
ComplyAdvantage: Privacy Notice

Last updated: 07 June 2023

Privacy

This privacy notice (“Privacy Notice”) describes how ComplyAdvantage collects and processes personal data relating to Users in relation to the services we provide. The data we process differs depending on your interactions with us, as detailed more fully below. It also describes certain legal rights you may have, subject to applicable law, and how you can exercise them. 

For purposes of this Privacy Notice, “personal data” means information about an identified or identifiable person, such as their name or email address and includes any equivalent term under applicable data protection law. The personal data we process differs depending on your interactions with us, as detailed more fully below.

The expression “User” (and “you”/“your”) in this Privacy Notice shall mean any person accessing the ComplyAdvantage website, using ComplyAdvantage products and services, or about whom we collect and use any information in the course of providing our products and services. Collectively, we describe our products and services, including the ComplyAdvantage website, as our “Services.”

Where we act as a controller of personal data, the following items apply:

Details of the controller and data protection officer: the controller of the personal data we process is IVXS UK Limited (trading as ComplyAdvantage) (referred to as “ComplyAdvantage”/“we”/“us”), having its registered office at 86-90 Paul Street, London EC2A 4NE and which is registered with the UK Information Commissioner’s Office under number ZA054290. Our data protection officer can be contacted by email at [email protected].

We have appointed IVXS Technology Romania SRL to act as our representative in the EU. If you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or have any queries in relation to your rights or general privacy matters, please email [email protected] in the first instance.
You can also contact our EU Representative at the following address:

IVXS Technology Romania SRL

Attn: Data Protection Officer

34-36 Somesului Street
Cluj-Napoca
Romania
400145

Transfers outside of the EEA: As part of our group operations and to help us manage the personal data that we process, we transfer personal data of Users outside of the EEA subject to appropriate safeguards including European Commission adequacy decisions and model clauses approved by the European Commission on the basis of Art. 46(2)(c) EU GDPR.

 

By using any of ComplyAdvantage’s Services, you confirm that you have agreed to the relevant Terms of Service applicable to your use, to the extent permitted by law, and have read and understood this Privacy Notice.

Your rights

You have various rights and choices related to our use of your personal data.
You can opt out of receiving our promotional emails at any time by following the instructions included in those emails. Please be aware that it may take up to 10 days for us to process your request, and you may continue receiving promotional communications from us during that period. If you opt out of receiving such communications, please be aware that we may continue to send you non-promotional communications (such as emails related to our business relationship or emails about changes to our legal terms).

As a data subject whose personal data we process, you have 7 potential rights under the privacy laws under which we operate. These rights are not absolute and may be limited, for example, if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. We may, if necessary, apply any available exemptions to these requirements.

  1. The Right to be Informed – As a data controller, we must tell you what activities we carry out that include the processing of your personal data. This information is provided to you in this privacy notice and any other notices or communications that we may send you or make available to you.
  2. The Right of Access – As a data subject, you can request copies of your personal data that we process, free of charge, unless the request is excessive or there is a valid exemption. If your request is upheld, we will supply you with copies of the data and inform you of the following:
    a. The purpose of the processing activity.
    b. The categories of personal data we process.
    c. To whom we have disclosed personal data.
    d. The time that we will continue to process the data for.
    e. If we have obtained the personal data from sources other than directly from you.
  3. The Right to Rectification – You may request that we correct or complete data that you believe is inaccurate or incomplete about you. You may request this right alongside the right to restrict processing. This right will be upheld by us if we are the original source of the data and it does not reflect a representation that was believed to be accurate at the time of the original data creation, e.g. media data. Our services provide our clients with an aggregation of data sets that have been made freely available and, as we are not the original creators of the data, you may need to raise your request with the data controller.
  4. The Right to Erasure – We may have an overriding legal basis or legitimate reason to continue to process your personal data; however, where we do not have a valid lawful basis, you may request erasure of your personal data that we process.
  5. The Right to Restrict Processing – You have the right to request that we stop processing your data any further. This right may be exercised where you contest the accuracy of the data, where you claim that it is unlawful for us to process it, where we no longer require the data other than for legal purposes, or where there is a pending decision on a right to object.
  6. The Right to Data Portability – You may request that we transfer your personal data to another controller or processor in a standard, machine-readable format. This right is available if we process the personal data under the lawful basis of consent, we use automated means to process the data and the data is processed to fulfil a contractual obligation with you.
  7. The Right to Object – You have the right to object to us processing your personal data if we are processing it under the following circumstances:
    a. The processing involves automatic decision making and profiling
    b. The processing is for the purpose of marketing
    c. We process using the lawful basis of legitimate interest (without exemptions)
    d. Processing is for scientific or historic research.

