Privacy Policy

Last updated: January 2026

TTL Privacy Policy

This Privacy Policy has been issued by Thomas Telford Limited (also referred to as ‘TTL’, ‘we’, ‘us’, or ‘our’), the wholly owned subsidiary of the Institution of Civil Engineers (‘ICE’). We are a data controller for your personal data, and in this Policy we explain how we collect, use and protect your personal data. We know that transparency and trust are important. It’s also important to us that you enjoy using our products, services and websites in a safe and secure way.

About us and this policy
Why we collect your personal data
What types of personal data we collect
How we use your data
How we work with third parties
Third parties who pass information to us
What lawful bases do we rely on to process your data?
How long do we retain your data?
When may we send your data overseas?
How do we keep your data safe?
What are my data rights and how do I exercise them?
What if I live in China?
How can I make a complaint?

1. About us and this policy

TTL is made up of several business areas. This Policy applies to all products and services TTL offers.

You should read this Policy in conjunction with our Cookie Policy and the relevant Terms and Conditions for the product or service you access.

Our policies will be updated from time to time. Please refer back to these policies regularly to keep yourself updated.

This Policy applies to ‘users’ and ‘customers’ (or ‘you’) of TTL; that is anyone ordering, registering or interacting with any product or service from TTL. This includes, for example, subscribers, registered users, website users, app users, event attendees, and training course participants. This Policy refers interchangeably to ‘your information’ and ‘your personal data’. As a UK entity, our use of the term ‘personal data’ is by reference to the definition of that term in the UK General Data Protection Regulation (‘UK GDPR’); personal data are ‘any information which relates to an identified or identifiable natural person’.

If you have questions about this Policy or wish to exercise your data subject rights, please contact us by email: dataprotection@ice.org.uk.

Alternatively, please send correspondence to us at the following address:

Attn: Data Privacy team

Thomas Telford Ltd.

One Great George Street

London, SW1P 3AA

United Kingdom

Phone: +44 (0)20 7222 7722

Email: dataprotection@ice.org.uk

Website: https://www.thomastelford.com/

If you wish to speak to our Data Protection Officer, please contact them at dataprotection@ice.org.uk and direct your correspondence to the DPO.

We're registered with the Information Commissioner's Office. You can also contact them for advice and support.

2. Why we collect your personal data

We collect and store information about you in order to deliver our products and services. Information you provide to us directly, and information we gather based on your activity and from third parties, helps us to deliver relevant content and advertising to you, as well as create a more seamless experience across the products and platforms through which you may access our content.

3. What types of personal data we collect

What we collect	How we collect it	Purpose and legal basis
Business contact details (name, work email, phone, job title, department, employer, office location)	Forms on our sites (account registration, content downloads, demo/quote requests); Event registrations/webinars; Direct sales outreach and CRM updates; Public sources (company websites, professional profiles)	Purpose: Deliver requested content/services, create and maintain customer/prospect records, enable B2B sales/marketing communications. Legal basis: Contract (for requested services); Legitimate interests for B2B prospecting and service improvement; Consent where local law requires for electronic marketing.
Company role and professional profile (job/seniority, function)	User-provided in profile setup or surveys; Public sources and research; Customer submissions/imports	Purpose: Data enrichment and segmentation to improve relevance of communications and products. Legal basis: Legitimate interests in providing business intelligence and tailored content to professionals.
Account identifiers and authentication	During account setup; SSO/identity provider	Purpose: Provide secure access to our services, manage entitlements, and prevent unauthorised use. Legal basis: Contract; Legitimate interests in platform security.
Marketing preferences (subscriptions, opt-ins/opt-outs, cookie choices)	Preference centre, consent banners; Email footer links; Trust/Privacy Centre	Purpose: Honour user choices for marketing and data sharing; compliance with e-privacy/consumer laws. Ensure users can opt-out at any point. Legal basis: Consent (for non-essential cookies/e-marketing); Legal obligation (to record/act on preferences).
Transactional and billing data	Order forms, invoices, payment processors	Purpose: Fulfil orders, manage accounts/renewals, financial reporting, and tax compliance. Legal basis: Contract; Legal obligation (financial record-keeping).
Technical and usage data (IP address, device/browser info)	Automatically captured during website use (cookies, analytics)	Purpose: For security, performance monitoring, and improving user experience. Legal basis: Legitimate interests.
Lead enrichment attributes (firmographics: industry, size, revenue bands; contact verification status)	Our research and third-party providers; Customer contributions/imports; Public records	Purpose: Maintain accurate business records, enhance data quality for clients and campaigns. Legal basis: Legitimate interests in providing commercial insights; safeguards include data accuracy and opt-out mechanisms.
Event participation data (attendance, session scans, badge data)	Registration forms; On-site scanning; Virtual event platforms	Purpose: Event administration, follow-ups, content tailoring. Legal basis: Contract; Consent for sharing attendee lists with sponsors or for scanning.
Surveys & research contributions (responses, role context, optional comments)	Email or in-product surveys; Research panels	Purpose: Market research, product development, thought leadership. Legal basis: Legitimate interests; Consent where required for panel participation.
Communications data (emails, meeting notes, support tickets, call/chat transcripts, call recordings)	Direct communication with Sales/Support; Recorded calls with notice;	Purpose: Customer support quality, training, record-keeping, dispute resolution. Legal basis: Legitimate interests; Consent where recording laws require.

