Privacy Policy
How we collect, safeguard, and respect the personal information you entrust to us.
01 Scope & Application
This Privacy Policy applies to The Way Policy Group (referred to as "we", "us", or "our" in this document) and governs your interaction with twpolicygroup.com, our membership platform, our published dashboards, our consulting engagements, our newsletters, and any related services we offer (collectively, the "Services").
By accessing our website, creating an account, subscribing to a paid plan, requesting a proposal, or otherwise using the Services, you acknowledge that you have read, understood, and accept the practices described herein. If you do not agree with any provision of this Policy, please discontinue use of the Services and contact us so we can address your concerns.
This Policy operates alongside our Terms of Service, Cookie Policy, and Refund Policy. Together, these documents define the full agreement between us and you.
02 Data Controller
For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws, The Way Policy Group is the data controller of the personal information collected through the Services. Where we process personal information on behalf of a client under a separate engagement letter (for example, when conducting research that involves data the client supplied), we may act as a data processor; in those cases, the client remains the controller and our processing is governed by the terms of the relevant engagement contract.
You may reach our Privacy Office at [email protected] with any questions about how your data is handled.
03 Information We Collect
We collect personal information in three principal categories, each described in detail below.
3.1 Information You Provide Directly
When you interact with the Services, you may provide us with information voluntarily. This typically includes:
- Account credentials: your full name, work or personal email address, password (stored as a one-way salted hash), professional title, and organization or affiliation.
- Billing information: billing name, postal address, country of residence or incorporation, applicable tax identifiers (such as VAT or TIN), and the last four digits of the payment card used for verification.
- Communications: the content of messages you send to us through contact forms, support tickets, email correspondence, scheduled calls, and any attachments you choose to share.
- Member content: documents, comments, annotations, or feedback you submit through our member portal, dashboards, or community channels.
- Engagement details: for advisory clients, the project scope, briefing materials, organizational context, and other information necessary to deliver the engagement.
- Marketing preferences: the topics, frequencies, and channels through which you wish to receive communications from us.
3.2 Information Collected Automatically
When you use the Services, our systems and our trusted service providers automatically log technical information needed for security, performance, and analytics. This information typically includes:
- Device information: device type, operating system, browser type and version, screen resolution, and language preference.
- Network information: IP address, internet service provider, and approximate geographic location derived from IP (typically at the city or region level).
- Usage information: pages viewed, time spent on each page, links clicked, referring URLs, search queries used to find us, and timestamps of activity.
- Session identifiers: randomly generated tokens placed in cookies or local storage to maintain your authenticated session.
- Diagnostic information: error reports, crash logs, and performance metrics that help us identify and resolve technical issues.
3.3 Information Collected from Third Parties
We also receive information about you from carefully selected partners and public sources. These include:
- Payment processors: Stripe confirms successful or failed transactions, partial card details (issuer, last four digits, expiry month and year), and fraud risk signals. We never receive your full card number.
- Authentication providers: Memberstack confirms identity and plan-tier information necessary for granting access to gated content.
- CRM and marketing tools: HubSpot provides aggregated engagement metrics on emails and forms, subject to your consent.
- Public business records: for institutional clients, we may consult publicly available regulatory filings, company registries, and sanctions lists to satisfy due diligence and anti-money laundering obligations.
04 Sources of Information
To summarize the prior section, the personal information we hold about you originates from one of the following sources:
- You, when you fill out a form, sign up for an account, subscribe to a newsletter, or correspond with our team.
- Your device and browser, when you visit our website or interact with our dashboards.
- Third-party service providers acting on our behalf or with your consent (Stripe, Memberstack, HubSpot, Google Analytics, our email infrastructure, and our hosting provider).
- Public sources, when reasonably necessary for due diligence on prospective institutional clients.
05 How We Use Information
We use the personal information we collect for the following purposes:
5.1 Providing the Services
- Creating, authenticating, and maintaining your account.
- Granting access to dashboards, reports, and member-only content based on your subscription plan.
- Processing payments, issuing receipts, and managing subscription renewals.
- Delivering advisory deliverables agreed in your engagement letter.
5.2 Communications
- Sending transactional emails (confirmations, receipts, password resets, security alerts).
