- Insights
- Featured Insights
ComplyAdvantage: Privacy Notice
Last updated: 12 June 2026
Privacy
This privacy notice (“Privacy Notice”) describes how ComplyAdvantage collects and processes personal data relating to Users in relation to the products and services we provide. The data we process differs depending on your interactions with us, as detailed more fully below. It also describes certain legal rights you may have, subject to applicable law, and how you can exercise them.
For purposes of this Privacy Notice, “personal data” means information about an identified or identifiable person, such as their name or email address and includes any equivalent term under applicable data protection law.
The expression “User” (and “you”/”your”) in this Privacy Notice shall mean any person accessing the ComplyAdvantage website, using ComplyAdvantage products and services, or about whom we collect and use any information in the course of providing our products and services. Collectively, we describe our products and services, including the ComplyAdvantage website, as our “Services.”
If you are a ComplyAdvantage employee, this Privacy Notice is supplemented by our internal Employee Privacy Notice, which sets out how we handle your personal data in the employment context.
Where we act as a controller of personal data, the following items apply:
Details of the controller and data protection officer: the controller of the personal data we process is IVXS UK Limited (trading as ComplyAdvantage) (referred to as “ComplyAdvantage”/“we”/“us”), having its registered office at 86-90 Paul Street, London EC2A 4NE and which is registered with the UK Information Commissioner’s Office under number ZA054290. Our data protection officer can be contacted by email at [email protected].
Our processing of personal data as a controller is governed by the UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025.
Other data protection laws, including the EU GDPR, may apply to certain of our processing activities, depending on their nature and the circumstances in which they are carried out.
Contacting us
If you wish to exercise your rights under the UK GDPR or have any queries in relation to your rights or general privacy matters, please email [email protected]. Where the EU GDPR applies to our processing under Article 3(2), we have appointed IVXS Technology Romania SRL as our representative in the EU under Article 27, at the following address: IVXS Technology Romania SRL, Attn: Data Protection Officer, 34-36 Somesului Street, Cluj-Napoca, Romania, 400145.
International Data Transfers
We may transfer personal data to countries outside the UK and EEA as part of our group operations and service delivery.
For transfers from the UK: We comply with the UK GDPR requirements, including UK adequacy regulations where available, or appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses. We conduct transfer risk assessments and implement supplementary measures as necessary to ensure adequate protection.
For transfers from the EEA: We rely on European Commission adequacy decisions where available, or appropriate safeguards including the European Commission’s 2021 Standard Contractual Clauses, with additional measures implemented following our transfer impact assessments.
Your rights
You have various rights and choices related to our use of your personal data. You can opt out of receiving our promotional emails at any time by following the instructions included in those emails. Please be aware that it may take up to 10 days for us to process your request, and you may continue receiving promotional communications from us during that period. If you opt out of receiving such communications, please be aware that we may continue to send you non-promotional communications (such as emails related to our business relationship or emails about changes to our legal terms).
As a data subject, whose personal data we process, you have the rights described below under the UK GDPR and Data (Use and Access) Act 2025. These rights may not be absolute and may be limited, for example, if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. We may, if necessary, apply any available exemptions to these requirements.
- The right to be informed – as a data controller, we must tell you what activities we carry out that include the processing of your personal data. This information is provided to you in this Privacy Notice and any other notices or communications that we may send you or make available to you.
- The right of access – as a data subject, you can request copies of your personal data that we process, free of charge, unless the request is excessive or there is a valid exemption. If your request is upheld, we will supply you with copies of the data and inform you of the following:
a. The purpose of the processing activity.
b. The categories of personal data we process.
c. The recipients or categories of recipient to whom your personal data have been or will be disclosed, including any recipients outside the UK.
d. The time that we will continue to process the data for.
e. If we have obtained the personal data from a source other than directly from you.
f. Your right to ask us to rectify, erase or restrict the data, to object to its processing, and to complain to the Information Commissioner’s Office. - The right to rectification – you may ask us to correct inaccurate personal data about you, or to complete data that is incomplete. Much of the information in our database is aggregated from publicly available sources and third parties, which we reproduce rather than originate. We will consider every request and correct inaccurate data in accordance with applicable law. You may also ask us to restrict processing while we review your request.
- The right to erasure – you may ask us to delete your personal data in certain circumstances, for example where it is no longer necessary for the purposes for which we collected it, where you withdraw consent that we rely on, or where you successfully object to our processing. This right is not absolute: we may continue to process your data where we have an overriding lawful basis or are required by law to retain it.
