This Privacy Notice explains how and why we collect, use, and share personal data about you. It applies whenever you interact with us through the Website, our platform, or in any other way, including when you engage with us as a prospective or actual client organisation, as a fractional consultant, or in connection with a merger or acquisition transaction.

Our services are not directed at children under the age of majority. We do not knowingly collect data relating to children and will promptly delete any such data if discovered, unless legally required to retain it.

Please read this Notice alongside any other privacy or fair-processing notice we provide in specific contexts. This Notice supplements but does not override those additional notices.

Our roles as data controller and data processor

The nature of our services means we process personal data in different capacities, depending on the context:

• As Data Controller — we determine the purposes and means of processing when we collect and use personal data for our own business purposes, including operating our platform, analytics, and direct marketing.
• As Data Processor — we process personal data on behalf of our client organisations (Data Controllers) in order to deliver our fractional services. In this capacity we act on documented instructions from the client and in accordance with our Data Processing Agreement (DPA).
• As Data Processor for Fractional Consultants — we process personal data supplied by fractional consultants where the consultant is acting as their own data controller, again in accordance with our DPA.
• As Data Controller of De-identified Data — where personal data is aggregated or de-identified by us or shared with us in de-identified form, we use that data as controller for platform analytics, performance monitoring, and service improvement.

This Privacy Notice primarily addresses our processing as Data Controller. Where we act as Data Processor, data subjects should also refer to the privacy notices of the relevant client organisation.

Contact and complaints

For questions about this Notice or to exercise your rights, please contact our Data Privacy Manager at hello@thefractionalagency.com  or at the registered address above. If exercising your rights, please state the right you’re looking to exercise in the subject line before sending to our team. A list of your rights can be found in Section 13 of this Privacy Notice.

If you believe we have not handled your request correctly or have some other complaint relating to the way we process your data, We like the opportunity to address your concerns in the first instance. Please send an email to our Data Protection team at: hello@thefractionalagency.com with the words: Data Protection Complaint in the subject.

You have the right to make a complaint to the Information Commissioner’s Office (ICO) at ico.org.uk.

You can do this by:

Completing the online form: https://ico.org.uk/make-a-complaint/data-protection-complaints/

Calling the ICO: 0303 123 1113

Writing to the ICO: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Changes to this Privacy Notice

We review this Notice regularly and reserve the right to update it. Changes take effect immediately upon posting to our Website. This version was last updated on 27 May 2026. Please check back periodically.

Third-party links

Our Website may contain links to third-party sites, applications, or plug-ins. We are not responsible for their privacy practices and encourage you to review their privacy notices before providing any personal data.

Personal data means any information from which a living individual can be identified. It does not include data that has been robustly anonymised. The personal data we collect depends on your relationship with us. We have grouped it as follows.

A.  Data collected in connection with client organisations

When you or your organisation engages TFA for fractional or M&A advisory services, we collect the following data about relevant individuals within your organisation:

• Identity Data: first name, last name, job title, profile image, and — where relevant — qualification and reference information.
• Contact Data: business email address, business postal address, and telephone numbers.
• Financial Data: employee bank account details, National Insurance numbers, VAT number (if applicable), Company Registration Number, and payment and invoice data.

• Transaction & Engagement Data: details of services purchased, payment and fee information, Purchase Order requirements, invoice recipient details, Finance Contact Name, and Timesheet / Overtime Approver information (including Secondary Approver email address).
• Service Configuration Data: Primary Region, sector, transaction support status, role being hired for, M&A phase, deal size, company headcount, and required start date.
• Employee & Performance Data: Employee Performance Reviews, advisory outputs, and communications relating to the services.
• M&A Transaction Data: commercially sensitive merger, acquisition, and transaction-related documents and information.
• Special Categories of Personal Data: absence records (which may reveal mental or physical health information) and — where background checks are conducted — criminal offence data, processed only to the extent required and permitted by law.