Information you provide to us

We collect information you provide us with, such as your contact details if you are a subscriber, to provide you with our services and products. Examples of the personal data we collect include:

Name
Postal address (including postcode)
Email address
Payment details
Job title
Work email
Company
Country
Industry

Information we collect through your use of our products

When you use any of our online platforms or apps we collect information that helps us to deliver the service you have chosen and to improve your experience. This is done through cookies and other similar technologies. Examples of the types of information we may collect are:

Browser
Email provider
The pages you read or otherwise access on our websites and apps, and how you navigated to them
Device
IP address
Internet connection
Location (in some cases)

Depending on where in the world you access our services, we may ask your consent to use certain cookies and technologies.

Information we receive from third parties

We work with third parties who may provide us with additional information that you have shared with them or have provided to a publicly available platform like LinkedIn. Some third parties may also share further information about your interaction on our sites to help us personalise our services to you.

Information we do not collect

We do not track or collect any sensitive information about you, unless there are exceptional circumstances. This is known as ‘special category data’ in some jurisdictions and includes information about a person’s race, ethnicity, health, religion, trade union membership, sex life, sexual orientation, genetic and biometric data, and political opinions. Please be aware that what constitutes ‘sensitive information’ can differ depending on where you are located in the world. For residents of China, we encourage you to review section 12 below.

4. How we use your data

We use your information for the following purposes:

i) To provide our products and services

To fulfil your orders and contracts with us (across all our products and services including NEC Contracts, NEC Training and ICE Training) this includes our third-party specialised payment providers.
To manage your access to our online content and apps, and to send you content via push notifications, newsletters and subscriptions if you have requested this.
To provide you with services where you attend our events.
To send you service notifications related to our products and services such as subscription renewal notifications, password resets and order confirmations.
To manage customer service queries and complaints.
To manage your privacy preferences and to ensure you only receive communications that you have requested, which may include using your details to suppress your contact details from our communications.
To send you administrative emails about your account, reminders of upcoming events, service changes or new policies. These updates, changes and notifications are essential for the services that you have selected.
To detect and reduce fraud including fraudulent orders.
To understand more about who you are and how you might engage with TTL products and services. From time to time we may analyse different data sources about you. For instance, where you choose to take part in TTL research including customer surveys we may analyse your answers in combination with other information you have provided us such as subscription information or data that shows how you interact with our websites and apps.

ii) To deliver marketing and advertising

We may send marketing communications via a range of channels, including email and push notifications. You can opt out of these at any time by using the unsubscribe button at the bottom of our emails and adjusting your app settings. We may contact you to tell you about special offers and related or similar products or services provided by TTL.

We may pass your information to our partners who may contact you with information regarding their own products and services such as other subscriptions or content services. Where required, we’ll tell you before we share this data and ask for your consent to do this. For corporate events attended by our business clients, we rely on our legitimate interests to collect and share personal data with event sponsors who may then choose to contact you about their services and products. Those parties are responsible for their use of your data and you should read their privacy policies carefully.

Depending on whether you are an individual customer or corporate client, and depending on where you are in the world, we will ask you to consent to our marketing or opt out of such communications when you first sign up to receive our products or services. You can also opt out of email marketing by clicking the unsubscribe link at the bottom of our emails. This does not apply to important service notifications such as payment confirmations, or where we have some other legal basis for contacting you.