- The right to restrict processing – you can ask us to limit how we use your personal data where: (a) you contest its accuracy – we will restrict processing while we verify it; (b) the processing is unlawful but you ask us to restrict rather than erase it; (c) we no longer need the data but you need us to keep it for the establishment, exercise or defence of legal claims; or (d) you have objected to our processing – we will restrict it while we consider whether our legitimate grounds override yours. Where a restriction is temporary, we will tell you before we lift it.
- The right to data portability – you may request that we transfer your personal data to another controller in a standard, machine-readable format. This right is available where we process your personal data by automated means and on the basis of either your consent or a contract with you.
- The right to object – you have the right to object to us processing your personal data where:
a. the processing is for the purpose of marketing,
b. we process on the basis of our legitimate interests (without exemptions), including any related profiling,
c. processing is for scientific or historic research.
Automated decision-making – we do not carry out automated decision-making that produces legal or similarly significant effects on you. Decisions about whether to onboard, continue or monitor a relationship with a customer using our screening or monitoring output are made by our clients. - The right to withdraw consent – where we rely on your consent to process your personal data, you can withdraw it at any time by contacting [email protected] (or, for marketing emails, by using the unsubscribe link). Withdrawing consent does not affect the lawfulness of any processing carried out before you withdrew it.
- The right to complain – if you are concerned that we are handling your personal data improperly, you have the right to make a complaint to us under the Data (Use and Access) Act 2025.
How to complain: Please email your complaint to: [email protected]
What happens next:- We will acknowledge your complaint within 30 days of receipt
- We will investigate your complaint and keep you informed of progress
- We will communicate the outcome to you without undue delay
Escalation to the regulator: If you are not satisfied with our response, or if we have not responded within a reasonable timeframe, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at https://ico.org.uk/make-a-complaint/ or by calling the ICO helpline.
You may also complain to the ICO without reaching out to us first. In the first instance, we invite you to contact us with any concern, as we would be happy to try to resolve it directly.
In many cases, the most effective way to exercise these rights will be to email our dedicated inbox at [email protected]. We may ask you for a form of identification to ensure your rights are protected. You can opt out at any time from marketing communications by using the unsubscribe link in our emails.
Where applicable, for United States residents, please see our Supplemental Privacy Notice for USA
Information collection and use
The information we collect, and the ways in which we use it, varies in line with the use cases below (click the headings to view the relevant portions of the policy):
- Visitors to ComplyAdvantage.com
- Users of ComplyAdvantage Services
- When you provide us with information by completing forms
- Candidates for jobs with ComplyAdvantage
- Our anti-money laundering, sanctions and adverse media data
- Business contacts
- Users of the chatbot feature on the ComplyAdvantage website
- Information we collect from publicly available sources
- Supplier information
Visitors to ComplyAdvantage.com
When you browse this website
| What we collect | Data on how you use the site
The pages you visit, the means you use to visit (browser version, time zone, operating system, etc.), how long your visits last and how long you spend on each page, the frequency of your visits, and information on how you navigate and interact with the site. Data that identifies you Your IP address, unique identifiers tied to cookies.
|
| What do we do with your data | Site optimisation
Analysing aggregated data to update our site’s content and layout to improve relevance for visitors. |
| Our basis for data processing | Legitimate interests
Using insights from visitor behaviour to improve the way we market our Services and our website. |
| How long do we hold this data for | Data holding periods are determined by cookie expiry times.
|
| Recipients of data | Within ComplyAdvantage
Outside of ComplyAdvantage
|
When you use ComplyAdvantage Services
| What we collect | Data on how you use the Services
The pages you visit, the means you use to visit (browser version, time zone, operating system, etc.), how long your visits last and how long you spend on each page, the frequency of your visits, and information on how you navigate and interact with the Services. Data that identifies you Your IP address, unique identifiers tied to cookies, and the name and contact details used by you to access the Services. |
| What do we do with your data | Site optimisation
Analysing aggregated data to update our site’s content and layout to improve relevance for Users. Service updates and notifications Communicating with you about changes to the Services, availability of the Services, and your organisation’s activity on the Services. Sharing with you content and tutorials about the Services. Security and logging Monitoring and analysing login and session data to detect anomalous and potentially unauthorised use of your account. |
| Our basis for data processing | Legitimate interests
|
| How long do we hold this data for | Identifiable information
|
| Recipients of data | Within ComplyAdvantage
Outside of ComplyAdvantage
|
When you provide us with information by completing forms (including on third party platforms), subscribing for email updates, registering for events hosted by us or when requesting demos.
| What do we do with your data | We use this information to contact you for the purpose specified in the form and in accordance with any marketing preferences you submit to us.