B.  Data collected in connection with fractional consultants

When you register with TFA as a fractional consultant, or when we process your data in connection with placements, we collect:

• Identity Data: first name, last name, profile image, qualification and reference information, and LinkedIn Profile URL.
• Contact Data: business email address.
• Professional Profile Data: Fractional Role, Sector Bucket, Sector, M&A Phase expertise, Specific M&A Skill, Regional Experience, languages spoken, preferred client/employee size, Deal Size Comfort, Verified Realised Enterprise Value (GBP/USD), Day Rate (GBP), Risk Appetite, weekly bandwidth, Notice Period / Deployment Speed, motivations for fractional work (Why Fractional?), 5-Year Plan, and Capacity & Focus.
• Financial & Business Data: legal structure, VAT Registration (if applicable), Company Name and Company Registration Number (if applicable), bank account details, and National Insurance number.
• Compliance & Insurance Data: Professional Indemnity Insurance confirmation and Public Liability Insurance confirmation.
• M&A Transaction Data: project requirements and commercially sensitive files in the course of service provision.
• Special Categories of Personal Data: absence records (which may reveal mental or physical health information) and — where background checks are conducted — criminal offence data, processed only to the extent required and permitted by law.

C.  Data collected from all users of our Website and platform

Regardless of your relationship with TFA, when you interact with our Website or platform we collect:

• Technical Data: IP address (stored in anonymised format), device type and identifiers, screen resolution, operating system and browser type, geographic location (country level only), and log data (referring URL, pages visited, date and time of access).
• Usage Data: information about how you use our Website, platform, products, and services.
• Profile Data: account username and password, purchase history, interests, preferences, and survey responses.
• Marketing and Communications Data: your marketing preferences and communication preferences.

D.  De-identified and aggregated data

We may aggregate or de-identify personal data so it can no longer be attributed to any individual. We use such de-identified data as controller for purposes including monitoring platform engagement, analysing service performance, building KPIs, and producing analytical insights. Where we combine de-identified data with other data such that it could re-identify an individual, we treat the combined data as personal data subject to this Notice.

If you fail to provide personal data

Where we are required by contract or law to collect personal data and you do not provide it, we may be unable to enter into or perform the relevant contract. We will notify you if this is the case.

Direct interactions

You provide personal data directly when you:

• register as a client or fractional consultant, or create an account on our platform;
• submit onboarding forms, questionnaires, or profile information (including service configuration fields such as sector, M&A phase, deal size, and capacity preferences);
• submit CVs, qualification or reference information, or insurance confirmations;
• purchase or use our services, including where you submit timesheets, approve invoices, or provide payment data;
• communicate with us by email, telephone, post, or through the platform;
• participate in Sessions or Publications (podcasts, webinars, events, workshops); or
• interact with us in any other way.

Automated technologies

As you interact with our Website and platform, we automatically collect Technical Data using cookies, server logs, and similar technologies. Please see Section 7 (Website Tracking & Cookies) and our Cookie Notice for further details.

Third parties and publicly available sources

• Technical Data: from analytics providers, advertising networks, and search information providers.
• Contact, Financial, and Transaction Data: from payment and delivery service providers.
• Identity, Contact, and Financial Data: from credit-checking and compliance screening providers (including electronic ID verification).
• Identity and Contact Data: from publicly available sources such as Companies House.
• Data shared by your employer or client organisation: where they engage TFA and provide your details in that context.

We will only use your personal data when the law allows us to. The lawful bases we rely on are:

• Contract performance — processing necessary to perform a contract with you or to take pre-contractual steps at your request.
• Legal obligation — processing necessary for compliance with a legal obligation to which we are subject.
• Legitimate interests — processing necessary for our legitimate interests (or those of a third party), where those interests are not overridden by your rights and freedoms.
• Consent — where you have given clear, active agreement to a specific use. You may withdraw consent at any time without affecting the lawfulness of prior processing.

For special categories of personal data (including health/absence data and criminal offence data), we rely on additional conditions under applicable law, including explicit consent, performance of employment-related obligations, or the establishment, exercise, or defence of legal claims.

