Privacy Policy

This policy explains how we may collect and use your personal information and how you can control its use.


1.1 Protecting your data, privacy and personal information is very important to Thunderhead (One) Limited and its group companies (collectively “Thunderhead”, “our”, “us” or “we”).

1.2 This policy (together with our terms of use and any other documents referred to in it), sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by Thunderhead. Please read this privacy policy carefully to understand the types of information we collect from you, how we use that information, the circumstances under which we will share it with third parties, and your rights in relation to the personal data you provide to us.

1.3 This privacy policy applies only to your use of our website at (our “Website”), our direct marketing activities, recruitment, and product feedback. This privacy policy does not apply to use of the Thunderhead software-as-a-service solutions where we process Personal Data in the role of a processor on behalf of our customers.

1.4 Our Website contains links to third party websites. If you follow a link to any of those third-party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you submit any personal information to such third-party websites.


2.1 We may collect and process the following data about you:

Information that you provide to us. You will be asked to provide us with your information when you:

fill in forms on our Website;

correspond with us by phone, email or otherwise;

report a problem with our Website.

If you submit any data relating to a third party, you must ensure you have obtained clear permission from the individual whose data you provide us with before sharing that data with us. For the avoidance of doubt, any reference in this privacy policy to your data shall include data about other individuals that you have provided us with.

Information we collect about you. With regard to each of your visits to our Website we may automatically collect the following information:

device-specific information, such as your hardware model, operating system version, unique device identifiers, and mobile network information;

technical information about your computer, including where available, your IP address, operating system and browser type, for system administration and analytical purposes; and

details of your visits to, and activity on, our Website.

Information we receive from other sources. We may collect personal data provided to us by third parties (such as market research providers and business data repositories).

Children’s information. Our Website and services are not intended for or targeted at children under 16, and we do not knowingly or intentionally collect personal information about children under 16 If you believe that we have collected personal information about a child under 16, please contact us at, so that we may delete the information.


3.1 Use of personal information under EU and UK data protection laws must be justified under one of a number of legal “grounds” and we are required to set out the ground in respect of each use of your personal data in this policy. These are the principal grounds that justify our use of your information:

Consent: where you have consented to our use of your information (you are providing explicit, informed, freely given consent, in relation to any such use and may withdraw your consent in the circumstance detailed below by notifying us);

Contract performance: where your information is necessary to enter into or perform our contract with you;

Legal obligation: where we need to use your information to comply with our legal obligations;

Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights; and

Legal claims: where your information is necessary for us to defend, prosecute or make a claim against you or a third party.

3.2 We use information held about you (and information about others that you have provided us with) in the following ways:

Types of Information Collected Processing LocationProcessorUses of that Information Use Justification
First and last name, business phone number, mobile phone number, email address, job title, address, Twitter username, LinkedIn URL, details of Thunderhead events attended, marketing preferences. USOracle Eloqua


To market events, products and/or services provided by Thunderhead that we believe will be of interest to you. Legitimate interests (we will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to you).
Website visit and clickstream history, IP address, DNS lookups, page views, page view length, referring sources, device type, Website behavior (linked to first and last name and company).     USThunderhead One Inc.

Google Analytics

Oracle Eloqua
We use our own ONE Engagement Hub technology to provide insight on website user behavior to tailor marketing and Thunderhead interactions. To administer our Website and for internal operations, including research, data analysis and data statistics. Legitimate interest (to tailor marketing) Consent (to the extent we use cookies to obtain this information).
First and last name, work email, work and personal phone, address. USOracle Eloqua

Prospect information for sales account management and billing. Legitimate interest (to manage sale processes).
Name, email address and information provided in Website forms (including comments or questions) and related correspondence. USOracle Eloqua


To enable us to contact you/send information that you have requested. Contracts Performance (to take steps at the request of the data subject prior to entering into a contract).
First and last name, email addressEUDoceboInformation used by our Learning Management System (LMS) to track course completion status, leaning skills mappings, and evaluationsConsent
First and last name, email address, mailing address, phone number, work authorization status, resume, cover letter, and any other information you elect to provide to usUSJazzHR


To enable you to apply for positions, to match your qualifications with career vacancies, to conduct reference checks and confirm work authorization, to notify you about future career vacancies Contracts Performance
Name and email addressEUProdPadTo capture feedback and suggestions to improve our productsConsent
Name, email address, TitleUSSurveyMonkey

To capture feedback and suggestions to improve our productsConsent

3.3 When you communicate with us by telephone or video link, we may record the audio and/or video call for quality control, training, or marketing purposes. All recordings are stored securely. We will not share the recordings with any third party (unless we are required to do so by law) or distribute the recordings outside of the Thunderhead group of companies.

3.4 We will not sell your personal data (or any other data you provide us with) to third-parties; however, we reserve the right to share any data which has been anonymized and/or aggregated. You acknowledge and accept that we own all right, title and interest in and to any derived data or aggregated and/or anonymized data collected or created by us.


