TDS Risk
Products
Trust Score — £0.35/check Mobile KYC — £0.45/check
Use cases
Consumer Lending Lead buying Insurance Lead Generation Account Creation Online Gambling Betting Affiliate Networks Payments Fintech
Developers
Getting Started Reason Codes Rule Studio Postman Collection Changelog System Status
Company
Pricing About Us Enterprise Contact Case Studies ROI Calculator Security & Compliance FAQ Trust Centre Sign up free →
Legal

Privacy Policy

Last updated 4 April 2026
Applies to thedatasupermarket.com & TDS Risk
ICO ZB300553
In force

1. Overview

The Data Supermarket Ltd understands that your privacy is important to you and that you care about how your personal data is used and shared online. We respect and value the privacy of everyone who visits this website, www.thedatasupermarket.com ("Our Site") and will only collect and use personal data in ways that are described here, and in a manner that is consistent with our obligations and your rights under the law.

Please read this Privacy Policy carefully and ensure that you understand it. Your acceptance of Our Privacy Policy is deemed to occur upon your first use of Our Site and you will be required to read and accept this Privacy Policy when signing up for an Account. If you do not accept and agree with this Privacy Policy, you must stop using Our Site immediately.

In plain English

We operate a data Marketplace and carrier-identity services. Depending on what you're doing on our site, we may act as a controller (when you sign up or visit) or a processor (when we handle data on behalf of a customer). Sections 11-14 explain the four different roles we play.

2. Definitions and interpretation

In this Policy the following terms shall have the following meanings:

Buyer A person or entity that uses the Platform to purchase data that is listed for sale by a Seller.
Cookie A small file placed on your computer or device by Our Site when you visit certain parts of Our Site and/or when you use certain features of Our Site.
Data Protection Regulations The Data Protection and Privacy Electronic Communications (EU Exit) Regulations 2019, which incorporates the EU Regulation 2016/679 General Data Protection Regulation into UK law ("UK GDPR").
EU The European Union.
Personal data Any and all data that relates to an identifiable person who can be directly or indirectly identified from that data, as defined in the Data Protection Regulations.
Platform The Data Supermarket's Marketplace where Sellers can offer to sell data to potential Buyers.
Seller A person or entity that registers with the Platform and offers to sell data to prospective buyers via the Platform.
We / Us / Our The Data Supermarket Ltd, a limited company registered in England and Wales under company number 13855926, registered office at The Innovation Centre, Brunswick Street, Nelson, England, BB9 0PQ.
UK The United Kingdom.
You / Your Any visitor or user of the Site including a Buyer and Seller registered on the Platform.

3. About us

Our Site is a marketplace for buyers and sellers of data. This could include personal data of opted-in individuals, commercial company data, or a mixture of both. We do not share any data that is provided by Sellers registered on our Platform to anyone other than the Buyer that has purchased the data from the Seller via our Platform.

We do not sell or share for marketing purposes any data of our Platform users to anyone (i.e. data of our Sellers and Buyers). We will only share data to those types of organisations detailed in this Privacy Policy for the purpose of providing the services that we provide.

All our Buyers and Sellers are required to undergo due diligence checks prior to becoming registered on our Platform. All data that is stored on our Platform for sale by a registered Seller is stored solely for the purposes of facilitating the transaction between a Buyer and a Seller. We act solely as a data processor in this instance.

Where you register to our Site as a Seller or Buyer, or use our Site in any other way, then we will act as a Data Controller.

  • Our Site is owned and operated by us.
  • Our Data Protection Officer can be contacted by email at compliance@thedatasupermarket.com or by post at The Data Supermarket, The Innovation Centre, Brunswick Street, Nelson, England, BB9 0PQ.
  • We are registered with the Information Commissioner's Office. ICO Fee Payer Registration Number: ZB300553.

4. What does this policy cover?

This Privacy Policy applies only to your use of Our Site www.thedatasupermarket.com. Our Site may contain links to other websites. Please note that we have no control over how your data is collected, stored, or used by other websites and we advise you to check the privacy policies of any such websites before providing any data to them.