We do not rely on consent as our primary basis except where legally required (for example, for certain direct marketing activities and for the use of non-essential cookies).

A.  Purposes and lawful bases

B.  Technology, AI, and Automated Processing

We and, where relevant, our approved sub-processors use technology — including artificial intelligence, machine learning, large language models, and other automated systems — as part of delivering and improving our services. Where these tools process personal data, we do so in accordance with applicable law, with appropriate safeguards, and only for the purposes described in this Notice.

AI systems may be used for purposes including:

• delivering and enhancing our platform, services, and operational workflows;
• discovery processes — understanding client requirements and matching fractional consultants to engagements;
• research, analytics, and performance monitoring (including using de-identified data);
• customer support and communications management; and
• legal, regulatory, and risk management functions.

Where AI systems process personal data in the form of prompts, inputs, or outputs (collectively “Inference Logs”), those logs are retained for no longer than 30 days from the date of generation, after which they are securely deleted, unless a shorter or zero-data-retention period applies (see Section 12).

We currently do not carry out automated decision-making that produces legal or similarly significant effects on individuals without ensuring this is permitted under applicable law and subject to appropriate human oversight and safeguards. Where AI outputs inform significant decisions, we maintain human review processes and can provide an explanation of the basis of the output on request.

Further detail about our AI processing, confidentiality safeguards, and any specific AI tools in use is set out in our AI Privacy / Confidentiality Notice, available via the Legal Documentation or on request.

We may use your Identity, Contact, Technical, Usage, and Profile Data to form a view on products, services, and offers that may be of interest to you. You will receive marketing from us if you have requested information from us or purchased our services and have not opted out.

Business contacts

We rely on our legitimate interests to send marketing to business contacts. You may opt out at any time.

Individual consumers

Where you are acting in a personal capacity rather than as a business contact, we will obtain your consent before sending direct marketing by electronic means.

Third-party marketing

We will obtain your express consent before sharing your personal data with any third party for their own marketing purposes.

Opting out

You can opt out of marketing at any time by using the unsubscribe link in any marketing message, contacting us at hello@thefractionalagency.com, or (where available) adjusting your account preferences on our platform. Opting out will not affect essential service communications as these do not require consent to be sent to you.

Our Website uses cookies and similar technologies to distinguish you from other users, provide a good browsing experience, and help us improve our Website. A cookie is a small file stored on your device. We use the following categories:

• Strictly necessary cookies — required for the operation of the Website (e.g. login, shopping cart, and e-billing).
• Analytical / performance cookies — allow us to recognise visitors and understand how they navigate the Website.
• Functionality cookies — enable personalisation such as remembering your name, language, and preferences.
• Targeting cookies — record your visit and browsing behaviour to serve relevant advertising.

Further details of the specific cookies we use, their purposes, and their expiry are available via our cookie consent tool or banner on the Website, or in our Cookie Statement accessible via the Legal Documentation. Third parties, including advertising networks, may also set cookies on our Website over which we have no control.

We have implemented a Consent Management Platform to enable you to manage your cookie preferences on our Website, or by adjusting your browser settings. Note that blocking all cookies may affect your ability to use some parts of our Website.

We will only use your personal data for the purposes for which it was collected, unless we reasonably consider that a new purpose is compatible with the original. If we need to process your data for an unrelated purpose, we will notify you and explain the legal basis. We may process your data without your knowledge or consent where required or permitted by law.

We may share your personal data with the following categories of recipients, as further detailed in our Third-Party Processors & Service Providers list (available via our Legal Documentation):

Sub-processors

We engage third-party sub-processors to assist in delivering our services. We require all sub-processors to enter into written agreements imposing data protection obligations no less protective than those in our DPA, and we restrict their access to the minimum data necessary. Sub-processors that provide AI infrastructure or foundation models are contractually prohibited from using your data for their own model training.

