Privacy policy.
How we collect, use and protect personal data, written so a human can actually read it.
Plain-English summary. Tackt is a Maltese-registered company that helps UK professional services firms find new clients. We process personal data about two groups: (i) our clients and their staff, and (ii) people at firms we contact on our clients’ behalf. We comply with both UK GDPR and EU GDPR. We never sell data. You can ask us what we hold about you, correct it, or ask us to delete it, at any time.
1. Who we are
“Tackt,” “we,” “us” and “our” refer to [TACKT LEGAL ENTITY NAME], a company registered in Malta (company number [MT COMPANY NUMBER]), with its registered office at [MALTA REGISTERED ADDRESS].
We are the data controller for the personal data described in this policy, unless we tell you we are acting as a processor on a client’s behalf (in which case the client is the controller and our processing is governed by the data processing addendum between us).
Our regulators
- Malta (lead authority): Information and Data Protection Commissioner (IDPC), idpc.org.mt
- United Kingdom: Information Commissioner’s Office (ICO), ico.org.uk
UK representative (Article 27, UK GDPR)
Because we target UK data subjects from outside the UK, we have appointed a UK representative as our point of contact for UK data subjects and the ICO:
[UK REP NAME]
[UK REP ADDRESS]
Email: [UK REP EMAIL]
2. What this covers
This policy covers personal data we process in connection with the Tackt website (tackthq.com) and our service. It does not cover third-party websites we link to, or the internal privacy practices of our clients.
3. Data we process
About people at firms we contact on a client’s behalf (“prospects”)
This is most of what we do. For individuals at firms our clients have told us they want to approach, we process:
- Business identity: full name, job title, employer, office location.
- Business contact: work email address, sometimes direct work phone number.
- Public business context: information from the firm’s own public filings, regulator websites, business news, the firm’s website, and professional social profiles. This is what tells us when an introduction is relevant.
- Interaction records: whether messages we sent were delivered, opened, replied to, bounced, or unsubscribed; the content of replies you send us; any meeting that results.
We do not process personal email addresses, home addresses, special category data (e.g. health, religion, politics), or data about children.
About our clients’ staff
- Name, work email, work phone, job title.
- Records of our work for the client (account calls, approvals, reports).
- Billing contact details.
About visitors to our website
- Privacy-preserving analytics: approximate country, device type, pages viewed, referring site. We do not use tracking cookies. See section 13 (Cookies).
- If you email us or book a call: your name, email, and whatever you choose to tell us.
- Standard server logs retained briefly for security (IP, user agent, timestamp).
4. Lawful bases
We rely on different lawful bases depending on what we are doing:
- Contacting prospects
  - Legitimate interests (UK/EU GDPR Art. 6(1)(f)): the mutual business interest in a senior professional at a regulated UK firm being made aware of a relevant service, where we have taken reasonable steps to ensure the message is genuinely relevant and the data subject can object at any time. We have carried out a legitimate interests assessment (LIA).
- Providing the service to clients
  - Contract (Art. 6(1)(b)): processing necessary to perform our agreement with the client.
- Billing, tax and records
  - Legal obligation (Art. 6(1)(c)): we must keep accounting records under Maltese and international tax law.
- Website analytics & security
  - Legitimate interests (Art. 6(1)(f)): running and securing our own website.
- Direct marketing to our own prospects
  - Legitimate interests in the UK/EU B2B context, combined with PECR compliance (see section 12).
5. Where we get data
- Public registries and regulators (e.g. Companies House, the SRA, ICAEW, ACCA, RICS and equivalents).
- Firms’ own public websites and published materials.
- Reputable business news, trade press, and public social profiles.
- Licensed B2B data providers, where the provider has warranted a lawful basis for supply.
- Directly from clients (their own staff details; never their clients’ data).
- Directly from you (if you reply to us, book a call, or email).
6. What we use it for
- Identifying firms likely to need a given professional service this month, based on public signals.
- Drafting and sending introductions from our clients to those firms, after human review.
- Handling replies and booking meetings.
- Measuring what worked, so we can improve the service.
- Running, securing and improving our website and systems.
- Meeting our legal and regulatory obligations.
We do not use personal data for automated decisions that produce legal or similarly significant effects about individuals, in the sense of Article 22 UK/EU GDPR.
7. Who we share with
We share personal data only with:
- Our clients, in respect of prospects they have asked us to contact on their behalf, and replies to those messages.