5. Your rights

5.1 UK and EU users

If you are resident in the UK or the EU then you have the following rights under the Data Protection Regulations:

  • Right to be informedAbout our collection and use of personal data
  • Right of accessTo the personal data we hold about you
  • Right to rectificationIf any personal data we hold is inaccurate or incomplete
  • Right to be forgottenAsk us to delete personal data we hold about you
  • Right to restrict processingPrevent the processing of your personal data
  • Right to data portabilityObtain a copy to re-use with another service
  • Right to objectTo us using your data for particular purposes
  • Automated decisionsRights around automated decision-making and profiling

If you have any cause for complaint about our use of your personal data, please contact us using the details in section 21 and we will do our best to solve the problem for you. If we are unable to help, you also have the right to lodge a complaint with the UK's supervisory authority, the Information Commissioner's Office.

If you are based outside the UK, or have a complaint concerning our activities outside the UK, then you may prefer to lodge a complaint with a different supervisory authority.

5.2 California users (CCPA)

The California Consumer Privacy Act of 2018 (CCPA) gives consumers specific rights in relation to their personal data collected by businesses. These rights include:

  • The right to know about the personal information a business collects and how it is used and shared
  • The right to delete personal information collected from them (with some exceptions)
  • The right to correct any personal information collected from them
  • The right to opt-out of the sale or sharing of their personal information
  • The right to non-discrimination for exercising their CCPA rights

To exercise your rights under the CCPA you can contact us using the details in section 21. Although we do not sell any data of our Users (i.e. Buyers and Sellers on our Platform), if you wish to exercise your right to opt-out (or opt-in) to the sale of your personal data, please email us.

5.3 Other users

If you are resident outside of the EU, UK, or California, we will adhere to any requirements that apply to the country in which you are resident. At a minimum we will provide all visitors and users of our Site the rights as set in section 5.1 above.

6. What data do we collect?

Depending upon your use of Our Site and/or our services, we may collect some or all of the following personal and non-personal data:

  • Full name
  • Home address and residential status
  • Date of birth
  • Gender
  • Business/company name
  • Business details (owners, directors, address and registered company details)
  • Job title / profession
  • Contact information such as email addresses and telephone numbers
  • Demographic information such as postcode, preferences and interests
  • Financial information such as bank name and account details
  • A record of any transactions that occur through your Account with us
  • A record of how and when you used our Site (searches, profile/Account changes, listings made)
  • IP address
  • Cookies and tracker information from your browser and/or device
  • Web browser type and version
  • Operating system
  • A list of URLs starting with a referring site, your activity on Our Site, and the site you exit to
  • Where you contact us by phone, email or post, a record of that contact

Information we automatically collect when someone visits the site:

  • IP address
  • User-Agent (browser type, device type, etc.)
  • Timestamp
  • Geolocation data (if enabled)

7. How do we use your data?

All personal data is processed and stored securely, for no longer than is necessary in light of the reason(s) for which it was first collected. We will comply with our obligations and safeguard your rights under the Data Protection Regulations at all times.

Our use of your personal data will always have a lawful basis, either because it is necessary for our performance of a contract with you, because you have consented to our use of your personal data, or because it is in our legitimate interests (see section 8). Specifically, we may use your data for:

  • Providing and managing your Account on our Platform
  • Providing and managing your access to Our Site or the Platform
  • Personalising and tailoring your experience on Our Site or Platform
  • Supplying our services to you (we require your personal data to enter into a contract with you, set up an Account, and provide analytics)
  • Keeping our Site functional (i.e. when problems have been notified to us)
  • Personalising and tailoring our services for you
  • Replying to emails from you
  • Supplying you with emails that you have opted into (you may unsubscribe at any time)
  • Market research
  • Analysing your use of Our Site to continually improve Our Site and your user experience
  • Managing your marketing preferences
  • Managing your data processing preferences
  • Compiling anonymised data for analytical purposes
  • Complying with any legal or regulatory obligations
  • Fraud prevention

With your permission and/or where permitted by law, we may also use your data for marketing purposes, which may include contacting you by email, telephone, text message, and post. We will not send you any unsolicited marketing or spam.

We may contact you via email to invite you to review any services and/or products you received from us. We may use an external company, such as Trustpilot A/S ("Trustpilot"), to collect your feedback, which means we will share your name, email address, and reference number with Trustpilot. We may also use such reviews in other promotional material and media.

You have the right to withdraw your consent at any time, and to request that we delete your personal data.