This information is added to and managed through our contact database. A member of our sales team may contact you if we determine through your submission that you may be interested in our Services. We analyse our contact database data to understand, track, and improve how we market and sell our Services. |
| Our basis for data processing | Taking steps at your request prior to entering into a contract
If you request that we contact you to provide more information on our Services to you, we’ll process your data and contact you on this basis. Legitimate interests We will send you our email newsletters being necessary for our legitimate interests to give you information about our Services (unless you have opted-out). We’ll also retain and analyse information gained from our interactions with you as part of understanding, tracking and improving how we market and sell our Services. We retain a record of your marketing preference choices in order to demonstrate our historic compliance with data protection law. Consent We may ask you for your consent to process your personal data, for example to send you marketing communications when you sign up to receive one of our industry reports. You are able to revoke this consent at any time by unsubscribing using the automated unsubscribe button in our emails. |
| How long do we hold the data for | Email newsletters
We’ll keep your details on this list until you unsubscribe, at which point we’ll move your details to an opted-out list to ensure that we don’t send you marketing emails in future. Sales process We retain information relating to our sales interactions with you for up to five years following our determination that we’re not currently an appropriate sales fit. Sales cycles in our market are long, so a prospect we don’t pursue now may become a real opportunity later. This period lets us pick the conversation back up rather than starting cold. General We retain historic information relating to any marketing preference choices that you provided, or other bases for processing that have since lapsed, for six years from the date that the basis for processing lapsed. |
| Recipients of data | Within ComplyAdvantage
Personal data will be available for our sales team, marketing team, client success and other teams as necessary to fulfil the purposes set out above. Outside of ComplyAdvantage Our cloud storage providers, contact database, and marketing providers.
|
Candidates for jobs with ComplyAdvantage
Recruitment information you provide to us
| What do we do with your data | We use your data to:
|
| Our basis for data processing | Taking steps at your request prior to entering into a contract
If you send us your personal data in response to a vacancy advertised by us, we need to process it in order to consider your application. Legitimate interests We want to build the best team we can, and we carry out this processing as part of the hiring process that enables this. Compliance with a legal obligation Where we sponsor a worker for a role you applied for, we retain unsuccessful applicant information as part of the related immigration record-keeping requirements. Diversity monitoring Providing equality information (such as your racial or ethnic origin) is voluntary. Where you do, we process it solely to monitor and promote equality of opportunity and treatment, in aggregated form and not for any decision about you, under the equality of opportunity or treatment condition in Schedule 1 to the Data Protection Act 2018. You can ask us to stop at any time. |
| How long do we hold the data for | General
Your information is stored in our applicant tracking system for up to 24 months after you have been notified your application has been unsuccessful. We may process this data for instance for the purpose of defending any claims against us. Successful candidates’ information becomes subject to our Employee Privacy Notice. Legal record-keeping Where we sponsor a worker for a role you applied for, we’ll retain your personal data until the expiry of the applicable record-keeping requirement under UK immigration rules (currently up to one year following the end of our sponsorship of that worker). |
| Recipients of data | Within ComplyAdvantage
Personal data will be available for the hiring and recruitment teams. Outside of ComplyAdvantage
|
Recruitment-related data we collect
| The data we process |
|
| What do we do with your data | We use your data to:
|
| Our basis for data processing | Legitimate interests
Compliance with a legal obligation Where we sponsor a worker for a role you applied for, we retain unsuccessful applicant information as part of the related immigration record-keeping requirements. |
| How long do we hold the data for | Your information is stored in our applicant tracking system for up to 24 months after you have been notified your application has been unsuccessful. Where we sponsor a worker for a role you applied for, we’ll retain your personal data until the expiry of the applicable record-keeping requirement under UK immigration rules (currently up to one year following the end of our sponsorship of that worker). |
| Recipients of data | Within ComplyAdvantage
Outside of ComplyAdvantage
|
Our anti-money laundering, sanctions and adverse media data
| The data we process | Sanctions, warnings, fitness and probity
Information related to and available on publicly available government lists covering sanctions, the prevention and detection of unlawful acts, and other protective functions. This will generally include a full name, a year or date of birth, nationality, reasons for appearing on the list, and the period covered by the data subject’s appearance on the list, but this depends on the information contained in the list. Politically exposed persons We collect publicly available information relating to individuals in prominent public positions, and their family members, close associates, and business interests. Names, dates or years of birth, position(s) held or connection(s) that we think may give rise to a PEP designation, country of nationality, residence and service, photographs (if available) and the period for which that designation would have been active (e.g. active service dates). Adverse media We collect links to publicly available news articles that our systems determine to name individuals in connection with financial crime, terrorist financing, other relevant unlawful acts, improper conduct, dishonesty, etc. We will also extract information relating to age from these articles to determine approximate years of birth. Corporate registry information We collect data from publicly available corporate registries or from third parties, relating to individuals’ shareholdings and directorships (or such analogous positions).
