We collect personal data in the following ways:

• Directly from you when you create an account, use the platform, subscribe to updates, or contact us.
• From your organisation when it registers as a client and nominates you as an authorised user or contact.
• From official and reputable data sources including Companies House, UK sanctions and regulatory registers, VAT validation and other public business registers where those sources contain personal data relating to directors, officers, persons with significant control, beneficial owners or other business contacts.
• Automatically, through cookies and similar technologies when you visit our website or access the platform. Further information, including the cookies used and how to manage your preferences, is set out in our Cookie Policy at [cookie-policy].

We process personal data only where we have a lawful basis to do so. The main purposes and corresponding legal bases are:

• Providing and administering the platform and services (creating accounts, authenticating users, delivering search and verification functionality, maintaining audit trails). Legal basis: performance of a contract or taking steps at your request prior to entering into contract; and/or our legitimate interests in operating a secure business verification service.
• Managing our client relationships, including billing, service communications, training, and support. Legal basis: performance of a contract; legitimate interests in managing our business.
• Operating and securing our website and systems, including monitoring for misuse, security incidents and fraud. Legal basis: legitimate interests in maintaining network and information security and preventing abuse of our services.
• Complying with legal and regulatory obligations, such as record-keeping, responding to lawful requests from public authorities or exercising legal rights. Legal basis: compliance with legal obligations; establishment, exercise or defence of legal claims.
• Improving and developing our services, including analytics on aggregated or de identified usage data. Legal basis: legitimate interests in improving and developing our products and services; where required, consent.
• Sending you service-related communications and, where permitted, relevant information about updates or improvements. Legal basis: performance of a contract and/or legitimate interests; for some forms of electronic marketing, consent or the “soft opt in” under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) as applicable.

Where we rely on consent, you may withdraw that consent at any time using the methods described in this Privacy Policy or in the relevant communication.

The platform connects to official and third-party data sources in order to retrieve business verification information. Depending on the services used, this may include public authorities and registries, regulated data suppliers, sanctions and watchlist providers, VAT validation services, payment service providers, cloud hosting providers, customer support providers, cybersecurity providers, analytics providers and professional advisers.

Where third parties process personal data on our behalf, they act as our processors under written contracts and may process personal data only on our documented instructions and in accordance with applicable law. Where we obtain personal data from public registers or other independent sources, those organisations act as separate controllers of their underlying datasets.

We do not control the content of third-party source data and do not guarantee that data supplied by those sources is complete, current or error-free, although we take reasonable steps to ensure that our integrations and retrieval processes operate as intended.

Our primary hosting and processing locations are within the United Kingdom and/or European Economic Area (EEA). If we need to transfer personal data outside the UK or EEA, we will ensure that appropriate safeguards are in place, such as adequacy regulations or standard contractual clauses, in accordance with UK GDPR.

We do not carry out solely automated decision-making, including profiling, which produces legal effects concerning you, your business, suppliers or customers or similarly significantly affects you. The platform provides verification and due diligence information to business users to support their own assessment and decision-making processes, and any action taken by a user or client organisation remains subject to human review and judgement.

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy and to comply with legal, regulatory, accounting and record-keeping obligations, after which we delete or irreversibly anonymise it.

In general, we apply the following retention periods unless a longer period is required by law, regulation, the handling of a complaint or dispute, or the establishment, exercise or defence of legal claims:

• Account registration and profile information: for the duration of the account and for up to 6 years after account closure or end of the client relationship.
• Contract, billing and transaction records: for up to 6 years from the end of the relevant financial year or termination of the relevant contract.
• User activity logs, audit trails and security records: typically 12 months, and up to 6 years where required for compliance, incident investigation or legal claims.
• Communications, support requests and complaints: up to 6 years after closure of the relevant matter.
• Technical usage data and cookie-related records: for the periods set out in our Cookie Policy or, where relevant, for up to 12 months from collection unless a longer retention period is justified for security or compliance reasons.
• Business registry data retrieved through the platform: retained only for so long as necessary to provide the service, maintain appropriate audit records and meet legal or regulatory obligations, and in any event subject to our internal retention controls.

Under UK GDPR (and, where applicable, EU GDPR), you have several rights in relation to your personal data, subject to certain conditions:

• Right of access – to obtain confirmation as to whether we process your personal data and to receive a copy.
• Right to rectification – to request correction of inaccurate or incomplete data.
• Right to erasure – to request deletion of your personal data in certain circumstances.
• Right to restriction – to request we restrict processing in certain circumstances.
• Right to object – to object to processing based on our legitimate interests and to object at any time to direct marketing.
• Right to data portability – to receive certain data in a structured, commonly used and machine readable format and to have it transmitted to another controller where technically feasible.
• Right to withdraw consent – where we rely on consent, to withdraw it at any time, without affecting the lawfulness of processing before withdrawal.

You may exercise these rights by contacting us using the details above. We may need to verify your identity before responding to your request and will respond within the timeframes set by applicable law.

If your query relates to data for which we act only as a processor on behalf of a business client, we may direct you to contact that client as the relevant data controller.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) or, where applicable, another competent supervisory authority.

You can contact the ICO at:
https://ico.org.uk/ using the contact form or LiveChat function, or via post:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, disclosure or destruction, considering the nature of the data and the associated risks. However, no electronic transmission or storage is completely secure; if you believe your interaction with us is no longer secure, please notify us immediately using the contact details above.

Our platform and services are designed for business users and are not intended for use by children. We do not knowingly collect personal data relating to individuals under 18 in the ordinary course of our business.

Based on the nature of our activities, we assess our position against the ICO’s data protection fee and registration guidance on a regular basis and will update our registration or reliance on any available exemption where the law or our processing activities change.

We may update this Privacy Policy from time to time to reflect changes in law, regulation or our services. Any updated version will be published on our website with a revised “last updated” date and, where appropriate, notified to clients or users via the platform. You should review this page periodically to ensure you are aware of any changes.