In many cases, the most effective way to exercise these rights will be to email our dedicated inbox at [email protected]. We may ask you for two valid forms of identification to ensure your rights are protected.

For California residents, please see our Supplemental Privacy Notice for California.

If you are concerned that we are handling your personal data improperly, you also have the right to make a complaint to our data protection regulator, the UK Information Commissioner’s Office: https://ico.org.uk/global/contact-us/. However, we invite you to contact us with any concern, as we would be happy to try to resolve it directly.

 

Information collection and use

The information we collect, and the ways in which we use it, varies in line with the use cases below:

  • Visitors to ComplyAdvantage.com
  • When you provide us with information by completing forms
  • Candidates for jobs with ComplyAdvantage
  • Our anti-money laundering, sanctions and adverse media data
  • Business contacts
  • Information we collect from publicly available sources

Visitors to ComplyAdvantage.com

When you browse this website

What we collect

Data on how you use the site

The pages you visit, the means you use to visit (browser version, time zone, operating system, etc.), how long your visit and pageviews last, the frequency of your visits, and information on how you navigate the site.

Data that identifies you

Your IP address, unique identifiers tied to cookies.

 

What do we do with your data

Site optimisation

Analysing aggregated data to update our site’s content and layout to improve relevance for visitors.

 

Our basis for data processing

Legitimate interests

Using insights from visitor behaviour to improve the way we market our services.

 

How long do we hold this data for

Data holding periods are determined by cookie expiry times.

 

Recipients of data

Within ComplyAdvantage group companies

  • Personal data will be available for our global marketing teams, and other ComplyAdvantage personnel who have a need to access this data for the purposes set out above.

Outside of ComplyAdvantage

  • CRM and marketing automation providers
  • Website analytics vendors

 

When you provide us with information by completing forms (including on third party platforms), subscribing for email updates, registering for events hosted by us or when requesting demos.

What do we do with your data

We use this information to contact you for the purpose specified in the form and in accordance with any marketing preferences you submit to us.

This information is added to and managed through our contact database. A member of our sales team may contact you if we determine through your submission that you may be interested in our services. We analyse our contact database data to understand, track, and improve how we market and sell our services.

Our basis for data processing

Taking steps at your request prior to entering into a contract

If you request that we contact you to provide more information on our services to you, we’ll process your data and contact you on this basis.

Legitimate interests

We will send you our email newsletters, this being necessary for our legitimate interests in giving you information about our products and services (unless you have opted out). We’ll also retain and analyse information gained from our interactions with you as part of understanding, tracking and improving how we market and sell our service.

We retain a record of your marketing preference choices in order to demonstrate our historic compliance with data protection law.

Consent:

We may ask you for your consent to process your personal data, for example to send you marketing communications when you sign up to receive one of our industry reports. You are able to revoke this consent at any time by unsubscribing using the automated unsubscribe button in our emails, or by emailing [email protected].

How long do we hold the data for

Email newsletters

We’ll keep your details on this list until you unsubscribe, at which point we’ll move your details to an opted-out list to ensure that we don’t send you marketing emails from other sources in future.

Sales process

We retain information relating to our sales interactions with you for up to five years following our determination that we’re not an appropriate sales fit. We use this period as service contracts in our industry often last for 5 years, so a new opportunity may arise during the retention period.

General

We retain historic information relating to any marketing preference choices that you provided, or other bases for processing that have since lapsed, for six years from the date that the basis for processing lapsed.

 

Recipients of data

Within ComplyAdvantage

Personal data will be available for our marketing and sales personnel, as well as customer success and other teams as necessary to fulfil the purposes set out above.