|
| What do we do with this data | Consolidated profiles
We structure the data collected into profiles consolidating the information outlined above. Sharing with clients Where one of our clients searches for a name on our database, we share with that client any profiles that match the given search parameters. Partners We will also share this data with partners that resell the data to clients seeking AML and sanctions compliance tools. |
| Our basis for data processing | Legitimate interests
Our existing and prospective clients have legitimate interests in gaining access to high-quality and easily manageable data of the type we process in order to optimise compliance with obligations concerning sanctions, anti-money laundering, know-your-client and counter-terrorist financing. We also pursue our own legitimate interests in providing the Services to our clients, developing and improving the Services to serve that market. Where this information includes special category data or personal data relating to criminal convictions and offences, we process it as necessary for reasons of substantial public interest under Schedule 1 to the Data Protection Act 2018, in particular for the prevention, investigation or detection of unlawful acts, dishonesty and financial crime (Article 9(2)(g) UK GDPR for special category data; section 10 of, and Schedule 1 to, the Data Protection Act 2018 read with Article 10 UK GDPR for criminal conviction and offence data). In respect of special category data, we may also rely on such information having been manifestly made public by the data subject (Article 9(2)(e) UK GDPR). Where equivalent or analogous provisions of other applicable data protection laws apply, we rely on the corresponding conditions under those laws. |
| How long do we hold the data for | AML Database
We hold this data for as long as it is necessary to fulfil the purposes for which it was collected. This includes any legal, accounting, or reporting requirements. To determine the appropriate retention period for the personal data, we consider the amount, nature, and sensitivity of that data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes we process that personal data for and whether we can achieve those purposes through other means. Backups Where we remove personal data from this database (for example, where we become aware that the information is not, or is no longer, relevant), it will remain in our backups for 30 days.
|
| Recipients of data |
|
Business contacts
Information we receive from you (e.g. business cards, correspondence during the sales process)
| What do we do with your data | A member of our sales team may contact you if we determine through your submission that you may be interested in our Services.
This information, along with details of our interactions including phone calls and correspondence, is added to, and managed through, our client relationship management tools. We analyse our client relationship management data to understand, track, and improve how we market and sell our Services. We save some correspondence to provide precedents and examples to other members of the team, and add your personal data to our e-signing and billing systems if appropriate. We may make recordings of telephone calls with clients and prospective clients. We may send you questionnaires or forms asking for feedback on our Services, which are used to help improve the Services we provide. |
| Our basis for data processing | Taking steps at your request prior to entering into a contract
If you request that we contact you to provide more information on our Services to you, we’ll process your data and contact you on this basis. Legitimate interests We’ll retain and analyse information gained from our interactions with you as part of understanding, tracking and improving our Services and how we market and sell our Services. We process data in relation to billing and contracting in order to operate the legal and financial elements of our business. We retain records of consent-based and other processing in order to demonstrate our historic compliance with data protection law. |
| How long do we hold the data for | Email newsletters
We’ll keep your details on this list until you unsubscribe, at which point we’ll move your details to an opted-out list to ensure that we don’t send you marketing emails in future. Sales process We retain information relating to our sales interactions with you for up to five years following our determination that we’re not currently an appropriate sales fit. Sales cycles in our market are long, so a prospect we don’t pursue now may become a real opportunity later. This period lets us pick the conversation back up rather than starting cold. General We retain historic information relating to any consent you provided, or other bases for processing that have since lapsed, for six years from the date that the basis for processing lapsed. |
| Recipients of data | Within ComplyAdvantage
Personal data will be available for our marketing and sales personnel, as well as client success and other teams as necessary to fulfil the purposes set out above. Outside of ComplyAdvantage Our cloud storage providers, client relationship management, sales and marketing automation tools, third party providers of online forms, client support/servicing tools, debt collection service providers. |
Users of the chatbot feature on the ComplyAdvantage website
| The data we process | The information you choose to provide:
Your name, contact details, and the contents of your messages. |
| What do we do with your data | Our chat provider stores chat transcripts and makes them available to us so that we can respond to your enquiries and improve our Services. |
| Our basis for data processing | Legitimate interests
|
| How long do we hold the data for | Information collected via live chat is retained for up to three years. This retention period resets if you return to our website and begin a new session, meaning the three-year period runs from your most recent visit. If you do not return within three years, your personal information and chat history will be deleted. You may also request deletion of your chat data at any time. |
| Recipients of data | We use a third-party live-chat provider to supply the chat functionality. |
Information we collect from publicly available sources
| The data we process |
|
| What do we do with your data | We use this data to generate sales leads and to run marketing campaigns.