In order to deliver marketing messages that are relevant to you, we may use the information we hold about you, including details that we collate from your use of our services or third parties, such as more precise information on your location or your company's profile (e.g. , company name, company size), to ensure that the messages are of interest to you.

iii) Social-media

TTL publishes content on social media platforms to reach current and potential customers. We may do this in two ways known as ‘organic’ and ‘paid’ methods:

‘Organic’ methods describe where content and/or offers are published on a social platform so that they may appear in your social platform’s content, without being promoted or forced to appear more prominently, such as NEC Contract’s LinkedIn page.
‘Paid’ methods describe where content and/or offers are published on a social platform so that they will appear more prominently, or be shown to users that do not currently follow NEC Contract’s social pages.

We may place one or more social-media platform ‘tags’ on our website in order to better understand how TTL may be of best value to you by providing you with the most relevant content available according to what you have chosen to read on our own websites. These tags only record information around events to help us understand if you are registered or subscribed with us, so that we may use your reading preferences to provide more relevant content and/or offers to you, on social media platforms.

How to turn off personalisation

If you don’t want us to personalise your experience using cookies, please turn off Analytics cookies in the cookie consent banner on our websites.

vi) TTL business-to-business services

Where you have a NEC Contracts subscription provided to you by a company or institution such as your employer, generally TTL and your group subscription account holder will be separate data controllers. This means we are separately responsible for how your data is processed. Depending on how your company accesses our content, some of your personal data, such as your email address, may be shared with us so we can register you with an account.

For group subscription accounts, we rely on analytics cookies to understand how you use the subscription. This usage data is aggregated so individuals cannot be identified. This means we do not need your consent for some analytics cookies that are non-essential for individual subscribers. You will be served with a notice in our cookies banner that explains this when you access your group account.

5. How we work with third parties

In some instances, we will share information with our third-party partners and service providers to deliver you our services or products, help us improve your experience with us, or when we are required to do so by contract or law. These third parties include agents, subcontractors, sponsors for our events, members of our corporate group, other associated organisations, and sometimes regulators or law enforcement agencies. When we share information with our third-party service providers, we have contracts in place to ensure the information remains secure and limited in use. We require all our third-party service providers take appropriate security measures to protect your personal data. We do not allow your personal data to be used by those third parties for their own purposes, and they may only process your data for specified purposes, and in accordance with our instructions. Some illustrative examples of when we share your information are:

To members of our corporate group, or to third parties to whom we may choose to sell, transfer or merge parts of our organisation. If this occurs, the new owners may use your personal data in the same way as set out in this privacy policy.
When you make a payment on any of our sites, your payment will be processed by a specialist payment processor to ensure a secure transaction. All payment processors used by TTL are compliant with required security standards. If you have any questions regarding secure transactions, please contact the Data Privacy team emailing dataprotection@ice.org.uk.
When you log on to your subscription account, a third party provider who specialises in online account management will manage your access including, for example, resetting your password.
When we send you an email or a push notification, these are delivered by marketing platforms. As part of this service, certain information such as whether the message was opened, clicks and formatting are recorded to help deliver the best email experience.
When we test and launch new products, services or offers, we may work with trusted third parties to support us.
Product development.
When we employ third parties to carry out statistical analysis and conduct surveys on our behalf, to support our advertising and content-production efforts respectively.
To provide information for auditing and legal purposes when required by our regulators.
We may share information with law enforcement agencies where we are required to do so by law or where we think it is necessary to protect our rights or those of others.
To enhance your profile with other personal and non-personal information.
To enable third parties such as sponsors to contact you with information about their own products and services that may be of interest – but only if you give explicit permission for us to do so.

6. Third parties who pass information to us

Our subscription services sometimes use additional information such as telephone numbers or postcodes from third parties (like researchers or telemarketing agents, who have gathered this information lawfully) to help us contact you with important service updates via phone or post or to help us make marketing decisions. This includes advertising (by ourselves or via advertising partners) to groups of people with particular interests. These third parties may give us access to your personal information, if you have allowed them to do so.

We may also work with third parties to identify individuals who may be interested in our products and services. These third parties may give us access to your personal information, if you have allowed them to do so. In any communication you receive from us, through these third parties, we make sure to identify ourselves (and them) so that you know who has access to your information. Generally, we will need your consent to contact you if we receive your information from a third party, although this will not always be the case. For business-to-business contacts for instance, we will rely on our legitimate interests to contact you with offers and products.

Please note that the collection, use, and disclosure of information by these third parties are described in their own privacy policies, and consequently may differ from that set out in this policy. We are not responsible for those third party privacy policies where the other party is a separate data controller, and you should ensure that you have read and understood all applicable privacy policies before proceeding.

