Privacy Policy
Thank you for trusting Complyfirst Limited (we, us or Complyfirst) to be responsible for your personal data. We respect your privacy and are committed to protecting your personal data.
This privacy policy (policy) applies to all processing of personal data undertaken by Complyfirst (other than processing of personal information in the context of recruitment and employment, which is dealt with under separate internal policies) including when you interact with us as one of our suppliers or customers (or as an employee or representative of same), when you visit our premises, or visit or use our website (regardless of where you visit it from) https://www.complyfirst.co/ (our website) and the software services available through it and the Complyfirst application (the software services).
Any data that we collect through our website or generally when providing you with our other services shall be known as the Customer Data, and any data collected specifically through the software services known as the Complyfirst Data.
The software services prioritise your security and privacy by implementing privacy by design and data minimisation principles. We are conscious of the sensitivity of personal data, particularly within the financial sector. As such, we aim to collect as little personal data from our users as possible (and the only personal data we collect by default through the software services are names and email addresses of users, as well as date and place of birth of shareholders or other mandatory details required for regulatory reporting which you upload via the software services).
This policy also informs you about your privacy rights and how the law protects you. It does not cover any third party website you have used to access our websites or software services, any third party websites that you access from them, or any interactions between users which have not been conducted via our website or software services.
It is important that you read this policy so that you are fully aware of how and why we are using your data.
- WHO WE ARE
- Contact Details
- Full name of legal entity:Complyfirst Limited, a company incorporated in the Republic of Ireland under registered company number 725307.
- Email address:hello@complyfirst.co
- Postal address: 12 Lower Hatch Street, Dublin 2, Dublin, D02 R682, Ireland
- Under the UK General Data Protection Regulation or the EU General Data Protection Regulation (collectively GDPR) and other relevant data protection legislation, including the UK Data Protection Act 2018 and the Irish the Data Protection Acts 1988 to 2018, we act as both a controller (i.e., where we make decisions) in relation to your personal data that we collect, as well as a processor (i.e. process data broadly in accordance with your instructions).
- When we act as a Processor: When our users you use the software services to process other peoples' personal data, or make decisions regarding their own personal data, we act as a processor. Under these circumstances, you may, as a user, act as a controller or processor yourself, and we will act as either a processor or a sub-processor. Any Complyfirst Data is processed by us strictly as a processor.
- When we act as a Controller: By contrast, when we collect personal data and determine the purposes and means of processing that personal data – for example, when we store account information for account registration, administration, services access, or contact information as explained below – we act as a controller. This policy is intended to tell you more about the ways in which we process your personal data as a controller.
- Third-Party Links
- Our websites and software services may include links or connections to third-party websites, plug-ins or applications (including various social services as a user, you may be asked to provide information about yourself, including your full name and email address, alongside other non-personal details.
- You may also, on behalf of your organisation, provide details such as the date and place of birth of shareholders or other mandatory details required for regulatory reporting, uploaded via the software services
- There are parts of our software services that may offer users the opportunity to upload text into free form fields or provide the option to bulk upload redacted data if there is a need to provide further evidence in relation to, for example, a customer complaint.
- In such case, you would be the controller of such data and you would be responsible for redacting the uploaded documents adequately (as to remove any personal data). Where you do share personal data relating to third parties via the software services, you must ensure you have a lawful basis to do so.
- PERSONAL DATA WE COLLECT
- Financial Details: We currently only accept payment by bank transfer, and so will only collect your organisation's bank account details where you are a supplier (to make payments), or where we need to refund any money to you (as a customer). All details will be held securely.
- Verbal Information: If you provide verbal personal information that you give us consent to use you will have such consent confirmed back to you in writing.
- Marketing Strategy: If in future you will be able to communicate your preferences in receiving marketing from us and our third parties and your communication preferences (including details you provide when you opt-in to receive marketing communications from us) will constitute information you supply to us.