A member of our sales team may contact you to understand more information about your organisation’s anti-money laundering and sanctions compliance operations, and gauge your organisation’s potential interest in our Services. This information, along with details of our interactions including phone calls and correspondence, is added to, and managed through, our contact database. We analyse our contact database data to understand, track, and improve how we market and sell our Services. |
| Our basis for data processing | Taking steps at your request prior to entering into a contract.
If you subsequently request that we contact you to provide more information on our Services to you, we’ll process your data and contact you on this basis. Legitimate interests
|
| How long do we hold the data for | Sales process
We retain information relating to our sales interactions with you for up to five years following our determination that we’re not currently an appropriate sales fit. Sales cycles in our market are long, so a prospect we don’t pursue now may become a real opportunity later. This period lets us pick the conversation back up rather than starting cold. General We retain historic information relating to any consent you provided, or other bases for processing that have since lapsed, for six years from the date that the basis for processing lapsed. |
| Recipients of data | Within ComplyAdvantage
Personal data will be available for our marketing and sales personnel, as well as client success and other teams as necessary to fulfil the purposes set out above. Outside of ComplyAdvantage Our cloud storage providers, client relationship management, sales and marketing automation tools, and client support/servicing tools. |
Supplier information
| What do we do with your data | We will use publicly available contact information in order to approach you or your employer for services, or to respond to an approach.
We may make recordings of telephone calls with suppliers and prospective suppliers. We may send you questionnaires or forms asking for further information on how you or your employer provide services, which are used to facilitate our supplier management and to comply with our governance obligations. As part of receiving services from you or your employer, we will process personal data concerning employees of the supplier, that are necessary for assessing the suitability of the supplier, or for the purposes of receiving the services. |
| Our basis for data processing | Processing is necessary for the performance of a contract/taking steps prior to entering into a contract.
We’ll process your data as part of considering if we wish to enter into a supplier relationship with you/your employer, and subsequently to facilitate the receipt of services from the supplier, to comply with our ongoing supplier governance processes and processing invoices. Legitimate interests We also rely on our legitimate interests where we process data about our suppliers’ employees, who are not parties to our contract. |
| How long do we hold the data for | We retain information relating to the supply of services for six years from the date that the contract for the provision of the services is terminated. |
| Recipients of data | Within ComplyAdvantage
Personal data will be available for personnel, as necessary to fulfil the purposes set out above. Outside of ComplyAdvantage
|
Business Transfers
In addition to the circumstances described above, we may also share personal data with another company in connection with or during negotiations of any merger, acquisition, financing, re-organisation, bankruptcy, sale of all or a portion of our assets, or transition of services to another provider.
Minors
Our Services are intended for adults, and we do not knowingly collect personal data from children below the age of 16. If you are a parent or legal guardian and think your child has given us personal data without your consent, please contact us at [email protected]
Links to Other Websites and Third-Party Content
We may provide links to third-party websites, services, and applications that are not operated or controlled by ComplyAdvantage. This Privacy Notice does not apply to the privacy practices of those third parties. The fact that we link to a website, service, or application is not an endorsement, authorisation, or representation of our affiliation with that third party. We encourage you to review the privacy policies of any third-party service before providing any personal data to or through them.
Security
ComplyAdvantage uses generally accepted administrative, physical, and technical safeguards we believe are appropriate to protect the confidentiality, integrity and availability of your personal data. Although we make reasonable efforts to protect personal data from loss, misuse, or alteration by third parties, you should be aware that there is always some risk involved in transmitting information over the internet and storing information electronically. ComplyAdvantage cannot and does not guarantee absolute security.
Cookie Policy
For information about our use of cookies and similar technologies (such as HTML Local Storage) please review our Cookie Policy.
Changes to Our Privacy Notice
We may change this Privacy Notice from time to time to reflect changes in our practices or in the law. If we make changes, we will post the updated Privacy Notice on our website and indicate when it was last revised. You are advised to review this Privacy Notice periodically, to stay informed of our practices. If we make material changes, we may provide you with additional notice, such as posting a statement on our homepage or sending you an email notification, if we have your email address on file. We encourage you to review the updated Privacy Notice whenever we make changes.
If you have any queries, complaints, or would like to request a data subject right, please contact our DPO at [email protected].