7.1 Retention periods

We do not keep your personal data for any longer than is necessary:

  • Customer data: as a general rule, unless we have been requested to delete your information, customer personal data will be kept for the duration of the provision of services and for a period of up to six years after the services have been terminated by you or us. This is based upon the Limitation Act 1980 for the period in which someone can bring a breach of contract claim.
  • No contract: where we have not provided you with any products or services, we will keep your data for a period of 12 months.
  • Legal obligation: we may keep data longer where we are required to do so by law or a contractual obligation. Where we can, we will anonymise such data so that it no longer identifies a living individual.

8. Legitimate interests

Where we use legitimate interest for the basis of our processing of your personal data, we shall ensure that we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual.

You have the right to object to our use of your personal data where we use legitimate interest as the basis of processing. You can do this by contacting us on the details in section 21.

Our legitimate interests include:

  • The maintenance of our IT / data security systems and processes
  • Putting in place fraud prevention mechanisms
  • Keeping our records up to date
  • Working out which of our products and services may interest you and telling you about them (i.e. direct marketing)
  • Developing products and services
  • Being efficient about how we fulfil our legal duties
  • Maintaining a marketing suppression list, including checking data loaded to the Platform against services such as the Telephone Preference Service in the UK
  • Complying with laws and regulations that apply to us

9. How and where do we store your data?

We only keep your personal data for as long as we need to in order to use it as described in section 7, and/or for as long as we have your permission to keep it.

All our customer data is stored and accessed from our servers in the UK or the European Economic Area (the EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein).

Transfers outside UK/EEA

Some of your data may be stored or transferred outside the EEA or UK. You are deemed to accept and agree to this by using Our Site. Where we do transfer data outside the UK/EEA, we take all reasonable steps to ensure your data is treated as safely and securely as it would be within the UK.

Safeguards we apply to international transfers include:

  • Carrying out due diligence on prospective parties to whom we wish to transfer data
  • Carrying out a risk assessment on the destination country to ensure protection offered to data subjects is equivalent to that provided in the UK
  • Having in place written contracts on the transfer and use of the data, using UK International Data Transfer Agreements or EU model contract clauses
  • Transferring data in an encrypted form or using a secure file transfer protocol
  • Limiting the data transfer to only data that needs to be transferred to achieve the purpose

10. Do we share your data?

We may share your data with other companies for carrying out / putting in place the services that you require. For example, if you wish to purchase data from a Seller on our Platform, we may share your (Buyer) details for them to contact you.

We may sometimes contract with third parties to supply services to you on our behalf. These may include search engine facilities, advertising, and marketing companies. In order to provide you with our services, we may need to share some or all of your personal data with our service providers, such as:

  • Our hosting and server provider
  • Our payment service providers
  • Our external compliance consultants

We may compile statistics about the use of Our Site including data on traffic, usage patterns, user numbers, sales, and other information. We may share such anonymised data with third parties such as prospective investors, affiliates, partners, and advertisers.

In certain circumstances, we may be legally required to share certain data, for example where we are involved in legal proceedings, complying with legal requirements, a court order, or a governmental authority.

We may share your data with regulators and dispute resolution bodies such as:

  • The Information Commissioner's Office
  • Advertising Standards Authority
  • Local Trading Standards

10.1 Facebook Audience Insights

We may use the services of Facebook Ireland Limited ("Facebook") to carry out certain marketing activities on the Facebook Platform. Specifically, from time to time we use Facebook's Audience Insights to help us create targeted audiences for our advertising campaigns on Facebook. This involves sharing some of our customer personal data with Facebook to allow it to create information on the types of audiences on the Facebook platform that would be best suited to see our adverts. In this respect Facebook acts as our joint processor.

For such processing of your personal data we and Facebook also act as a Joint Controller. This means that both Facebook and us can determine the reasons for processing of your personal data. Facebook has its own privacy policy on how Facebook processes personal data, including the legal basis it relies on and the ways to exercise Data Subject rights against Facebook. To review Facebook's privacy policy, visit facebook.com/about/privacy.

We have entered into a Controller Addendum with Facebook that sets out each party's respective responsibilities. Any data subject requests with regard to personal data stored by Facebook Ireland after the joint processing is the responsibility of Facebook.

10.2 PayPal

We use PayPal for payments and other services. If you use one of these services and pay on our website, PayPal may collect the personal data you provide, such as payment and identifying information. PayPal uses this information to operate and improve the services it provides, including for fraud detection, harm and loss prevention, authentication, analytics, and to comply with applicable legal requirements. The processing of this information is subject to the PayPal Privacy Statement.

