Thank you for trusting ComplyFirst Limited (we, us or ComplyFirst) to be responsible for your personal data. We respect your privacy and are committed to protecting your personal data.
Any data that we collect through our website or generally when providing you with our other services shall be known as the Customer Data, and any data collected specifically through the software services known as the ComplyFirst Data.
The software services prioritise your security and privacy by implementing privacy by design and data minimisation principles. We are conscious of the sensitivity of personal data, particularly within the financial sector. As such, we aim to collect as little personal data from our users as possible (and the only personal data we collect by default through the software services are names and email addresses of users, as well as date and place of birth of shareholders or other mandatory details required for regulatory reporting which you upload via the software services).
This policy also informs you about your privacy rights and how the law protects you. It does not cover any third party website you have used to access our websites or software services, any third party websites that you access from them, or any interactions between users which have not been conducted via our website or software services.
It is important that you read this policy so that you are fully aware of how and why we are using your data.
- WHO WE ARE
- Contact Details
Our full details are:
Email address: [email protected]
Postal address: 12 Lower Hatch Street, Dublin 2, Dublin, D02 R682, Ireland
- Under the UK General Data Protection Regulation or the EU General Data Protection Regulation (collectively GDPR) and other relevant data protection legislation, including the UK Data Protection Act 2018 and the Irish the Data Protection Acts 1988 to 2018, we act as both a controller (i.e., where we make decisions) in relation to your personal data that we collect, as well as a processor (i.e. process data broadly in accordance with your instructions).
When we act as a Processor: When our users you use the software services to process other peoples’ personal data, or make decisions regarding their own personal data, we act as a processor. Under these circumstances, you may, as a user, act as a controller or processor yourself, and we will act as either a processor or a sub-processor. Any ComplyFirst Data is processed by us strictly as a processor.
When we act as a Controller: By contrast, when we collect personal data and determine the purposes and means of processing that personal data – for example, when we store account information for account registration, administration, services access, or contact information as explained below – we act as a controller. This policy is intended to tell you more about the ways in which we process your personal data as a controller.
- Third-Party Links
- WHAT KIND OF PERSONAL DATA DO COMPLYFIRST PROCESS?
INFORMATION YOU SUPPLY TO US
- General Personal Data: This is personal information about you that you share with us by online forms on our website, through email, through the post, on the telephone, when you complete customer surveys, engage with our customer services team, or by any other means.
Typically, when you sign up to use the software services as a user, you may be asked to provide information about yourself, including your full name and email address, alongside other non-personal details.
You may also, on behalf of your organisation, provide details such as the date and place of birth of shareholders or other mandatory details required for regulatory reporting, uploaded via the software services
There are parts of our software services that may offer users the opportunity to upload text into free form fields or provide the option to bulk upload redacted data if there is a need to provide further evidence in relation to, for example, a customer complaint.
In such case, you would be the controller of such data and you would be responsible for redacting the uploaded documents adequately (as to remove any personal data). Where you do share personal data relating to third parties via the software services, you must ensure you have a lawful basis to do so.
- Financial Details: We currently only accept payment by bank transfer, and so will only collect your organisation’s bank account details where you are a supplier (to make payments), or where we need to refund any money to you (as a customer). All details will be held securely.
- Verbal Information: If you provide verbal personal information that you give us consent to use you will have such consent confirmed back to you in writing.
- Marketing Strategy: If in future you will be able to communicate your preferences in receiving marketing from us and our third parties and your communication preferences (including details you provide when you opt-in to receive marketing communications from us) will constitute information you supply to us.
- Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our software services). In this case, we may not be able to provide those services.
PERSONAL DATA WE COLLECT
- Telephone Recordings: We may in future record telephone conversations may be recorded for training or monitoring purposes, but you will be notified of that at the time.
- Technical Data from our Websites: We use certain technical services to gather technical data online whenever you use our website (as a visitor) or software services including information about your device and your visits to our website or software services such as your IP address, geographical location, browser type, referral source, internet service provider (ISP), clickstream data, browser type and language, time zone, length of visit and pages viewed, date or time stamps weblogs and other communication data. Please see our cookies policy for further detail, which can be found here.
Where logged in, you will be personally identifiable from the technical data we collect using the software services, as it will be tied to your specific user account.
PERSONAL DATA WE RECEIVE FROM THIRD-PARTIES
- Device Data: analytics providers such as Google or Hubspot; and search information providers such as Google.
- Social Media: ComplyFirst may use social media, which will provide us with publicly available information through social media sites, such as Facebook, Instagram, LinkedIn, Twitter, and Google, including where you engage with us through social media sites.