- Service providers who help us run the service, acting as our processors under contract: hosting ([HOSTING PROVIDER]), email infrastructure ([ESP]), CRM ([CRM]), analytics ([ANALYTICS]), and professional advisers.
- Authorities, where we are legally required to.
We do not sell personal data. We do not share personal data with advertising networks.
8. International transfers
Tackt is established in Malta. Some of our processors are in the United Kingdom, the European Economic Area, or the United States.
- Malta ↔ UK: covered by the UK’s adequacy decision for the EEA and the EU’s adequacy decision for the UK.
- Malta ↔ EEA: no restricted transfer.
- Any transfer to the United States or elsewhere without adequacy relies on Standard Contractual Clauses (in the European Commission’s 2021 form), the UK International Data Transfer Addendum, and a transfer impact assessment, with appropriate supplementary measures.
9. How long we keep it
- Prospect data (not contacted): up to 12 months from last refresh, then deleted unless still relevant.
- Prospect data (contacted, no reply): up to 24 months from last contact, then deleted or suppressed.
- Prospect data (replied / meeting taken): retained for the life of the client relationship plus 12 months.
- Unsubscribe / opt-out records: retained indefinitely so we can honour the opt-out.
- Client contract & billing data: six years from end of relationship, for tax and accounting.
- Website analytics: up to 13 months, then aggregated.
- Server security logs: 30 days.
10. Your rights
Whether you are in the UK, the EEA, or Malta, you have the right to:
- Access the personal data we hold about you.
- Rectify data that is wrong or incomplete.
- Erase data in certain circumstances (“right to be forgotten”).
- Restrict our processing in certain circumstances.
- Object to processing based on legitimate interests, including an absolute right to object to direct marketing at any time.
- Portability of data you have provided to us.
- Withdraw consent, where consent is the basis we rely on.
- Complain to a supervisory authority (see section 1).
To exercise any of these, email [email protected]. We respond within one month. We will not charge a fee unless a request is manifestly unfounded or excessive.
Opting out of our outreach is instant. Reply “unsubscribe” to any message, click the unsubscribe link, or email [email protected]. We suppress across every client we work for, not just the one that contacted you.
11. Security
We take appropriate technical and organisational measures, including: encryption in transit (TLS 1.2+) and at rest; access controls with least-privilege and audit logging; multi-factor authentication on all admin systems; regular backups; documented incident response; and vendor due diligence before any processor is engaged.
We are required to notify the IDPC (and, where relevant, the ICO) of a personal data breach within 72 hours where it is likely to result in a risk to individuals, and to notify affected individuals where the risk is high.
12. Direct marketing & PECR
Our outreach to UK recipients is governed by the UK’s Privacy and Electronic Communications Regulations 2003 (PECR) as well as the UK GDPR. For outreach to EEA recipients, the ePrivacy Directive as implemented locally, and the EU GDPR, apply.
- We contact corporate subscribers (limited companies, LLPs, and similar) on the soft-B2B basis recognised in UK and EU law, where the message is relevant to the recipient’s role and an opt-out is provided in every message.
- Every message identifies the sender, provides a valid reply address, and offers a clear one-click or one-reply way to stop further contact.
- Unsubscribe requests are honoured across our entire platform, not only for the client that prompted the original message.
- We do not send marketing to sole traders or unincorporated partnerships without their prior consent.
13. Cookies
The Tackt marketing site uses no advertising or tracking cookies. We use a privacy-preserving analytics tool ([ANALYTICS TOOL]) that does not set cookies and does not collect personal data. If we add any non-essential cookies in future, we will ask for your consent first.
14. Changes to this policy
We update this policy when our practices change or the law does. The “last updated” date at the top tells you when. If a change is material, we will also notify clients directly.
15. How to contact us
General privacy enquiries: [email protected]
Opt-out / suppression: [email protected]
Post (Malta): [TACKT LEGAL ENTITY NAME], [MALTA REGISTERED ADDRESS]
UK representative: [UK REP NAME], [UK REP ADDRESS], [UK REP EMAIL]
For your solicitor. The bracketed fields — legal entity name, Malta company number, registered office, UK representative, named processors, and analytics tool — should be completed before this page goes live. A Maltese-qualified data protection adviser should review the legitimate interests assessment referenced in section 4 and sign off on the final version of this policy.