4.1 We may also disclose your personal information to third parties in the following circumstances:

Purpose of disclosure and third party(s) to which disclosure might be made Use Justification
We may disclose your personal information to our service providers, business partners, analytics providers and group companies (including Thunderhead One Inc).   Legitimate interests (to assist us in the provision of the Website and marketing and for improvement and optimization of the Website).
If Thunderhead or substantially all of its assets are acquired by a third party, personal information about our customers will be one of the transferred assets. Legitimate interests (to dispose of our business).
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation or to protect the rights, property, or safety of Thunderhead, our customers, or others. Legal obligation.
Fraud Prevention and checks. We and other organizations may also access and use your personal information to conduct credit checks and checks to prevent fraud. If false or inaccurate information is provided and fraud is identified or suspected, details may be passed to fraud prevent agencies. Legitimate interests (to assist with the prevention of fraud and to assess your risk profile)
We may disclose your personal information to third parties, the court service and/or regulators or law enforcement agencies in connection with proceedings or investigations anywhere in the world where compelled to do so. Where permitted, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime. Legitimate interests (to cooperate with law enforcement and regulatory authorities), legal claim.


5.1 We maintain commercially reasonable physical, electronic and procedural safeguards to protect your personal information in accordance with data protection legislative requirements. Please visit our Trust Center for more information.

5.2 Sensitive information between your browser and our Website is transferred in encrypted form using certificates issued by a trusted third-party authority. When transmitting sensitive information, you should always make sure that your browser can validate the Thunderhead certificate.

5.3 All information you provide to us is stored on our, or our subcontractors’, secure servers and accessed and used subject to our security policies and standards. We use hosted services (such as Oracle Marketing Cloud and Salesforce) in the course of our business, including for the provision of marketing and sales activities.

5.4 Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential and for complying with any other security procedures that we notify you of. We ask you not to share your password with anyone.


6.1 Your personal information may be accessed by staff or suppliers in, transferred to, and/or stored at, a destination outside the European Economic Area (EEA) or UK. Regardless of location or whether the person is an employee or contractor, we require that the recipient provide an adequate level of protection in accordance with the applicable Data Protection Laws and Regulations.

6.2 Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections to EEA data protection laws and therefore no additional safeguards are required to export personal information to these jurisdictions. In countries which have not had these approvals, we will either ask for your consent to the transfer or transfer it subject to European Commission approved contractual terms that impose equivalent data protection obligations directly on the recipient, or the Privacy Shield Framework unless we are permitted under applicable data protection law to make such transfers without such formalities.


7.1 Thunderhead complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Thunderhead has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit

7.2 The Federal Trade Commission has jurisdiction over Thunderhead’s compliance with the Privacy Shield. In certain situations, we may be required to disclose personal information requested by government authorities, including for national security or law enforcement purposes.

7.3 Thunderhead commits to cooperate with The UK Information Commissioner’s Office and/or the Swiss Federal Data Protection and Information Commissioner and comply with the advice given by UK Information Commissioner’s Office and the Swiss Federal Data Protection and Information Commissioner with regard to personal data transferred from the EU, EEA and Switzerland.

7.4 In the event Thunderhead transfers personal data covered by this Privacy Policy to a third party acting as a controller, Thunderhead will do so consistent with any notice provided to the subjects of that data and any consent they have given, and only if the third party has given Thunderhead contractual assurances that it will (i) process the personal data for limited and specified purposes consistent with any consent provided by the subjects of such data; (ii) provide at least the same level of protection as is required by the Privacy Shield Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the personal data or take other reasonable and appropriate steps to remediate if it makes such a determination. If Thunderhead has knowledge that a third party acting as a controller is processing personal data covered by this Privacy Policy in a way that is contrary to the Privacy Shield Principles, Thunderhead will take reasonable steps to prevent or stop such processing.

7.5 With respect to Thunderhead agents, Thunderhead will only transfer the personal data covered by this Privacy Policy needed for an agent to deliver to Thunderhead the requested product or service. In addition, Thunderhead will (i) permit the agent to process such personal data only for limited and specified purposes; (ii) require the agent to provide at least the same level of privacy protection as is required by the Privacy Shield Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with Thunderhead obligations under the Privacy Shield Principles; and (iv) require the agent to notify Thunderhead if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shied Principles. Upon receiving notice from an agent that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles, Thunderhead will take reasonable and appropriate steps to stop and remediate unauthorized processing.

7.6 Thunderhead remains liable under the Privacy Shield Principles if an agent processes personal data covered by this Privacy Policy in a manner inconsistent with the Privacy Shield Principles, except where Thunderhead is not responsible for the event giving rise to the damage.

7.7 In compliance with the Privacy Shield Principles, Thunderhead commits to resolve complaints about our collection or use of your personal information.  EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Thunderhead at: 

Thunderhead has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU and Switzerland in the context of the employment relationship.