- Notifying you of material changes to our policies or Services.
- Responding to your inquiries, support tickets, and refund requests.
- Sending newsletters and product updates (only where you have consented).
5.3 Security & Fraud Prevention
- Detecting, preventing, and investigating unauthorized access, suspicious transactions, or violations of our Terms of Service.
- Maintaining audit logs to support incident response and regulatory inquiries.
5.4 Improvement & Analytics
- Analyzing aggregate usage patterns to improve our content, navigation, and dashboard relevance.
- Measuring the performance of our outreach so we can spend marketing budgets responsibly.
5.5 Legal Compliance
- Meeting our obligations under applicable tax, accounting, anti-money laundering, and consumer-protection laws.
- Responding to lawful requests from public authorities, including to meet national security or law enforcement requirements.
06 Legal Bases for Processing
Where the GDPR or UK GDPR applies, we rely on one or more of the following legal bases to process your personal information:
- Contractual necessity: processing is necessary to perform a contract with you (for example, providing the services you purchased).
- Legitimate interests: processing is necessary for our legitimate business interests, balanced against your rights and freedoms (for example, securing our infrastructure or improving our Services).
- Consent: processing is based on your specific, informed, and freely given consent (for example, for marketing newsletters or non-essential cookies). You may withdraw consent at any time.
- Legal obligation: processing is necessary to comply with a legal obligation imposed on us (for example, retaining invoices for tax purposes).
- Vital interests: processing is necessary to protect your vital interests or those of another individual (rarely applicable to our Services).
07 Sharing & Disclosure
We do not sell your personal information. We share information only in the following limited circumstances:
7.1 With Service Providers (Processors)
We share information with vendors who process data on our behalf under written contracts that require confidentiality, security safeguards, and use restrictions consistent with this Policy. Our current processors include:
- Stripe, Inc. for payment processing and fraud prevention.
- Memberstack for authentication and member access control.
- HubSpot, Inc. for customer relationship management and email delivery.
- Google LLC for analytics, where consented (Google Analytics).
- Our cloud hosting provider, content delivery network, and email infrastructure.
7.2 With Legal Authorities
We disclose information when required by law, court order, subpoena, or other valid legal process, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
7.3 In Business Transfers
If we undergo a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you in advance where feasible and ensure that the receiving party honors the commitments made in this Policy.
7.4 With Your Consent
We may share your information with other parties when you ask us to or otherwise consent to such sharing, for example when you choose to publish content publicly.
08 Payment Processing
All card payments made through the Services are processed by Stripe, Inc., an independent payment processor certified at PCI-DSS Level 1, the highest level of certification available in the payments industry. We do not store, transmit, or otherwise have access to your full card number, CVC code, or expiry date. Stripe transmits this information directly from your browser to its own systems using strong encryption.
The information Stripe shares with us about each transaction includes the transaction amount, currency, status (successful, failed, refunded), card brand, last four digits of the card, country of issuance, and a fraud risk score. We use this information to fulfill orders, issue receipts, prevent fraud, and respond to chargebacks.
Stripe's handling of your payment data is governed by Stripe's own privacy policy, available at stripe.com/privacy.
For your protection, never share your full payment card number, CVC, or expiry date with us by email, chat, telephone, or any other channel. Always pay through our secure Stripe-hosted checkout, which you can identify by the padlock icon and the stripe.com domain in your browser.
09 Cookies & Tracking
We use cookies and similar technologies (including local storage, session storage, and pixel tags) to authenticate sessions, remember your preferences, secure our infrastructure, and measure site performance. Some cookies are strictly necessary for the Services to function; others are optional and only set with your consent.
For a full breakdown of cookie categories, durations, providers, and your options to opt out, please review our Cookie Policy, which forms part of this Privacy Policy by reference.
10 Data Retention
We retain personal information only as long as necessary to fulfill the purposes for which it was collected, satisfy our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:
- Account data: retained while your account is active, and for up to 24 months after account closure to allow account reactivation, handle late billing inquiries, and meet tax obligations.
- Billing and tax records: retained for at least 7 years following the end of the relevant fiscal year, as required by accounting and tax authorities in most jurisdictions.
- Communications and support tickets: retained for up to 36 months from the date of the last interaction.