- Publicly Available Information: we may collect personal information about you from other publicly available sources. This can include your name, address and other publicly available information. As far as possible, we ensure that where any third-parties are involved in suppling such information, that they are compliant to do so. This may include credit reference agencies such as Experian, public registers such as the UK Companies House registry, the Financial Services Register, the Irish Companies Registration Office or the relevant electoral registers.
KEEPING YOUR PERSONAL DATA UP TO DATE
- It is important that the data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
- WHAT INFORMATION IS NOT COLLECTED?
- We do not intentionally collect sensitive personal data or special category data (including details about your race or ethnicity, religious or philosophical beliefs, medical information, sex life, sexual orientation, political opinions, trade union membership, genetic and biometric data, social security numbers). Nor do we collect any information about criminal convictions and offences.
We require all of our customers to agree to procure that those using the software services do not use them to process such data, but do not actively monitor content uploaded or processed using the software services and are not responsible for enforcing those terms.
If you are reviewing this policy because you believe your data has been used in violation of those terms, please contact us.
- If you're a child under the age of 18 (or are otherwise younger than the legal age limit required in the country in which you reside), you may not have an account on ComplyFirst. ComplyFirst does not knowingly collect information from or direct any of our content specifically to children under relevant ages. If we learn or have reason to suspect that you are a user who meets these criteria, we will unfortunately have to close your account.
- HOW IS INFORMATION USED?
- We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you, to keep internal records for administration purposes related to such contracts, for the purposes contemplated in any separate customer terms https://complyfirst.co/terms-and-conditions that your organisation has entered into, including for the purposes set out in the “Our Standard Business Operations” section below. This is the ground we rely upon to process third-party data our users upload when using the software services.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
- Generally, we do not rely on consent as a legal basis for processing your personal data other than as set out below in relation to marketing. We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.
- Our Standard Business Operations:
- To provide the software services that we contract to provide to you or others;
- To provide you with information that you request from us;
- To confirm your identity as a natural living person; and
- As part of our billing, payments and recovery processes.
For example, we may use contact information to notify you of any issues which might impact the provision of the software services to you, confirm your bookings placed via the software services, respond to requests that you make, or notify you of changes to your account or the software services.
We may in future maintain contact lists (with email addresses and other information) to allow us to communicate with individuals who do business with us or who have expressed an interest in our software services.
We may use your identity, contact, technical, usage and profile data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
If you subscribe for these features, we may contact you for marketing purposes, both to inform you of any updates or news in relation to us or the software services or to otherwise inform you of information related to our business or your account with us (direct marketing relating to ComplyFirst), or, if you have opted in to this feature, we may also send third party direct marketing communications to you via email, or other mediums.
You will be able to ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us, as appropriate, at any time.
We will never sell your personal data to any third party (as noted below).
- Change of Purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
- Legal Requirements
We will keep and use your data in terms of any legal or regulatory requirements that we have and can use your data to protect our legal position, if legal action is required, including the recovery of any outstanding debts.
By way of further example, we will share your personal data with the relevant agencies and without notice, where we are requested to or suspect fraudulent activities, money laundering, terrorist related activities or other illegal behaviours.
- Enhancing the software services
We may use personal data (other than that comprised in private Customer Data) for the purposes of providing or enhancing our Services and products.
- Website Administration and Customisation
We may use the information we collect about you for a variety of website administration and customisation purposes. For example, we use your information to process your registration request, provide you with services and communications that you have requested, send you email updates and other communications, customise features and advertising that appear on our websites, deliver our websites content to you, measure Website traffic, measure user interests and traffic patterns, and improve our websites and the software services and features offered via our websites.
- Aggregated or Non-Identifying Information
Non-identifying information includes information collected from or about you that does not personally identify you. Aggregated information is similar, but includes bulk data about, for example aggregate volumes of complaints.
Insofar as aggregated or non-identifying information forms part of the ComplyFirst Data, ComplyFirst will not use such information for any purpose, and it is treated as strictly confidential in accordance with our customer terms (i.e. your or your organisation’s name or identity will never be associated with the data), but we do reserve a right to use aggregated or anonymised data (for example, in respect of aggregate or average complaint levels or reports of fraud, for the purposes of benchmarking customers).
- WHAT INFORMATION IS SHARED?