Outside of ComplyAdvantage

Our cloud storage providers, customer database, and marketing providers.

 

Job candidates

Recruitment information you provide to us

What do we do with your data

We use your data to:

  • contact you in relation to your candidacy
  • assess suitability for future vacancies
  • assess your suitability for the vacancy you applied for
  • monitor the impact of our diversity and inclusion programme and to make improvements

Our basis for data processing

Taking steps at your request prior to entering into a contract:

If you send us your personal data in response to a vacancy advertised by us, we need to process it in order to consider your application.

Legitimate interests:

We want to build the best team we can, and we carry out this processing as part of the hiring process that enables this.

Compliance with a legal obligation

For roles where we conduct a resident labour market test to enable us to apply for visas, and subsequently hire someone who needs a visa on this basis, we retain unsuccessful applicant information as part of the related record-keeping requirements.

Consent:

Where you have voluntarily provided information, this is on a consent basis, and may be revoked (e.g. information relating to your race or ethnicity).

 

How long do we hold the data for

General

Your information is stored in our applicant tracking system for up to 24 months after you have been notified your application has been unsuccessful. Successful candidates’ information becomes subject to our employee privacy policy.

Legal record-keeping

If we hire someone subject to a resident labour market test for a role you applied for, we’ll retain your personal data until the expiry of the applicable record-keeping requirement (currently one year following the end of our sponsorship of the visa in question).

 

Recipients of data

Within ComplyAdvantage

Personal data will be available for the hiring and recruitment teams.

Outside of ComplyAdvantage

  • Our applicant tracking system
  • Providers of any aptitude testing systems used as part of the hiring process
  • Third party background check providers
  • Recruitment agencies

 

Recruitment-related data we collect

The data we process
  • Publicly available information relevant to your potential suitability to work with ComplyAdvantage
  • Any information provided by someone else about you to us.
  • Feedback from interviews and assessments.

 

What do we do with your data

We use your data to:

  • contact you in relation to current vacancies
  • assess your suitability for vacancies

 

Our basis for data processing

Legitimate interests

  • Assessing the current labour market and your suitability for available roles.
  • To hold as a reference point should you make any further applications within the retention period.

Compliance with a legal obligation

If you are actively involved in our recruitment process for roles where we conduct a resident labour market test and subsequently hire someone who requires a sponsored visa, we retain unsuccessful applicant information as part of the related record-keeping requirements.

How long do we hold the data for

Your information is stored in our applicant tracking system for up to 24 months after you have been notified your application has been unsuccessful, or subject to our legal record-keeping requirements if needed for our compliance with immigration law.

Recipients of data

Within ComplyAdvantage

  • Personal data will be available for the hiring team and our recruitment personnel.

Outside of ComplyAdvantage

  • Our applicant tracking system
  • Providers of any aptitude testing systems used as part of the hiring process
  • Our cloud file storage systems
  • External recruiters with whom you dealt as part of the recruitment process
  • Government and legal service providers involved in the visa application process
  • Third party background check providers.

 

Our anti-money laundering, sanctions and adverse media data

The data we process

Sanctions, warnings, fitness & probity

Information related to and available on publicly available government lists covering sanctions, the prevention and detection of unlawful acts, and other protective functions. This will generally include a full name, a year or date of birth, nationality, reasons for appearing on the list, and the period covered by the data subject’s appearance on the list, but this depends on the information contained in the list.

Politically exposed persons

We collect publicly available information relating to individuals in prominent public positions, and their family members, close associates, and business interests. Names, dates or years of birth, position(s) held or connection(s) that we think may give rise to a PEP designation, country of nationality, residence and service, photographs (if available) and the period for which that designation would have been active (e.g. active service dates).

Adverse media

We collect links to publicly available news articles that our systems determine to name individuals in connection with financial crime, terrorist financing, other relevant unlawful acts, improper conduct, dishonesty, etc. We will also extract information relating to age from these articles to determine approximate years of birth.

Corporate registry information

We collect data from publicly available corporate registries or from third parties, relating to individuals’ shareholdings and directorships (or such analogous positions).

 

What do we do with this data

Consolidated profiles:

We structure the data collected into profiles consolidating the information outlined above.