7. What lawful basis do we rely on to process your data?

We need to identify a legal reason, or ‘lawful basis’, to process your personal data.

Other than where we have asked for your consent, we mainly rely on two other separate lawful bases to lawfully use your information.

First, we need to use your information in certain ways to provide our products or services to you, in accordance with our contract(s) with you. In this case, it is necessary for us to use your information so that we can deliver the products or services you have chosen.

Second, as described in more detail below, in certain cases we may use your information where necessary to further our legitimate interests, where those legitimate interests are not outweighed by any negative impact on your rights or interests. Some of the purposes for which we may process your data based on our legitimate interests include:

To measure customer and user response and engagement with our products and services such as online content, email newsletters and subscription offers. This may include sharing your information with third parties who help us to analyse and measure these outcomes.
To ensure our products (including websites and apps) are compatible with the browsers and operating systems used by most of our visitors.
To help us improve our customer and user experience and to support product development. We may send customer satisfaction surveys and market research questionnaires (for which we may share your information with third party suppliers employed by us).
To create audience profiles for marketing or research and development on and off our websites.
To detect and reduce fraudulent activity and for other security-related purposes such as to help us protect against harassment, IP infringement, crime or other security issues.

You have the right to object to any of the above uses of your information, so please contact us by emailing dataprotection@ice.org.uk if you wish to do so. We will consider all objections reasonably, but there may be legal reasons where we deem that the use of your information is still necessary and reasonable in the circumstances. We will explain our decision to you in a timely manner.

We may share your personal data with third parties for any purpose required by law or regulation and to verify information that we provide to third parties for compliance and audit purposes.

Below, we outline the lawful bases we rely on to process your data and examples of the types of data we collect under each basis.

Consent

Marketing - generally, depending on where you are in the world, if you’re a new customer, we need your consent to send you marketing.

Legitimate interests

Marketing - if you’re an existing customer, we may rely on our legitimate interests to send you information about new products.
Marketing – where we identify business-to-business contacts who may be interested in our products and services we will rely on our legitimate interests to contact you with relevant information.
Personalised content.

Necessary for performance of a contract

Manage subscription payments.
To identify customer usage data for group subscription accounts.
To send subscribers important service messages.

Defence of a legal claim

In circumstances where TTL commences or defends a legal claim involving the processing of personal data.

Required by law

For tax and auditing purposes.

We may from time to time process special category data or criminal conviction data. We will only do this where we can rely on an additional lawful basis to process your data and where necessary we will identify substantial public interest conditions for such processing.

8. How long do we retain your data?

We securely store your information, and hold it for as long as reasonably necessary to fulfil the purposes for which it was collected, as set out at section 4 above, in accordance with (i) applicable law, or (ii) as long as is set out in any relevant contract you have with us.

We review our retention periods for personal information to comply with the Data Minimisation and Limitation Principles in data protection law, to ensure we only collect and retain the data we need to serve you with our services and products.

As a customer, if you have not interacted with us after four years, we will cleanse or delete your data. Sometimes we may need to keep it for longer periods; for example, tax and other financial regulations may require us to keep certain information for seven years. We may need to retain some information for longer due to legal or human-resources reasons. If you request that we no longer contact you, for example with marketing communications, we will retain the minimum amount of information about you so that (i) if you are a customer, we can continue to fulfil our obligations to you, (ii) we can ensure we remove you from any future communications and (iii) we comply with any legal or regulatory obligations that we may have. Please note that if you ask us to completely remove all information about you, and you subsequently use our products and services at a later date, we will no longer be able to recognise your previous request not to be contacted, which is why we would keep it and suppress it in line with industry standards.

9. When may we send your data overseas?

As a global company, we have offices in different locations and we work with trusted third parties around the world. This means we may collect and share your personal information internationally, including outside of the United Kingdom and European Union. Generally, we will notify you when we do this and always ensure we can rely on an approved UK Government adequacy decision, the UK extension of the EU-US Data Privacy Framework, or have appropriate legal safeguards in place such as the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (SCCs) to protect the transfer of data.

10. How do we keep your data safe?

We take information security seriously. We implement reasonable and appropriate technical and organisational measures designed to protect your personal information against accidental or unlawful destruction, loss, change, or damage. We limit who has access to your information and ensure that those who do are bound by contracts to keep your information restricted and safe.