- IF YOU FAIL TO PROVIDE PERSONAL DATA
- Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our software services). In this case, we may not be able to provide those services.
- Telephone Recordings: We may in future record telephone conversations may be recorded for training or monitoring purposes, but you will be notified of that at the time.
- DATA WE RECEIVE FROM THIRD-PARTIES
- Device Data: analytics providers such as Google or Hubspot; and search information providers such as Google.
- Social Media:Complyfirst may use social media, which will provide us with publicly available information through social media sites, such as Facebook, Instagram, LinkedIn, Twitter, and Google, including where you engage with us through social media sites.
- Publicly Available Information: we may collect personal information about you from other publicly available sources. This can include your name, address and other publicly available information. As far as possible, we ensure that where any third-parties are involved in suppling such information, that they are compliant to do so. This may include credit reference agencies such as Experian, public registers such as the UK Companies House registry, the Financial Services Register, the Irish Companies Registration Office or the relevant electoral registers.
- KEEPING YOUR PERSONAL DATA UP TO DATE
- It is important that the data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
- WHAT INFORMATION IS NOT COLLECTED?
- We do not intentionally collect sensitive personal data or special category data (including details about your race or ethnicity, religious or philosophical beliefs, medical information, sex life, sexual orientation, political opinions, trade union membership, genetic and biometric data, social security numbers). Nor do we collect any information about criminal convictions and offences.
- We require all of our customers to agree to procure that those using the software services do not use them to process such data, but do not actively monitor content uploaded or processed using the software services and are not responsible for enforcing those terms.
- If you are reviewing this policy because you believe your data has been used in violation of those terms, please contact us.
- If you're a child under the age of 18 (or are otherwise younger than the legal age limit required in the country in which you reside), you may not have an account on Complyfirst. Complyfirst does not knowingly collect information from or direct any of our content specifically to children we rely upon to process third-party data our users upload when using the software services.
- HOW WE USE YOUR PERSONAL DATA
- We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
- Generally, we do not rely on consent as a legal basis for processing your personal data other than as set out below in relation to marketing. We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.
- Our Standard Business Operations:
- To provide the software services that we contract to provide to you or others;
- To provide you with information that you request from us;
- To confirm your identity as a natural living person; and
- As part of our billing, payments and recovery processes.
- For example, we may use contact information to notify you of any issues which might impact the provision of the software services to you, confirm your bookings placed via the software services, respond to requests that you make, or notify you of changes to your account or the software services.
- Marketing
- We may in future maintain contact lists (with email addresses and other information) to allow us to communicate with individuals who do business with us or who have expressed an interest in our software services.
- We may use your identity, contact, technical, usage and profile data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
- If you subscribe for these features, we may contact you for marketing purposes, both to inform you of any updates or news in relation to us or the software services or to otherwise inform you of information related to our business or your account with us (direct marketing relating to Complyfirst), or, if you have opted in to this feature, we may also send third party direct marketing communications to you via email, or other mediums.
- You will be able to ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
- Legal Requirements
- We will keep and use your data in terms of any legal or regulatory requirements that we have and can use your data to protect our legal position, if legal action is required, including the recovery of any outstanding debts.
- By way of further example, we will share your personal data with the relevant agencies and without notice, where we are requested to or suspect fraudulent activities, money laundering, terrorist related activities or other illegal behaviours.
- Enhancing the software services
- We may use personal data (other than that comprised in private Customer Data) for the purposes of providing or enhancing our Services and products.
- Website Administration and Customisation
- We may use the information we collect about you for a variety of website administration and customisation purposes. For example, we use your information to process your registration request, provide you with services and communications that you have requested, send you email updates and other communications, customise features and advertising that appear on our websites, deliver our websites content to you, measure Website traffic, measure user interests and traffic patterns, and improve our websites and the software services and features offered via our websites.
- Aggregated or Non-Identifying Information
- Non-identifying information includes information collected from or about you that does not personally identify you. Aggregated information is similar, but includes bulk data about, for example aggregate volumes of complaints.