- We do not disclose personal data outside ComplyFirst, except in the situations listed in this section or in the section below on Compelled Disclosure, but may have to share your personal data with the categories of processors or controllers set out below for the purposes set out above or otherwise below:
- any member of our group, which means our subsidiaries, our ultimate holding company, FDJ Ecommerce Ltd t/a ComplyFirst, a company incorporated in England under registered company number 725307 and its subsidiaries, as defined in section 1159 of the Companies Act 2006;
- with HM Revenue & Customs, the Irish Revenue Commissioners, the FCA, and other authorities and regulators acting as processors or joint controllers based in the United Kingdom and Ireland who require reporting of processing activities in certain circumstances (excluding private ComplyFirst Data – unless we are subject to a Compelled Disclosure);
- with third party purchasers, if we buy, sell or merge any business or assets of our business and are required to share data as part of the buying, selling or merger agreement or if our assets are acquired by a third-party, and data is transferred as part of the purchased assets. If any such change happens, we will ensure that it is under terms that preserve the confidentiality of your personal data, and we will notify you on our website or by email before any transfer of your personal data. Any purchaser would be bound by the terms of this policy and our Customer Terms https://complyfirst.co/terms-and-conditions;
- with the FCA or other financial regulatory authorities, where you elect to permit such disclosures as part of your use of the software services, or where we are subject to a Compelled Disclosure;
- with professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services, where they have a strict need to know same for any of the purposes set out above;
- with specific selected third parties, determined by us, where they have a strict need to know same, if you breach any agreement with us, so as to enforce our rights against you, including credit-reference agencies, debt-collection firms or service providers, solicitors or barristers and law enforcement agencies (if applicable);
- with other service providers acting as processors based in the European Union or United Kingdom who provide IT and system administration services, including for the performance of our contract with you, as set out below: When we transfer your data to our service providers, we remain responsible for it:
- with email marketing services to send marketing emails where you have opted in to receiving them. You will be able to unsubscribe directly from any mailing list using the unsubscribe links provided within emails;
- with analytical service providers, such as Google Analytics or Hubspot Analytics, in order to analyse our website traffic or usage of our software services to improve products and services;
- with external software development agencies, based in the UK or EU, in order to assist us in the provision of our software services;
- with processors offering software tools, or EU or UK based external servers (including externally provided original and backup servers), that are used to store personal data provided by you on our behalf (our current servers are maintained by Amazon Web Services, whose privacy policies are available at https://aws.amazon.com/privacy/. By default, and unless we have agreed otherwise in writing with the location of these servers will be within the EU; and
- with providers of cloud-based customer relationship management tools, who may also facilitate complaint and customer support ticketing and communications, and host such data, such as HubSpot, whose privacy policies are available at: https://legal.hubspot.com/privacy-policy.
- We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process the minimal personal data required for the specified purposes, in accordance with our instructions, where they have agreed to privacy restrictions similar to our own policy.
- We do not share, sell, rent, or trade personal data with third parties for their commercial purposes.
- We may also share personal data with your permission, so we can perform services you have requested.
- HOW IS MY INFORMATION SECURED?
- ComplyFirst takes all measures reasonably necessary to protect personal data from unauthorised access, alteration, or destruction, maintain data accuracy and help ensure the appropriate use of personal data. We follow reasonable industry standards to protect the personal data we hold, both during transmission and once we receive it.
- In addition, we limit access to any personal data to those employees, agents, contractors, service providers and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to duties of confidentiality.
- We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
- No method of transmission, or method of electronic storage, is 100% secure. Although we will do our best to protect your personal data, we cannot guarantee its absolute security. Any transmission is at your own risk.
- HOW IS INFORMATION COLLECTED AND STORED GLOBALLY?
- Information that we collect will be stored and processed in the United Kingdom and European Union in accordance with this policy. Where required by law to facilitate such processing, we will ensure that they sign data transfer agreements such as EU standard contractual clause agreements or the UK international data transfer agreement.
- In particular:
- we provide clear methods of unambiguous, informed consent at the time of data collection, when we do collect your personal data and if applicable. Where consent is not the applicable ground for processing, we will ensure that it has an appropriate ground for processing any personal data (including but not limited to contractual obligation or legitimate interest);
- we collect only the minimum amount of personal data necessary, unless you choose to provide more. We encourage you to only give us the amount of data you are comfortable sharing;
- we offer you simple methods of accessing, correcting, or deleting the data we have collected; and
- we provide our users notice, choice, accountability, security, and access, and we limit the purpose for processing. We also provide our users a method of recourse and enforcement.
- WHAT HAPPENS IF I HAVE A COMPLAINT?
- If you have concerns about the way ComplyFirst is handling your personal data, please let us know immediately. We want to help and there are several ways available that you can contact us. You may also email us directly at [email protected] with the subject line "Data Privacy". We will do our best to respond as soon as we can, unless required to respond earlier under relevant law.