Sharing with clients:

Where one of our clients searches for a name on our database, we share with that customer any profiles that match the given search parameters.

Partners: 

We will also share this data with partners that resell the data to clients seeking AML and sanctions compliance tools.

 

Our basis for data processing

Legitimate interests

Our existing and prospective clients have legitimate interests in gaining access to high-quality and easily manageable data of the type we process in order to optimize compliance with obligations concerning sanctions, anti-money laundering, know-your-client and counter-terrorist financing. We also pursue our own legitimate interests in providing the products and services to our clients, developing and improving products and services to serve this market.

 

How long do we hold the data for

AML Database:

We hold this data for as long as it is necessary to fulfil the purposes for which it was collected. This includes any legal, accounting, or reporting requirements. To determine the appropriate retention period for the personal data, we consider the amount, nature, and sensitivity of that data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes we process that personal data for and whether we can achieve those purposes through other means.

Backups

Where we remove personal data from this database (for example, where we become aware that the information is not, or is no longer, relevant), it will remain in our backups for 30 days.

 

Recipients of data
  • Other data controllers on whose behalf we act as processors, who search for information matching given profiles
  • Partners who are reselling our services to data controllers, on whose behalf we act as subprocessors
  • ComplyAdvantage group employees
  • Our hosting and cloud storage providers
  • Vendors we use to monitor the accuracy and performance of the data

 

Business contacts

Information we receive from you (e.g. business cards, correspondence during the sales process)

What do we do with your data

A member of our sales team may contact you if we determine through your submission that you may be interested in our products and services.

This information – along with details of our interactions including phone calls and correspondence – is added to, and managed through, our CRM. We analyse our CRM data to understand, track, and improve how we market and sell our services. We save some correspondence to provide precedents and examples to other members of the team, and add your personal data to our e-signing and billing systems if appropriate.

We may make recordings of telephone calls with clients and prospective clients.

We may send you questionnaires or forms asking for feedback on our services, which are used to help improve the services we provide.

Our basis for data processing

Taking steps at your request prior to entering into a contract:

If you request that we contact you to provide more information on our services to you, we’ll process your data and contact you on this basis.

Legitimate interests

We’ll retain and analyse information gained from our interactions with you as part of understanding, tracking and improving our services and how we market and sell our services.

We process data in relation to billing and contracting in order to operate the legal and financial elements of our business.

We retain records of consent-based and other processing in order to demonstrate our historic compliance with data protection law.

 

How long do we hold the data for

Email newsletters:

We’ll keep your details on this list until you unsubscribe, at which point we’ll move your details to an opted-out list to ensure that we don’t send you marketing emails from other sources in future.

Sales process

We retain information relating to our sales interactions with you for up to five years following our determination that we’re not an appropriate sales fit. We use this period as service contracts in our industry often last for 3-5 years, so a new opportunity may arise during the retention period.

General

We retain historic information relating to any consent you provided, or other bases for processing that have since lapsed, for six years from the date that the basis for processing lapsed.

 

Recipients of data

Within ComplyAdvantage

Personal data will be available for our marketing and sales personnel, as well as customer success and other teams as necessary to fulfil the purposes set out above.

Outside of ComplyAdvantage

Our cloud storage providers, CRM, sales and marketing automation tools, third party providers of online forms, customer support/servicing tools, debt collection service providers.

 

Information we collect from publicly available sources

The data we process
  • Name, contact details, professional activity
  • Publicly available information relevant to your position in your organisation, and industry events you’re attending
  • Bought-in data from third party providers (containing the above-mentioned data).

 

What do we do with your data

We use this data to generate sales leads and to run marketing campaigns.

A member of our sales team may contact you to understand more information about your organisation’s anti-money laundering and sanctions compliance operations, and gauge your organisation’s potential interest in our services.

This information – along with details of our interactions including phone calls and correspondence – is added to, and managed through, our contact database. We analyse our contact database data to understand, track, and improve how we market and sell our services.

 

Our basis for data processing

Taking steps at your request prior to entering into a contract:

If you subsequently request that we contact you to provide more information on our services to you, we’ll process your data and contact you on this basis.