- Insofar as aggregated or non-identifying information forms part of the Complyfirst Data, Complyfirst will not use such information for any purpose, and it is treated as strictly confidential in accordance with our customer terms (i.e. your or your organisation's name or identity will never be associated with the data), but we do reserve a right to use aggregated or anonymised data (for example, in respect of aggregate or average complaint levels or reports of fraud, for the purposes of benchmarking customers).
- We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- WHAT INFORMATION IS SHARED?
- We do not disclose personal data outside Complyfirst, except in the situations listed in this section or in the section below on Compelled Disclosure, but may have to share your personal data with the categories of processors or controllers set out below for the purposes set out above or otherwise below:
- any member of our group, which means our subsidiaries, our ultimate holding company, FDJ Ecommerce Ltd t/a Complyfirst, a company incorporated in England under registered company number 725307 and its subsidiaries, as defined in section 1159 of the Companies Act 2006;
- with HM Revenue & Customs, the Irish Revenue Commissioners, the FCA, and other authorities and regulators acting as processors of this policy and our Customer Terms https://complyfirst.co/terms-and-conditions;
- with the FCA or other financial regulatory authorities, where you elect to permit such disclosures as part of your use of the software services, or where we are subject to a Compelled Disclosure;
- with professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services, where they have a strict need to know same for any of the purposes set out above;
- with specific selected third parties, determined by us, where they have a strict need to know same, if you breach any agreement with us, so as to enforce our rights against you, including credit-reference agencies, debt-collection firms or service providers, solicitors or barristers and law enforcement agencies (if applicable);
- with other service providers acting as processors based in the European Union or United Kingdom who provide IT and system administration services, including for the performance of our contract with you, as set out below: When we transfer your data to our service providers, we remain responsible for it:
- with email marketing services to send marketing emails where you have opted in to receiving them. You will be able to unsubscribe directly from any mailing list using the unsubscribe links provided within emails;
- with analytical service providers, such as Google Analytics or Hubspot Analytics, in order to analyse our website traffic or usage of our software services to improve products and services;
- with external software development agencies, based in the UK or EU, in order toassist us in the provision of our software services;
- with processors offering software tools, or EU or UK based external servers (including externally provided original and backup servers), that are used to store personal data provided by you on our behalf (our current servers are maintained by Amazon Web Services, whose privacy policies are available at https://aws.amazon.com/privacy/. By default, and unless we have agreed otherwise in writing with the location of these servers will be within the EU; and
- with providers of cloud-based customer relationship management tools, who may data with your permission, so we can perform services you have requested.
- HOW IS MY INFORMATION SECURED?
- Complyfirst takes all measures reasonably necessary to protect personal data from unauthorised access, alteration, or destruction, maintain data accuracy and help ensure the appropriate use of personal data. We follow reasonable industry standards to protect the personal data we hold, both during transmission and once we receive it.
- In addition, we limit access to any personal data to those employees, agents, contractors, service providers and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to duties of confidentiality.
- We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
- No method of transmission, or method of electronic storage, is 100% secure. Although we will do our best to protect your personal data, we cannot guarantee its absolute security. Any transmission is at your own risk.
- HOW IS INFORMATION COLLECTED AND STORED GLOBALLY?
- Information that we collect will be stored and processed in the United Kingdom and European Union in accordance with this policy. Where required by law to facilitate such processing, we will ensure that they sign data transfer agreements such as EU standard contractual clause agreements or the UK international data transfer agreement.