Where we appoint a new sub-processor, we will provide at least 30 days’ prior written notice to affected clients, who may raise reasonable objections on data protection grounds.

A list of our current sub-processors can be found here: TFA Sub-Processors

Client organisations

Where we act as processor for a client organisation, we share relevant personal data — particularly fractional consultant profiles and engagement data — with that client for the purpose of the engagement.

External professional advisers

We share data with lawyers, accountants, bankers, and insurers based in the United Kingdom where necessary for legal, financial, insurance, or compliance purposes.

Regulatory and government authorities

We may disclose personal data to HM Revenue & Customs, the ICO, law enforcement, courts, and other regulators where required by law. We will notify you in advance of any such disclosure to the extent permitted by law, and we will challenge overbroad or unlawful access requests where reasonably practicable.

Business transfer parties

If we sell, transfer, or merge parts of our business or assets, your personal data may be transferred to the new owner, who will use it in accordance with this Notice.

Affiliates

We may share data with our parent company, subsidiaries, or joint venture partners.

We require all third parties to respect the security of your personal data and to process it only for specified purposes and in accordance with our instructions. We do not permit our third-party service providers to use your personal data for their own purposes, and we will not sell your data.

We may share your personal data with affiliates, clients, and sub-processors located outside the UK and the European Economic Area (EEA), including in the United States and other jurisdictions. Where AI inference computation (i.e. where prompts are processed and outputs generated) occurs outside the UK or EEA, we will disclose the relevant countries and ensure adequate transfer mechanisms are in place.

Where we transfer personal data internationally we ensure it is protected through at least one of the following mechanisms:

• Adequacy decisions — transferring only to countries recognised by the UK or EU as providing an adequate level of protection (including, where applicable, the EU–US Data Privacy Framework);
• Standard Contractual Clauses (SCCs) — the EU SCCs adopted under Commission Decision (EU) 2021/914 (Module 2: Controller-to-Processor; and/or Module 3: Processor-to-Processor), incorporated by reference into our DPA; and/or
• UK International Data Transfer Agreement (UK IDTA) — where transfers are subject to UK GDPR, we use the ICO’s IDTA or the UK Addendum to the EU SCCs; and/or
• Binding Corporate Rules (BCRs) — where a sub-processor holds approved BCRs covering the relevant transfers.

We will provide reasonable assistance and information to help clients and consultants conduct Transfer Impact Assessments where required.

We implement and maintain appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Our security programme includes, as a minimum:

Access controls

• Unique user authentication credentials for all platform users.
• Multi-factor authentication for all privileged (administrator) accounts.
• Role-based, least-privilege access controls with regular access reviews and revocation upon account deletion.
• Logging and monitoring of all successful and failed access attempts.

Encryption

• Data in transit encrypted using TLS 1.3.
• Data at rest encrypted using AES-256. Our data centres conform to ISO 27001:2022.

Physical security

• Access-controlled (badge and biometric) data centres with CCTV monitoring.
• Secure destruction of physical media containing personal data.

System integrity and availability

• Daily vulnerability scanning via Wordfence.
• Regular penetration testing of systems, AI systems, and APIs.
• Patch management and secure development practices.
• Business continuity and disaster recovery plans with regular testing.
• 4-hourly off-site backups and hardware redundancy on the platform hosting infrastructure.

AI-specific security

• Measures to protect AI systems against adversarial attacks, prompt injection, data poisoning, and model inversion attacks.
• Model-level access controls preventing cross-customer data contamination in multi-tenant AI environments.

Certifications

Our infrastructure and platform suppliers maintain ISO 27001:2022 certification. We will make relevant audit reports and certifications (such as SOC 2 Type II, where applicable) available to clients on request, subject to confidentiality obligations.

Incident response

We have documented incident response procedures. We will notify affected clients of a confirmed or reasonably suspected reportable personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, including details of the nature of the breach, the categories and approximate number of affected data subjects, the likely consequences, and the measures taken or proposed to address it.