8.1 We will hold the above information for as long as is necessary in order to conduct the processing detailed in the table above, deal with any specific issues that may raise, or otherwise as is required by law or any relevant regulatory body. Some personal data may need to be retained for a longer period of time to ensure Thunderhead can comply with applicable laws and internal compliance procedures, including retaining your email address for marketing communication suppression if you have opted not to receive any further marketing.

8.2 If information is used for two purposes, we will retain it until the purpose with the latest period expires but we will stop using it for the purpose with a shorter period when that period expires.

8.3 We restrict access to your personal information to those persons who need to use it for the relevant purpose(s). Our retention periods are based on business needs and your information that is no longer needed is either irreversibly anonymized (and the anonymized information may be retained) or securely destroyed. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.


9.1 Under the General Data Protection Regulation (EU) 2017/676, United Kingdom General Data Protection Regulation (UK GDPR), California Consumer Privacy Act (CCPA), and Privacy Shield Framework, you have various rights in relation to your personal data. All of these rights can be exercised by either:

Contacting our Data Protection Officer at:

If you are in the EU, you may also contact our EU representative at:

Calling us at:

  • North America: +1 877 838 8945
  • Europe: +44 (0) 203 695 4629

9.2 In certain circumstances, you have the following rights in relation to your personal data:

Rights Details
Right of Access You have the right to obtain from us information as to whether your personal data is being processed and, where that is the case, access to such personal data.
Right to Rectification We will use reasonable endeavors to ensure that your personal information is accurate. In order to assist us with this, you should notify us of any changes to the personal information that you have provided to us by sending us a request to rectify your personal data where you believe the personal data we have is inaccurate or incomplete.
Right to erasure / ‘Right to be forgotten’ Asking us to delete all of your personal data will result in Thunderhead deleting your personal data without undue delay (unless there is a legitimate and legal reason why Thunderhead is unable to delete certain of your personal data, in which case we will inform you of this in writing).
Right to restriction of processing You have the right to ask us to stop processing your personal data at any time.
Right to data portability You have the right to request that Thunderhead provides you with a copy of all of your personal data and to transmit your personal data to another data controller in a structured, commonly used and machine-readable format, where it is technically feasible for us to do so and the processing is based on consent or contractual performance.
Right to complain Although we encourage our customers to engage with us in the event they have any concerns or complaints, you have the right to lodge a complaint to a supervisory authority such as the UK Information Commissioner’s Office or the Swiss Federal Data Protection and Information Commissioner. Under certain circumstances, the Privacy Shield Framework provides the right to invoke binding arbitration to resolve complaints not resolved by other means.
Right to not be subject to discrimination for the exercise of rights Under no circumstances will Thunderhead refuse goods or services to individuals who exercise their consumer rights.  

9.3 When exercising these rights, Thunderhead will require verifiable proof of identity to confirm the identity of the requestor.

9.4 Thunderhead will not ordinarily charge you in respect of any requests we receive to exercise any of your rights detailed above; however, if you make excessive, repetitive or manifestly unfounded requests, we may charge you an administration fee in order to process such requests or refuse to act on such requests. Where we are required to provide a copy of the personal data undergoing processing this will be free of charge; however, any further copies requested may be subject to reasonable fees based on administrative costs.

9.5 Where you request Thunderhead to rectify or erase your personal data or restrict any processing of such personal data, Thunderhead may notify third parties to whom such personal data has been disclosed of such request. However, such third party may have the right to retain and continue to process such personal data in its own right.


10.1 Thunderhead uses cookies to distinguish you from other users. This helps us provide you with a good experience when you use our Website, personalise content and ads, provide social media features and to analyse our traffic. Please note that it is possible to disable cookies being stored on your computer by changing your browser settings. However, our Website may not perform properly or some features may not be available to you if you disable cookies.

10.2 For detailed information on the cookies we use and the purposes for which we use them, refer to our cookie consent preference center. These preferences can be updated at any time.

10.3 Most internet browsers are configured to automatically accept cookies. These settings can be modified to selectively accept, block cookies, or alert you when cookies are being sent to your device. Please refer to your browser’s documentation or visit for ways to manage cookies.


11.1 Questions, comments and requests regarding this privacy policy are welcome and should be addressed to

11.2 Thunderhead One Inc. has control over the sales and marketing activity in the U.S. and decides the purpose and means for how the personal data related to such activity in the U.S. is processed. Subject to the foregoing, the data controller is Thunderhead ONE Limited (company no. 08115007), with registered address at Stanford Building, 27A Floral Street, London WC2E 9EZ.


12.1 Any changes we make to our privacy policy in the future will be posted on this page, and where appropriate, notified to you by email. We therefore encourage you to review it from time to time to stay informed of how we are processing your information.

Last revised: 11 Nov. 2021