11. The Data Supermarket as a Data Processor (Marketplace)

Role 1 · Processor

Marketplace transactions between Sellers and Buyers

We facilitate transactions but don't own or control the data being traded.

Where we are acting as the facilitator of transactions between third-party Data Owners and approved buyers through our online Marketplace (the "Marketplace"), we are acting as a data processor on behalf of the Data Owner that has offered data for sale or licence via our online Marketplace.

As a data processor we do not own or control the data being transacted on the Marketplace — this is owned by or licensed to the seller offering the data on the Marketplace. We operate as a secure and compliant platform to help Data Owners share their data, with the consent of the data subjects, to buyers seeking verified and lawful use of that data. Each Data Owner is responsible for ensuring that their data-sharing practices comply with applicable data protection laws, including UK GDPR.

As the owner of the Marketplace, we will ensure that only approved buyers, who meet our strict compliance requirements, have access to any data offered for sharing or sale by a Data Owner. Buyers are responsible for processing the data in line with the licence agreement they enter into for the data they purchase, their own privacy policies, and always in compliance with all applicable laws and regulations including but not limited to the Data Protection Regulations.

11.1 Approved Buyers List

Below is a regularly updated list of approved buyers who may receive data shared by Data Owners through our Marketplace:

Company Website Category Company No. ICO

12. The Data Supermarket as a Compliance Verification Processor

Role 2 · Processor

Third-party compliance verification

We verify the legal basis and origin of data on behalf of end-user companies.

Where we act as a third-party compliance verification layer between data buyers and end-user companies, we may process limited personal data (such as an email address, phone number, or postal address) strictly for the purpose of validating the legal basis for processing and tracing the origin of the data.

This service is used to protect the rights of data subjects by:

  • Confirming whether the data was originally obtained with valid consent or under a lawful legitimate interest
  • Ensuring all relevant metadata, such as opt-in timestamps and consent methods, is auditable and available at the point of use
  • Tracing the source and full journey of the data across brokers, sellers, and intermediaries
  • Preventing the use of any data where the legal basis cannot be verified

If verification cannot be achieved, the data will not be authorised for processing. This ensures that individuals are not contacted using data that cannot be fully verified to meet regulatory and ethical standards.

In this context, The Data Supermarket acts as a data processor solely for the end-user company utilising the verification service. We do not retain, resell, or reuse the data, and we process it only to fulfil the compliance check. All data is encrypted in transit and at rest and is automatically deleted within a defined retention period.

This service supports full alignment with UK GDPR, PECR, and other applicable data protection legislation, reinforcing our commitment to lawful, fair, and transparent data processing.

12.1 Approved Verification Users

A regularly updated list of companies who may share information with us for the sole purpose of enabling compliance validations and protecting data subjects' rights is published here. For the current list, please contact our compliance team.

13. The Data Supermarket as Controller (Mobile Identity & Trust Verification)

Role 3 · Controller

Our own fraud prevention

When we verify identity for our own platform security — we determine purpose and means.

Where we use mobile identity verification and trust score checks directly for our own business purposes (for example, to verify the identity of users of our platform, prevent fraud, or protect the security of our systems), The Data Supermarket acts as a data controller.

We determine the purpose and means of these checks in order to:

  • Confirm that individuals accessing our services are genuine
  • Prevent and detect fraudulent or unauthorised use of our platform
  • Protect the rights and interests of our business, our users, and affected individuals

We rely on our legitimate interests under Article 6(1)(f) of the UK GDPR to conduct these checks, as they are necessary to protect both you and us against fraud and misuse of personal data. These checks are used solely for fraud prevention and identity verification purposes.

The data processed for this purpose may include:

  • Mobile number and related network information
  • Signals relating to the ownership, tenure, or recent activity of a mobile number (e.g. SIM swap events, porting, call forwarding)
  • Associated trust indicators such as behavioural or risk signals

In order to perform these checks, we share the relevant data (such as mobile number and associated identifiers) with trusted third-party partners, including Mobile Network Operators and specialist fraud-prevention service providers. These partners process the data solely to return verification signals and risk indicators to us and are prohibited from using the data for any other purpose.

All such partners are bound by contractual safeguards consistent with UK GDPR, including confidentiality, security, and strict data minimisation requirements.

Not credit checks

We do not use these checks for credit assessment purposes. They will not affect your ability to obtain services, nor will they appear on your credit history.