11. What are my data rights and how can I exercise them?

You have the following rights in relation to any personal data that we hold about you:

to request a copy of your personal data;
to request the correction of any mistakes in your personal data;
to request the deletion of your personal data in certain circumstances;
to request, in certain situations, to receive the personal data you have provided us, in a structured, commonly used and machine-readable format, and to transmit that data to a third party if technically feasible;
to object, at any time, to our processing of your personal data for direct marketing;
to object, in certain situations, to our continued processing of your personal data;
to request, in certain situations, the restriction our processing of your personal data;
to withdraw your consent, at any time, where we rely on your consent to process your personal data; and
the right to complain to us about any data protection concerns you may have.

If you wish to exercise any of the rights set out above, please contact us at dataprotection@ice.org.uk.

If you submit a rights request, we may ask you to provide information to help us confirm your identity and ensure your right to access your personal data.

We try to respond to all legitimate requests within one month. Sometimes it could take us longer than one month to respond if your request is particularly complex, you have made a number of requests, or if we are waiting for clarification from you. In this case, we will notify you and keep you updated.

Please be aware that there are circumstances in which complete erasure of your information will not be possible for operational, legal and business reasons. This may include if you remain a TTL customer for whom we need to provide services, or where we need to retain some of your details in order to facilitate a ‘Do Not Contact’ request by keeping you on a suppression list.

12. What if I live in China?

If you are a resident of the People’s Republic of China (‘China’) and TTL processes your personal information, the Personal Information Protection Law (‘PIPL’) applies to you. Please be aware that other parts of this privacy policy may also apply to you.

For residents of China, we may use your information to:

administer your subscription to NEC Contracts and other TTL products and services;
communicate with you regarding the products and services TTL provides to you and send you marketing and other promotional information, with necessary lawful bases; and
gather research for our TTL businesses.

TTL does not intentionally or actively process any sensitive information of China residents. In the event we do this for specific processing activities, we will provide a privacy notice.

Where we process your information, you have certain rights under the PIPL, including the:

right to know;
right to decide relating to your personal information;
right to consult and copy;
right to data portability;
right to correction;
right to deletion;
right to withdraw consent; and
right to request personal information handlers explain personal-information handling rules.

To exercise these rights, please contact dataprotection@ice.org.uk.

Transfer of your personal data outside China

In order to fulfil and manage the transactions of China residents with TTL and to ensure robust information security, we may transfer some of your information we collect to our affiliate companies outside China. Where required, we have contractual safeguards in place and will comply with applicable legal requirements in China.

Where required, we will ask for your general or separate consent to relevant data processing activities.

13. How can I make a complaint?

If you wish to make a complaint about how we use your personal data, please contact us by emailing dataprotection@ice.org.uk. We hope that we can resolve any query or concern that you may have.

You also have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk).

FAQs

How can I see what information you hold on me?

You can contact us at dataprotection@ice.org.uk and our data privacy team will process your request.

How do I opt out of profiling?

Depending on where in the world you access our services you can opt in or out of profiling by managing your cookie preferences.

How do I opt out of marketing?

You can update your preferences at any time, or by contacting customer services (see ‘Contact Us’). You can also opt out of email marketing by clicking the unsubscribe link at the bottom of our emails.

How do I make a complaint?

If you have a complaint regarding any aspect of your personal information or this privacy policy, please contact the Data Privacy team at dataprotection@ice.org.uk. If you are still not satisfied with the outcome of your complaint, you may write to the Information Commissioner's Office as set out below.

Can I write to the Information Commissioner’s Office (the ‘ICO’)?

Yes, you have the right to raise a concern with the ICO about how we handle your personal data at: https://ico.org.uk/ The ICO recommends that, before raising a concern with them, you first raise your complaint with the organisation handling your information.

How long do you hold my information for?

We generally hold your customer information for up to four years after our last interaction with you. It may be seven years or longer if required for financial, tax or legal reasons.

Can I ask you to delete my information?

Yes, just contact us. We will consider your request and take appropriate action which may mean that we suppress it, rather than delete it to ensure that we can still follow your preferences as to whether or not we can market to you, or to comply with legal, contractual or regulatory reasons.

How do I manage my cookie preferences?

You can use our cookie consent tool. For more information please also see our cookie policy.

What are my rights under the GDPR?

You have several privacy rights, including the right to ask us for information we hold about you by making a subject access request. For more information, please see the “What are my data rights and how can I exercise them?” section of the Privacy Policy.

How can I contact TTL?

If you have questions about this policy or about your personal information, please contact dataprotection@ice.org.uk