Privacy Policy

Who we are and how to contact us

Medlock & Thames is a named-dealer foreign exchange brokerage registered in England and Wales under company number 11973815. We act as the data controller for the personal information described in this policy, and we are registered with the Information Commissioner's Office under registration number ZA532056. If you would like to ask a question about how we handle your data, exercise any of the rights set out below, or raise a concern, you can write to us at info@medlockandthames.com and a member of the firm will respond. Where correspondence relates to a formal data protection request, we ask that you mark it clearly so that it can be routed to the right person without delay.

What personal data we collect and how

We collect personal data directly from you when you interact with our website, when you speak to one of our dealers, and when you become a client of the firm. From the website, the rate alert form asks for your name, email address, telephone number, the currency pair you are watching, and the target exchange rate at which you would like to be contacted. The newsletter sign-up asks only for your first name, last name, and email address. Booking and general enquiry forms collect the details you provide in order for a dealer to return your call, which typically include your name, contact details, and a short description of the transaction or service you are interested in. When you go on to open an account with us, we collect the further information required to satisfy our anti-money-laundering and know-your-customer obligations, including identity documents, proof of address, source-of-funds information, and, for corporate clients, ownership and control details. We do not knowingly collect special category data, and we ask that you do not send it to us unless we have specifically requested it for a defined regulatory purpose.

Why we use your data and our lawful basis

We use your personal data to provide the service you have asked for, to meet our legal and regulatory duties, and to run the firm responsibly. Where you are a client or are taking steps to become one, the lawful basis is performance of a contract: we need your information in order to execute trades, settle payments, and communicate with you about your account. Where we carry out identity verification, sanctions screening, transaction monitoring, and record-keeping, the lawful basis is compliance with a legal obligation under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and related financial-crime legislation. Where we contact you about currency markets, rate movements, or services we believe are relevant to your business or personal circumstances, the lawful basis is our legitimate interest in maintaining a dealer relationship with prospective and existing clients, balanced against your right to be left alone, and you can ask us to stop at any time. Where you have signed up to our newsletter or asked to receive rate alerts, the lawful basis is your consent, which you can withdraw at any time by using the unsubscribe link in any message or by writing to us at the address above. We do not carry out automated decision-making or profiling that produces legal or similarly significant effects.

How long we keep your data

We keep personal data only for as long as we need it. Enquiry information from prospective clients who do not go on to open an account is retained for up to twenty-four months so that a dealer can follow up on the original conversation, after which it is deleted or anonymised. Client records, including identity documents, transaction history, and supporting correspondence, are kept for a minimum of five years from the end of our business relationship in line with our anti-money-laundering obligations, and in some cases for longer where another legal or regulatory requirement applies. Newsletter and rate-alert data is kept for as long as you remain subscribed, and is removed promptly when you unsubscribe. Where data is retained beyond its active use for legal or evidential reasons, access is restricted to those who genuinely need it.

Who we share your data with

We share your personal data only with parties that are necessary to deliver the service or that we are required to share with by law. Our regulated payments and execution infrastructure is provided by Currencycloud, a Visa solution authorised by the Financial Conduct Authority under firm reference number 900199, and by GC Partners, the trading name of Global Currency Exchange Network Ltd, authorised by the Financial Conduct Authority under firm reference number 504346. To open and operate an account that uses these networks, we pass the relevant identity, contact, and transactional information to them so that they can carry out their own regulatory checks and execute settlement. We also use a small set of carefully selected processors to run the day-to-day operation of the firm: Zoho CRM is used to store lead and client records so that our dealers can manage relationships, and Resend is used to send transactional email such as confirmations and rate alerts. Our content management system holds the editorial content of the website and does not process client personal data. From time to time we may also share data with our professional advisers, auditors, or with law enforcement, regulators, and courts where we are legally required to do so. We do not sell your personal data to anyone, and we do not share it with third parties for their own marketing purposes.

Transfers outside the UK

Some of the providers described above operate infrastructure outside the United Kingdom, including in the European Economic Area and in the United States. Where personal data is transferred outside the UK, we rely on the safeguards recognised under UK data protection law, which include transfers to countries that the UK government has determined provide an adequate level of protection and, where no such determination exists, the International Data Transfer Agreement or the UK Addendum to the European Commission's Standard Contractual Clauses, supplemented where appropriate by additional technical and organisational measures. You can ask us for further detail on the safeguards that apply to a particular transfer by contacting us at the address above.

Cookies and tracking

Our website uses only those cookies that are strictly necessary for the site to operate and to keep it secure. We do not use analytics cookies, advertising cookies, or third-party tracking technologies, and we do not build behavioural profiles of visitors. We maintain a presence on LinkedIn, X, Facebook, and Instagram so that you can follow the firm if you wish; if you interact with us on those platforms, the platforms themselves will process your data under their own privacy policies, over which we have no control, and we would encourage you to read them before engaging.

Your rights

Under UK GDPR and the Data Protection Act 2018 you have a number of rights in relation to the personal data we hold about you. You have the right to ask for a copy of your data and to be told how we use it, the right to have inaccurate data corrected, the right to ask us to delete data where there is no good reason for us to continue holding it, the right to ask us to restrict the way we use your data while a question about it is resolved, the right to receive certain data in a portable format, and the right to object to processing that we carry out on the basis of our legitimate interests. Where we rely on your consent, you have the right to withdraw that consent at any time, and withdrawal will not affect the lawfulness of anything we did before you withdrew it. To exercise any of these rights, please contact us at info@medlockandthames.com. We will respond within one calendar month and will not charge a fee unless your request is manifestly unfounded or excessive.

How to complain

If you are unhappy with the way we have handled your personal data, we would like the chance to put it right, and we encourage you to contact us first so that we can investigate. You also have the right to complain to the Information Commissioner's Office, the UK supervisory authority for data protection matters. The ICO can be reached at ico.org.uk, by telephone on 0303 123 1113, or by post at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

Changes to this policy

We review this policy regularly and may update it from time to time to reflect changes in the way we operate, changes in the law, or changes in the providers we work with. Where a change is material we will draw it to your attention by a notice on the website or, where appropriate, by writing to you directly. The date at the top of this page shows when the policy was last updated, and earlier versions are available on request.