Data processed in this way is retained only as long as necessary for fraud prevention and verification, in line with our data retention policy, and is encrypted both in transit and at rest.

14. The Data Supermarket as Processor (Mobile Identity & Trust Verification)

Role 4 · Processor

TDS Risk service for clients

When clients use our verification API, they are the controller and we act on their instructions.

Where we provide mobile identity verification and trust score checks as a service to our clients, The Data Supermarket acts as a data processor.

In this context, we process personal data strictly on the instructions of the client (the data controller) who has chosen to use our verification services. We do not retain, reuse, resell, or repurpose this data for our own purposes.

We process data under this service solely to:

  • Run the requested verification checks on behalf of the client
  • Return the verification results to the client
  • Ensure full auditability and traceability of the verification process

Where required to provide verification results, we transmit the relevant data (such as mobile number and identifiers) securely to our approved sub-processors, including Mobile Network Operators and specialist fraud-prevention service providers. These sub-processors act only on our documented instructions and those of the client, and cannot use the data for any independent purpose.

We maintain a current list of sub-processors and ensure appropriate contractual and technical safeguards are in place to protect the confidentiality, integrity, and availability of the data.

All data is encrypted in transit and at rest, and is automatically deleted within a defined retention period unless otherwise required for legal or regulatory reasons.

Clients using our verification services are responsible for ensuring that their privacy policies and consent mechanisms appropriately inform individuals of these checks, including their reliance on Article 6(1)(f) UK GDPR legitimate interests (or another suitable lawful basis where applicable).

15. What happens if our business changes hands?

We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part. The new owner or newly controlling party will, under the terms of this Privacy Policy, be permitted to use that data only for the same purposes for which it was originally collected by us.

16. How can you control your data?

In addition to your rights under the Data Protection Regulations (section 5), when you submit personal data via Our Site, you may be given options to restrict our use of your data. In particular, we aim to give you control on our use of your data for direct marketing purposes (including the ability to opt-out of receiving emails from us which you may do by unsubscribing using the links provided in our emails and at the point of providing your details).

You may also wish to sign up to one or more of the preference services operating in the UK: The Telephone Preference Service (TPS), the Corporate Telephone Preference Service (CTPS), and the Mailing Preference Service (MPS). These may help to prevent you from receiving unsolicited marketing. Please note, however, that these services will not prevent you from receiving marketing communications that you have consented to receiving.

17. Your right to withhold information

You may access Our Site without providing any data at all.

You may restrict our use of Cookies. For more information, see our Cookie Policy.

18. How can you access your data?

You have the right to ask for a copy of any of your personal data held by us (where such data is held). Under the Data Protection Regulations, no fee is payable and we will provide any and all information in response to your request free of charge. Please contact us at compliance@thedatasupermarket.com or using the contact details in section 21.

19. Our use of cookies

Our Site may place and access certain first-party Cookies on your computer or device. First-party Cookies are those placed directly by us and are used only by us. We use Cookies to facilitate and improve your experience of Our Site and to provide and improve services.

In addition, Our Site uses analytics services provided by Google Analytics. Website analytics refers to a set of tools used to collect and analyse usage statistics, enabling us to better understand how people use Our Site.

For full details, please see our Cookie Policy. You can change your preferences at any time via the cookie settings button in the footer of every page.

20. Children

We do not knowingly collect or maintain personal data from anyone under the age of 13, unless or except as permitted by law. Any person who provides personal data through the Website represents to us that he or she is 13 years of age or older.

If we learn that personal data has been collected from a user under 13 years of age on or through the Website, we will take the appropriate steps to cause this information to be deleted.

If you are the parent or legal guardian of a child under 13 who has become a member of the Website or has otherwise transferred personal data to the Website, please contact us using the information in section 21 to have that child's account terminated and information deleted.

21. Contacting us

If you would like to contact us, please reach out via:

Please ensure that your query is clear, particularly if it is a request for information about the data we hold about you.

22. Changes to our Privacy Policy

We may change this Privacy Policy from time to time (for example, if the law changes). Any changes will be immediately posted on Our Site and you will be deemed to have accepted the terms of the Privacy Policy on your first use of Our Site following the alterations. We recommend that you check this page regularly to keep up-to-date.

Exercising your rights?

Email our DPO at compliance@thedatasupermarket.com — we acknowledge within one UK business day and complete most requests inside 30 days.

Contact DPO →