- In particular:
- we provide clear methods of unambiguous, informed consent at the time of data collection, when we do collect your personal data and if applicable. Where consent is not the applicable ground for processing, we will ensure that it has an appropriate ground for processing any personal data (including but not limited to contractual obligation or legitimate interest);
- we collect only the minimum amount of personal data necessary, unless you choose to provide more. We encourage you to only give us the amount of data you are comfortable sharing;
- we offer you simple methods of accessing, correcting, or deleting the data we have collected; and
- we provide our users notice, choice, accountability, security on issues (www.ico.org.uk), the Irish Data Protection Commission, the ROI supervisory authority for data protection issues (https://www.dataprotection.ie/) or other competent supervisory authority of an EU member state if the software services are accessed outside the UK or Ireland.
- We would appreciate the chance to deal with your concerns before you approach such bodies so would ask that you please contact us in the first instance.
- HOW DO YOU RESPOND TO COMPELLED DISCLOSURE REQUIREMENTS?
- Complyfirst may disclose personal data or other information we collect about you to law enforcement in response to a valid subpoena, court order, warrant, or similar governmental order.
- In complying with court orders and similar legal processes, Complyfirst strives for transparency. When permitted, we will make a reasonable effort to notify users of any disclosure of their information, unless we are prohibited by law or court order from doing so, or in rare, exigent circumstances.
- HOW CAN I ACCESS MY OWN PERSONAL INFORMATION?
- If you're already a user, you may access, update, alter, or delete your basic user profile information by editing your user profile or contacting us.
- Under certain circumstances, where you are a citizen of the European Union or UK, you have rights under data protection laws in relation to your personal data under GDPR.
- You have the right to:
- Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a (transferable) copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- In relation to profiling you have the right not to be subject to solely automated decisions and where we make such automated decisions, you have a right to have a person review the decision.
- Withdraw consent at any time (or object to processing) where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
- If you wish to exercise any of the rights set out above, please contact us.
- You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
- Where you exercise one of your rights, we may need to request specific information from you to help us confirm your identity and ensure your right to exercise such rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
- We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
- DATA RETENTION AND DELETION
- Personal Data Generally
- We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
- To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data or the purposes of contract administration, we will also store all data as long as the contract you have placed through us endures and for the six year limitation period thereafter in case you raise any claims in relation to any products or services you or your employer or other person by whom you have been authorised to use the software services have purchased from us.
- If you have otherwise closed your account through the software services, save for the anonymised data mentioned below, or the basic information mentioned above, we will endeavour to delete all personal data we no longer have grounds to process within 6 months of the date of such deletion.
- In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
- If you would like to cancel your account and initiate deletion of your personal data, you may do so by contacting us at hello@complyfirst.co. As above, we will retain and use your information as necessary to comply with our legal obligations, resolve disputes, maintain security, and enforce our agreements, but barring legal requirements, the timeframe above will be observed for deletion.
- Personal Data Generally
- HOW DO YOU COMMUNICATE WITH USERS?
- We will use your email address to communicate with you, if you've given us the OK, and only for the reasons you'vepermitted. Emails by default are not disclosed with other users, even if you belong to the same organisation. This will not change how we contact you, as we always utilise your primary email address.
- Depending on your email settings, Complyfirst may occasionally send notification emails about new features, requests for feedback, important policy changes, or offer customer support. We also send marketing emails, including ones featuring new services and products offered by our commercial partners (as noted above), but only with your consent. There's an unsubscribe link located at the bottom of each of the emails we send you.
- Our emails might contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an email and what your IP address is. We use this pixel tag to make our email instances and legal developments.
- CHANGES TO THIS POLICY
- Although most changes are likely to be minor, it may change and if it does, these changes will be posted on this page and, where appropriate, may be notified to you when you next log on to use the software services. Otherwise, any changes shall be applicable without further notice.
- This version one of this policy was last updated on 1st of December 2023 and historic versions can be obtained by contacting us.
- HOW CAN I CONTACT COMPLYFIRST?
- Questions regarding our Privacy Policy or information practices should be directed to us via one of the contact methods that we have provided in this policy.
- LEGAL
- This policy shall be governed by and interpreted in accordance with the laws of England and you irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any disputes which may arise out of or in connection with this policy.