Data Privacy Statement

This Data Privacy Statement summarises important information about how Form3 collects, uses and discloses personal data and ensures compliance with the laws and regulations. This Data Privacy Statement relates to your use of our website(s).

Through our website(s) we may from time to time link to other websites(s) owned and operated by third parties. Our website(s) may also gather information about you in accordance with their own separate privacy notices. Please consult their privacy notices, as appropriate.

Who we are

This website is operated by Form3 Group Limited. We and our group of companies are a payment technology provider; for more information about our services, please visit the About tab.

We collect, use and are responsible for certain information about you (referred to as "personal data") that we collect through our websites. When we do so we are regulated by the General Data Protection Regulation (GDPR) which applies across the EU and UK.

Principles of data protection

Form3 has adopted the following principles to govern use, collection and disclosure of personal data. These principles have been established to create a uniform standard across all our offices taking account of the laws in the jurisdictions in which we operate.

Form3's core principles provide that personal data must:

  • be processed fairly and lawfully and to the extent required under local laws with valid and informed consent
  • be obtained for specific and lawful purposes
  • be kept accurate and up to date
  • be adequate, relevant and not excessive in relation to the purposes for which it is used
  • not be kept for longer than is necessary for the purposes for which it is used
  • be processed in accordance with the rights of individuals
  • be kept secure to prevent unauthorized processing and accidental loss, or destruction and will only be transferred to, or accessed from, another jurisdiction where these core principles cannot be met unless it is adequately protected.

Collection, use and disclosure

The types of data we collect and process fall into one of the following categories:

  • Personal data relating to subscribers to our newsletters and other promotional materials;
  • Personal data obtained and created in relation to providing our services.

Types of data

We collect personal information from you when:

  • You access and use our website;
  • Subscribe to our newsletter or other promotional materials; and/or
  • Submit the “contact us” form.

We collect this personal data from you either directly, such as when you subscribe to our newsletter or contact us, or indirectly, such as your browsing activity while on our website through the use of Cookies. Please visit our Cookies Policy for further information on how we use cookies.

We also collect personal data when you apply for a job vacancy through our website but this information is processed in accordance with our Recruitment Privacy Statement, which you should review before submitting your application.

The information we collect about you depends on your activity but includes:

  • First and last name;
  • Business information (job title and who you work for);
  • Contact details (including email and phone number); and/or our websites may also collect your device's unique identifier, such as an IP address).

Additional information may be processed where it is provided by you, for example in correspondence, in connection with an event or in letting us know what areas you are interested in and when you wish to be contacted by us.

Our websites are not intended for use by children and we do not knowingly collect of use personal information relating to children.

Our legal basis for processing 
your personal data

When we use your personal data that we collect through our website, we must have a lawful basis for doing so.

The lawful basis depends on what information we collect and how we use it.

The legal basis we rely on to process the personal data we collect through our website is either:

  1. Consent: where you have given us clear consent for us to process your personal information for a specific purpose ;or

  2. Legitimate interests: where our use of your personal data is necessary for our legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect your personal information which overrides our legitimate interests).

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

Our lawful basis for each processing activity is set out in the table below:


When you register your details with us (either to contact us or sign up to our newsletter or other promotional materials), we take information to allow us to:

  • Create and manage your account;
  • Contact you about your account or for the purpose you’ve requested.

Personal Data

Name, contact information and/or business information

Our Lawful Basis

Legitimate interests: to take steps at your request


Consent: where you have opted into receive direct marketing communications


To use data analytics to improve our website and for our marketing purposes

Personal Data

Technical and analytical information about how you interact with our website

Our Lawful Basis

Legitimate interests: to define the types of customers for our services, keep our website updated and relevant and develop our business.


If you have previously given your consent for us to contact you for marketing purposes, you can opt-out at any time by contacting us at or using the unsubscribe feature on the communication.


Data is collected in our CRM system when you register to receive newsletters or updates, or we otherwise receive your contact details.

You will receive a notice when your details have been added to the CRM database. You can revisit your profile at any time to amend your information or preferences or to provide additional details.

You will also be provided with the option to opt out and/ or be removed from the CRM database with each marketing communication you receive from us.

Who we share your personal data with

We may share your personal data with third parties to enable us to effectively run our business, e.g. marketing agencies and website hosts.

Specifically, we share your personal data with Hubspot who run our client relationship management platform.

We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers relating to ensure they can only use your personal information to provide services to us and to you. We may also share personal information with external auditors, eg in relation to ISO [or Investors in People] accreditation and the audit of our accounts.

We will share personal data with law enforcement or other authorities if required by applicable law.

We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, information will be anonymised but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.

We will not share your personal information with any other third party.

Individual's rights

Form3 understands that personal data must be processed in line with individuals' rights, including the right to:



The right to be provided with a copy of your personal information (the right of access)

The right to require us to correct any mistakes in your personal information


To be forgotten

The right to be provided with a copy of your personal information (the right of access)

The right to require us to delete your personal information—in certain situations


Restr. of processing

The right to be provided with a copy of your personal information (the right of access)

The right to require us to restrict processing of your personal information — in certain circumstances, eg if you contest the accuracy of the data


Data portability

The right to be provided with a copy of your personal information (the right of access)

The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations


To object

The right to be provided with a copy of your personal information (the right of access)

The right to object:

  • At any time to your personal information being processed for direct marketing (including profiling);
  • In certain other situations to our continued processing of your personal information, eg processing carried out for the purpose of our legitimate interests.


Not to be subject to automated individual decision making

The right to be provided with a copy of your personal information (the right of access)

The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you

For further information on each of those rights, including the circumstances in which they apply, see the ICO’s guidance on individuals rights under the GPDR, available here:

Should you have any questions or complaints

If you have any questions or complaints relating to how the firm has processed your personal data, please contact

Alternatively, if you prefer a GDPR EU Rep, please contact IITR CertGmbH

Transfer of data between jurisdictions

It is sometimes necessary for us to share your personal data outside of the UK and EEA, specifically:

  • As an international company, personal data may be transferred between our various offices worldwide due to, for example, shared IT systems and/or cross border working.
  • Our service provider, Hubspot, is located in the US.
  • If you are based outside of the UK/EEA.

These transfers are subject to special rules under UK and European data protection law.

These non-UK/EEA countries may not have the same data protection laws as the UK and EEA. We will, however, ensure the transfer complies with data protection law and all personal data will be kept secure. Our standard practice is to use standard data protection contract clauses that have been approved by the European Commission.

If you have any questions at all about transfer of data between jurisdictions please contact

How long your personal data will be kept

We will keep your personal data while you have an account with us or while you continue to communicate or opt-in to receive communications from us. Thereafter, we will keep your personal information for as long as is necessary:

  • to respond to any questions, complaints or claims made by you or on your behalf;
  • to show that we treated you fairly;
  • to keep records required by law.

We will not retain your personal data for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of personal information.

When it is no longer necessary to retain your personal information, we will delete or anonymise it.

Keeping your personal information secure

We have appropriate security measures in place to prevent personal data from being accidentally lost, or used or accessed in an unauthorised way.

We limit access to your personal data to those within Form3 who have a genuine business need to access it. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a data security breach where we are legally required to do so.

Changes to this data privacy statement

This Data Privacy Statement was published on 19 December, 2019 and last updated on 16 September, 2022.

We may change this Data Privacy Statement from time to time, when we do we will inform you via email and the updates will be posted on this page.