Legitimate interests:

  • Identifying stakeholders in organisations with requirements for software similar to that provided by ComplyAdvantage
  • To hold as a reference point should you make any further applications within the retention period.
  • We’ll retain and analyse information gained from our interactions with you as part of understanding, tracking and improving how we market and sell our services.

 

How long do we hold the data for

Sales process

We retain information relating to our sales interactions with you for up to five years following our determination that we’re not an appropriate sales fit. We use this period as service contracts in our industry often last for 3-5 years, so a new opportunity may arise during the retention period.

General

We retain historic information relating to any consent you provided, or other bases for processing that have since lapsed, for six years from the date that the basis for processing lapsed.

 

Recipients of data

Within ComplyAdvantage:

Personal data will be available for our marketing and sales personnel, as well as customer success and other teams as necessary to fulfil the purposes set out above.

Outside of ComplyAdvantage:

Our cloud storage providers, CRM, sales and marketing automation tools, and customer support/servicing tools.

 

 

Supplier information

What do we do with your data

We will use publicly available contact information in order to approach you or your employer for services, or to respond to an approach.

We may make recordings of telephone calls with suppliers and prospective suppliers.

We may send you questionnaires or forms asking for further information on how you or your employer provide services, which are used to facilitate our supplier management and to comply with our governance obligations.

As part of receiving services from you or your employer, we will process personal data concerning employees of the supplier that is necessary for assessing the suitability of the supplier, or for the purposes of receiving the services.

Our basis for data processing

Processing is necessary for the performance of a contract/taking steps prior to entering into a contract:

We’ll process your data as part of considering if we wish to enter into a supplier relationship with you/your employer, and subsequently to facilitate the receipt of services from the supplier, to comply with our ongoing supplier governance processes and processing invoices.

 

How long do we hold the data for

We retain information relating to the supply of services for six years from the date that the contract for the provision of the services is terminated.

 

Recipients of data

Within ComplyAdvantage:

Personal data will be available for personnel, as necessary to fulfil the purposes set out above.

Outside of ComplyAdvantage:

• our cloud storage providers,
• CRM,
• finance tools (for example to generate Purchase Orders),
• third party providers of online forms,
• ticketing systems, and
• file and office management tools.

 

 

Business Transfers

In addition to the circumstances described above, we may also share personal data with another company in connection with or during negotiations of any merger, acquisition, financing, re-organization, bankruptcy, sale of all or a portion of our assets, or transition of services to another provider.

Your personal data may be processed outside of the UK. We will only transfer your data if there is a legal mechanism in place to ensure that your data is safeguarded.

Minors

Our Services are intended for adults, and we do not knowingly collect personal data from children below the age of 16. If you are a parent or legal guardian and think your child has given us personal data without your consent, please contact us at [email protected].

Links to Other Websites and Third-Party Content

We may provide links to third-party websites, services, and applications that are not operated or controlled by ComplyAdvantage. This Privacy Notice does not apply to the privacy practices of those third parties. The fact that we link to a website, service, or application is not an endorsement, authorisation, or representation of our affiliation with that third party. We encourage you to review the privacy policies of any third-party service before providing any personal data to or through them.

Security

ComplyAdvantage uses generally accepted administrative, physical, and technical safeguards we believe are appropriate to protect the confidentiality, integrity and availability of your personal data. Although we make reasonable efforts to protect personal data from loss, misuse, or alteration by third parties, you should be aware that there is always some risk involved in transmitting information over the internet and storing information electronically. ComplyAdvantage cannot and does not guarantee absolute security.

Changes to Our Privacy Notice

We may change this Privacy Notice from time to time to reflect changes in our practices or in the law. If we make changes, we will post the updated Privacy Notice on our website and indicate when it was last revised. You are advised to review this Privacy Notice periodically, to stay informed of our practices. If we make material changes, we may provide you with additional notice, such as posting a statement on our homepage or sending you an email notification, if we have your email address on file. Your continued use of the Services after the revised Privacy Notice has become effective indicates that you have read, understood, and agreed to the current version of this Privacy Notice, to the extent permitted by law.

If you have any queries or complaints, or would like to request a data subject right, please contact our DPO at [email protected].