- If you are a data subject based in the UK or European Union, you may have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk), the Irish Data Protection Commission, the ROI supervisory authority for data protection issues (https://www.dataprotection.ie/) or other competent supervisory authority of an EU member state if the software services are accessed outside the UK or Ireland.
We would appreciate the chance to deal with your concerns before you approach such bodies so would ask that you please contact us in the first instance.
- HOW DO YOU RESPOND TO COMPELLED DISCLOSURE REQUIREMENTS?
- ComplyFirst may disclose personal data or other information we collect about you to law enforcement in response to a valid subpoena, court order, warrant, or similar governmental order.
- In complying with court orders and similar legal processes, ComplyFirst strives for transparency. When permitted, we will make a reasonable effort to notify users of any disclosure of their information, unless we are prohibited by law or court order from doing so, or in rare, exigent circumstances.
- HOW CAN I ACCESS MY OWN PERSONAL INFORMATION?
If you're already a user, you may access, update, alter, or delete your basic user profile information by editing your user profile or contacting us.
Under certain circumstances, where you are a citizen of the European Union or UK, you have rights under data protection laws in relation to your personal data under GDPR.
You have the right to:
- Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a (transferable) copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.
- Please note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- In relation to profiling you have the right not to be subject to solely automated decisions and where we make such automated decisions, you have a right to have a person review the decision.
- Withdraw consent at any time (or object to processing) where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact us.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
Where you exercise one of your rights, we may need to request specific information from you to help us confirm your identity and ensure your right to exercise such rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
- DATA RETENTION AND DELETION
Personal Data Generally
- We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
- To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Personal data which ComplyFirst considers to be of less relevance to the performance of a contract, such as miscellaneous correspondence or telephone records, may be deleted earlier.
- We will keep your personal data for the term you have consented to, the contracted term between us where there is a legitimate interest for us to remain in contact with you, or for the legally required period, whichever is the longest.
- By law we have to keep basic information about any of our users and service providers (including contact, identity, financial and transaction data) for six years after you cease being a user or service provider for tax purposes. For the purposes of contract administration, we will also store all data as long as the contract you have placed through us endures and for the six year limitation period thereafter in case you raise any claims in relation to any products or services you or your employer or other person by whom you have been authorised to use the software services have purchased from us.
- If you have otherwise closed your account through the software services, save for the anonymised data mentioned below, or the basic information mentioned above, we will endeavour to delete all personal data we no longer have grounds to process within 6 months of the date of such deletion.
- In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
- If you would like to cancel your account and initiate deletion of your personal data, you may do so by contacting us at [email protected]. As above, we will retain and use your information as necessary to comply with our legal obligations, resolve disputes, maintain security, and enforce our agreements, but barring legal requirements, the timeframe above will be observed for deletion.
- HOW DO YOU COMMUNICATE WITH USERS?
- We will use your email address to communicate with you, if you've given us the OK, and only for the reasons you’ve permitted. Emails by default are not disclosed with other users, even if you belong to the same organisation. This will not change how we contact you, as we always utilise your primary email address.
- Depending on your email settings, ComplyFirst may occasionally send notification emails about new features, requests for feedback, important policy changes, or offer customer support. We also send marketing emails, including ones featuring new services and products offered by our commercial partners (as noted above), but only with your consent. There's an unsubscribe link located at the bottom of each of the emails we send you.
- Our emails might contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an email and what your IP address is. We use this pixel tag to make our email more effective for you and to make sure we’re not sending you unwanted email. If you prefer not to receive pixel tags, please opt out of marketing emails.
Unless legally necessary (in which case you will be notified by email), any changes we may make to this privacy notice in the future will be posted on this page without further recourse or notice to you. If there are material changes to this policy or in how we use your personal data, we will prominently post such changes prior to implementing the change. We encourage you to periodically review this policy to be informed of how we are collecting and using your information.
We keep this policy under regular review, for example, to reflect changing business circumstances and legal developments.
Although most changes are likely to be minor, it may change and if it does, these changes will be posted on this page and, where appropriate, may be notified to you when you next log on to use the software services. Otherwise, any changes shall be applicable without further notice.
This version one of this policy was last updated on 1st of December 2023 and historic versions can be obtained by contacting us.
- HOW CAN I CONTACT COMPLYFIRST?
This policy shall be governed by and interpreted in accordance with the laws of England and you irrevocably agree that the courts of England shall have non-exclusive jurisdiction to settle any dispute which may arise out of, under, or in connection with this policy. This shall be without prejudice to your rights under relevant legislation, including where you are based in the Republic of Ireland.