1. Who we are
DDcheck provides know-your-business (KYB) and anti-money-laundering (AML) screening software. For the purposes of UK data-protection law — the UK GDPR and the Data Protection Act 2018 — DDcheck is the data controller for the processing described in this policy, except where we act as a processor on a customer's behalf (see section 3). Where we serve users in the European Economic Area, the EU GDPR applies on an equivalent basis.
2. Whose data we process
This policy covers two distinct groups of people:
- Users — the individuals who register for and use the Service (our customers and their authorised users).
- Search Subjects — the companies, and the individuals behind them, whom you screen or look up through the Service, such as company directors, beneficial owners, shareholders and managers, politically exposed persons (PEPs), and people named in sanctions, watchlist or adverse-media sources (referred to below as "screened persons"). These people are usually not our users, and the data about them generally comes from public and third-party sources rather than from the person directly.
3. Controller and processor roles
Our role depends on the activity:
- We act as an independent controller for the collection, aggregation, curation, scoring and presentation of the screening information that makes up the Service. Because we decide which sources to draw on and how that information is organised, we are the controller for that processing — not merely a processor.
- When you submit a search (for example, a name or registration number) and we process it to return a result for you, we act as a processor on your documented instructions — and you act as an independent controller for your own use of the result.
We do not make decisions or recommendations about any screened person; any decision based on a result is yours.
4. What data we process
About users
- account and identity data (name, work email, organisation, login credentials in hashed form);
- billing and subscription data (plan, quota usage, invoices; card details are handled by our payment provider, not stored by us);
- technical and usage data needed to operate and secure the Service (IP address, request logs, API-key usage, error and audit logs).
About screened persons
- identity and role data (name, role/title, date of birth where published, nationality, country, company associations and ownership);
- risk-relevant data such as sanctions designations, PEP status and connections, watchlist entries, insolvency records and adverse-media references.
5. Where the data comes from
User data comes from you. Data about screened persons is aggregated from public and private third-party sources, including: official company and beneficial-ownership registries; sanctions and watchlists (such as OFAC, EU, UN and UK OFSI consolidated lists); PEP and adverse-media sources; aggregators such as OpenSanctions and ICIJ Offshore Leaks; insolvency and tax registers; and commercial data providers. We do not control these sources and do not independently verify their content.
6. Why we process data, and our lawful basis
- To provide the Service to users — lawful basis: performance of a contract (UK GDPR Art. 6(1)(b)).
- To run screening and present information about screened persons — lawful basis: our legitimate interests and those of our customers (Art. 6(1)(f)) in preventing money laundering, terrorist financing, sanctions evasion and fraud, and in enabling regulated businesses to meet their legal obligations. The data concerns adults acting in a business or public capacity, the processing is limited and proportionate to that purpose, and it falls within their reasonable expectations. We have carried out a Legitimate Interests Assessment and we do not rely on consent for this processing. Where the processing supports the prevention of money laundering and terrorist financing, we additionally rely on the performance of a task in the public interest (Art. 6(1)(e)) and, for any special-category data, the substantial-public-interest condition (Art. 9(2)(g)).
- To secure, maintain, account for and bill the Service, and to comply with law — lawful basis: legitimate interests and, where applicable, legal obligation (Art. 6(1)(c)).
Our customers are typically regulated firms that rely on their own legal obligation and/or legitimate interests for their use of the results.
7. Sanctions, PEP and other sensitive data
Some screening information — for example sanctions designations, PEP status or adverse-media references — may amount to criminal-offence data (UK GDPR Art. 10 / DPA 2018) or special-category data (Art. 9). Where it does, we process it under the substantial-public-interest and crime-prevention conditions in Schedule 1 to the Data Protection Act 2018 (including preventing or detecting unlawful acts and the prevention of money laundering or terrorist financing), and we maintain an Appropriate Policy Document covering this processing as required.
8. We do not retain your search data
Search queries and the results returned to you are processed on a transient, pass-through basis and are not retained, sold or re-used for any purpose other than delivering the result to you. We keep only:
- limited operational and security logs (such as authentication events, error logs and abuse-prevention data), kept for short periods to run and protect the Service;
- usage counts needed to apply quotas and billing; and
- any records we are required by law to keep (for example, AML record-keeping rules).
Where you actively choose to save a case, dossier or monitoring entry, that content is stored for your convenience under your control; you can export or delete it, and you decide its retention period. We do not use it for any purpose other than providing the Service to you.
9. Notifying screened individuals
Because data about screened persons is collected from public and third-party sources — often without reliable contact details and at scale — providing individual notice to each person would involve disproportionate effort, and notice may also be restricted where it would prejudice the prevention of crime. We therefore rely on the exemptions in UK GDPR Art. 14(5) and the relevant DPA 2018 crime-prevention provisions, and we generally do not notify each screened person directly. Where you use results to make decisions about an individual, you are responsible for any notice or transparency obligation that your own law places on you.
10. Who we share data with
We do not sell personal data. We share it only with:
- service providers / sub-processors who help us run the Service — such as reputable cloud hosting and infrastructure providers and our payment processor — under contracts that require appropriate safeguards; we will provide the current list of sub-processors on request;
- authorities, regulators or courts where we are required to do so by law, or to establish, exercise or defend legal claims; and
- a successor in the event of a merger, acquisition or reorganisation, subject to this policy.
11. International transfers
We aim to store and process data within the UK and the EEA. Where data is transferred outside the UK or EEA, we put appropriate safeguards in place — such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, and EU Standard Contractual Clauses where relevant — together with a transfer risk assessment.
12. How long we keep data
We keep personal data only for as long as reasonably necessary for the purposes set out above, taking into account its sensitivity, the risk of harm, and applicable legal, regulatory, tax and accounting requirements. Search queries are not retained beyond delivering the result (section 8). Account data is kept for the life of your account and a reasonable period afterwards. Records required by AML law are kept for the period that law specifies (typically five years).
13. Your rights
Subject to applicable law, you have the right to: access your personal data; have inaccurate data corrected; request erasure; restrict or object to processing; request data portability; and withdraw consent where we rely on it. To exercise a right, contact us at privacy@ddcheck.uk; we do not charge for genuine requests.
These rights have limits. Where we process data for AML, crime-prevention or other legitimate-interest or legal-obligation purposes, we may be unable to erase or stop processing it, and we may decline manifestly unfounded or excessive requests. If you are unhappy with how we handle your data you can complain to the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.
You also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not make such decisions: any risk score, flag or rating we provide is decision-support only, and the decision is taken by a person in the customer's organisation.
14. Security
We use appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, hashed credentials and least-privilege access. No system is perfectly secure, and we cannot guarantee absolute security.
15. Children
The Service is intended for business use by adults and is not directed at children. We do not knowingly collect data from children as users.
16. Changes to this policy
We may update this policy from time to time. We will post the updated version here and change the "Last updated" date; material changes will be notified by reasonable means.
17. Contact
For privacy questions or to exercise your rights, contact privacy@ddcheck.uk.