- Marketing data: retained until you unsubscribe or request deletion, after which we maintain a minimal suppression list to honor your opt-out preference indefinitely.
- Security and audit logs: retained for up to 24 months to support incident response and regulatory inquiries.
Once a retention period expires, we either delete the relevant data or anonymize it so it can no longer be linked to you.
11 Security Measures
We implement layered administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These safeguards include:
- Encryption in transit: all communication between your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: databases and backups are encrypted using industry-standard algorithms.
- Access controls: access to personal information is limited to authorized personnel on a need-to-know basis and protected by multi-factor authentication.
- Password protection: user passwords are stored as one-way salted hashes; we never see your plaintext password.
- Regular reviews: we conduct periodic security reviews, vulnerability scans, and access audits.
- Incident response: we maintain a documented incident response plan and will notify affected individuals and authorities promptly where required by law in the event of a data breach.
No security system is impenetrable, and we cannot guarantee absolute security. You can help protect your account by using a strong, unique password, enabling multi-factor authentication where available, and reporting any suspicious activity to us promptly.
12 Your Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal information:
- Right of access: request a copy of the personal information we hold about you, together with information about how it is processed.
- Right to rectification: request that we correct inaccurate information or complete incomplete information.
- Right to erasure (right to be forgotten): request that we delete your personal information, subject to legal exceptions (for example, where retention is required by tax law).
- Right to restriction: request that we limit the processing of your information in certain circumstances.
- Right to data portability: receive your personal information in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
- Right to object: object to processing based on our legitimate interests, including profiling and direct marketing.
- Right to withdraw consent: where processing relies on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: file a complaint with your local data protection authority if you believe our processing infringes applicable law.
13 Exercising Your Rights
To exercise any of the rights listed above, please contact us at [email protected] with the following information:
- Your full name and the email address associated with your account.
- A clear description of the right you wish to exercise.
- Any information that will help us locate the relevant records.
We may need to verify your identity before fulfilling the request, particularly where the request relates to sensitive information or could affect another person's rights. We will respond to verified requests within 30 days, or such longer period as permitted by applicable law (in which case we will inform you of the delay and the reason).
We do not charge a fee for exercising your rights, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse to act.
14 International Transfers
The Way Policy Group operates internationally, and our service providers may be located in countries other than your country of residence, including the United States, the European Union, and the United Kingdom. The data protection laws of these countries may differ from those in your country.
When we transfer personal information across borders, we rely on appropriate safeguards to ensure your information receives an adequate level of protection. These safeguards may include:
- Standard Contractual Clauses (SCCs): as approved by the European Commission for transfers from the EU/EEA to third countries.
- UK International Data Transfer Agreement (IDTA): for transfers from the United Kingdom.
- Adequacy decisions: for transfers to countries that the European Commission has determined provide an adequate level of protection.
- Binding corporate rules or codes of conduct where applicable.
Copies of the safeguards we use are available upon request from our Privacy Office.
15 Children's Privacy
Our Services are intended for professional use by adults aged 18 and older. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will take reasonable steps to delete such information promptly. If you believe a child has provided us with personal data, please contact us at [email protected].
16 Third-Party Links
Our website and dashboards may contain links to third-party websites, plugins, or services. Clicking such links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy practices. We encourage you to read the privacy policies of every website you visit.
17 Automated Decision-Making
We do not engage in automated decision-making, including profiling, that produces legal effects concerning you or significantly affects you in a similar way. Stripe may apply automated fraud scoring to payment transactions; you can request a manual review of any declined transaction by contacting our billing team.
18 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in technology, regulation, our practices, or for other operational, legal, or regulatory reasons. The "Effective Date" at the top of this page indicates when the latest version took effect. Material changes will be communicated to you at least 14 days before they take effect, either by email or by prominent notice on our website. Your continued use of the Services after the effective date of any update constitutes acceptance of the revised Policy.
19 Contacting Us
If you have any questions, comments, or requests concerning this Privacy Policy or our handling of your personal information, please contact our Privacy Office:
- Email: [email protected]
- General contact form: available at twpolicygroup.com/contact
- Postal mail: attention "Privacy Office" at the address listed on our contact page
We will respond to all reasonable inquiries within 30 days.