Despite our safeguards, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure. Transmission of personal data to and from our Website is at your own risk.

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying any legal, regulatory, tax, accounting, or reporting requirements.

In determining the appropriate retention period, we consider the nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process the data, and applicable legal requirements.

Specific retention periods

• Client and fractional consultant data: retained for the term of the agreement and for such period thereafter as required by applicable law or, where no specific law applies, for a period of seven years to comply with anti-money laundering, tax, and other regulatory obligations, after which it will be securely deleted or anonymised.
• AI Inference Logs (prompts and AI-generated outputs): retained for no longer than 30 days from the date of generation and then securely deleted, unless a shorter or zero-data-retention period has been agreed with the relevant client.
• De-identified and aggregated data: may be retained and used indefinitely as it is no longer personal data.
• Data following termination: within 30 days of termination or expiry of an agreement, we will (if requested within that period) return a complete copy of all client personal data in a standard, machine-readable format, and will securely delete or destroy all remaining copies. We will certify deletion in writing on request.

Special categories and criminal offence data

Absence records and criminal offence data are retained only for the minimum period necessary and in accordance with our specific handling procedures for such data.

Third-party technologies

Some third-party technology providers we use may retain limited data for their own purposes beyond our standard retention periods. We take steps to minimise the data shared with such providers and select providers that apply appropriate data protection safeguards.

Under applicable data protection law you have the following rights in relation to your personal data:

• Right of access — to receive a copy of the personal data we hold about you and verify our lawful processing of it.
• Right to rectification — to have inaccurate or incomplete personal data corrected.
• Right to erasure — to ask us to delete your personal data where there is no good reason for continued processing. Note that we may not always be able to comply for legal reasons, which we will explain at the time. Where personal data has been used in AI model training, we will take reasonable technical measures to address erasure requests (which may include output suppression or model retraining) and will notify you if full technical erasure from model weights is not feasible.
• Right to object — to processing based on our legitimate interests, or to direct marketing.
• Right to restriction — to ask us to suspend processing of your personal data in certain circumstances.
• Right to data portability — to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
• Right to withdraw consent — where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing.
• Right to explanation regarding automated decisions — to request an explanation of any AI output that has informed a decision with legal or similarly significant effects on you.

Depending on your location and applicable laws, you may have additional rights. We will respect and facilitate all applicable rights.

To exercise any of these rights, please contact our Data Privacy Manager at hello@thefractionalagency.com. We will respond within one month; complex or multiple requests may take up to three months, in which case we will notify you. We will not charge a fee unless a request is manifestly unfounded or excessive.

Lawful bases

Legitimate interests: Our interest in operating and improving our business and services in a way that is fair and proportionate. We always balance our interests against any potential impact on your rights.

Performance of contract: Processing necessary to perform a contract to which you are a party, or to take steps you request before entering into a contract.

Legal obligation: Processing necessary for compliance with a legal obligation to which we are subject.

Consent: Your freely given, specific, informed, and unambiguous agreement to processing for a stated purpose. You may withdraw consent at any time.

Third parties — External

External third parties include:

• IT and technology service providers, payroll and accountancy providers, compliance and AML screening providers, marketing service providers, and other business support providers.
• Professional advisers including lawyers, bankers, accountants, and insurers.
• Providers of fractional, consultancy, M&A, finance, HR, tech, and legal services who are engaged or introduced in the course of our services.
• HM Revenue & Customs, the ICO, law enforcement, courts, regulators, and other authorities requiring reporting of processing activities.
• International revenue services and regulatory authorities outside the United Kingdom.
• Third parties to whom we are required to disclose information by law or legal proceedings, or in connection with fraud investigation.
• Sub-processors based outside the United Kingdom and EEA — details available in our Third-Party Processors list.
• Personal representatives, new advisers, or other third parties you direct us to correspond with.
• Our professional indemnity insurers or legal advisers where we need to defend a claim.
• Our professional disciplinary body where a complaint is made against us.