Privacy policy
We are committed to protecting your data, and your privacy. We will not sell your personal data.
This privacy notice describes who we are and how and why we collect, store, use, and share your personal data in accordance with the Data Protection Legislation. It explains your associated rights and how to contact us or the supervisory authorities if you are unsatisfied with the response.
This Privacy Notice is relevant to anyone who interacts with our services, including website users. If you have signed an agreement with us, the agreement shall prevail and this notice shall be used for information purposes only.
We are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are also subject to the EU General Data Protection Regulation (EU GDPR) in relation to goods and services we offer to individuals and our wider operations in the European Economic Area (EEA).
1. About us
We are API Compliance Ltd, a regulatory compliance consultancy offering authorisations, advisory services, regulatory reporting and more. We are committed to protecting your data, and your privacy in accordance with applicable data protection laws.
Our contact details are:
- Office: API Compliance Ltd, WeWork The Monument, 51 Eastcheap, London EC3M 1DT;
- Email: dataprotection@apicompliance.co.uk
We are not required to have a Data Protection Officer, so any enquiries about our use of personal data should be addressed to the contact details above.
2. Why do I need to read this notice?
This policy details what information we collect, how we use it, and your rights over your personal data.
‘Personal data’ includes information which:
- We know about you, and
- Can be used to personally identify you
3. When and why we collect personal data about you
We may collect personal data when you:
- Browse our website
- Submit an enquiry via our website;
- Sign up to receive our newsletter;
- Download resources from our website;
- Take part in our feedback survey;
- Engage with us for compliance consultancy services;
- Provide information as part of due diligence, regulatory applications, or client onboarding
Browsing our website (Cookies)
What we collect this information for
We use this information to measure the performance of our online marketing activities.
For information about our use of Cookies, please see our cookie policy.
Legal basis for processing
Consent, where you agree to us collecting your personal data.
Legitimate interests, to gather data useful for improving the delivery of our website to you.
When you submit an enquiry via our website
When you submit an enquiry via our website, we ask you for your name and email address.
What we collect this information for
We use this information to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry to follow up on your interest and ensure that we have answered it to your satisfaction. We will do this based on our legitimate interest in providing accurate information before a sale.
Legal basis for processing
Consent, where you agree to us collecting your personal data.
Legitimate interests, API Compliance has a legitimate interest in responding to enquiries and providing potential customers with relevant information about its services.
Necessary for the performance of a contract, if the enquiry could lead to a contractual relationship, processing is justified to fulfil this.
When you sign up to receive our newsletter
When you sign up to receive our newsletter, we ask for your name and your email address.
What we collect this information for
We will ask for your consent to use your name and email address to send you our newsletter which contains information about our products and other information that we feel might be of interest to you.
Legal basis for processing
Consent, where you agree to us collecting your personal data.
When you take part in our feedback survey
When you take part in our feedback survey, we record your name, your email address, your organisation name, your job role and your answers to questions we ask about your opinion of, and use of, our products and services.
What we collect this information for
We use this information to develop and improve our products and services and our customer relationships. Your job role, organisation and some or all your comments, but not your name or any other personal details, may be publicly displayed on our website as a testimonial. We will do this based on our legitimate interest in marketing our products and services.
Legal basis for processing
Consent, where you agree to us collecting your personal data.
Legitimate interests, API Compliance has a legitimate business interest in improving its services and customer relationships by gathering feedback.
When you engage with us for compliance consultancy services
When you engage with us for compliance consultancy services, we may collect the following personal data:
- Business-related contact details such as:
- Full name;
- Email address;
- Phone number;
- Job title, and company name
What we collect this information for
We use this information to contact you to assess your regulatory needs and agree upon contractual terms.
Legal basis for processing
Consent, where you agree to us collecting your personal data.
Legitimate interest, API Compliance has a legitimate business interest to collect said data to deliver professional compliance services and ensure compliance with regulatory frameworks.
Provide information as part of due diligence, regulatory applications, or client onboarding
When you provide data for due diligence, regulatory applications, or client onboarding, we may collect information including company data such as:
- Full name and email address of the director signing on behalf of the company;
- Ownership structure down to 10% control;
- List of directors;
- Identification details for at least one director for UK companies and two directors for non-UK companies;
- HMRC tax records for the last three years;
- Information about bank accounts opened
This also includes individual data such as:
- Full name;
- Passport details (e.g. passport number);
- Residential address;
- Email address;
- CV, date of birth, previous names;
- Current and previous nationalities;
- DBS check documentation;
- Source of income and overview of current activities
What we collect this information for
We collect the necessary information to verify identity, assess financial and operational standing, and ensure compliance with regulatory frameworks.
Legal basis for processing
Consent, where you agree to us collecting your personal data.
Legal obligation, we are legally required to conduct due diligence checks under AML regulations, financial crime laws, and other regulatory obligations.
Legitimate interests, we have a legitimate interest where due diligence is not strictly required by law but is necessary for risk mitigation, fraud prevention, and ensuring compliance with ethical business practices.
Explicit consent is only required for special category data (e.g. the results of DBS checks, and photo ID where racial or ethnic information may be inferred).
Necessary for the performance of a contract, we may require this data to fulfil a contractual agreement we have in place with you.
4. Do you make automated decisions about me?
We do not make automated decisions that have a significant impact on you. However, we may conduct risk assessments as part of due diligence, which involve automated checks reviewed by compliance personnel.
5. Do you run credit checks on me?
Credit checks are not required for any of our current services, and therefore we will not run credit checks on you.
6. How do you use my personal data for marketing?
If you consent, we may send marketing communications about our services. You can opt-out at any time by clicking ‘unsubscribe’ in our emails or contacting us at dp@apicompliance.co.uk.
We use your personal data to personalise marketing messages about our products and services so they are more relevant and interesting to you (where allowed by law). This may include analysing how you use our services and your transactions.
You can object to profiling for direct marketing purposes. You can also adjust your preferences, or tell us at any time that you do not want to receive direct marketing (see Section 8), specifying that you object to profiling for direct marketing purposes. If you do not wish to receive personalised or general marketing communications via a particular channel, follow the unsubscribe instructions included in the communication.
If you do not want to receive personalised marketing messages, and opt out of receiving them, you will not receive any marketing communications.
We won’t pass your details on to any external organisation for their marketing purposes without your permission. You can find out more in Section 9 below.
7. What are my rights?
Your rights under UK and EU data protection legislation are outlined below. If you attempt to exercise these rights, occasionally we may not be able to fulfil your request if we have a legitimate basis or if the right does not apply to the information we hold about you.
You have the right to be told how we use your personal data
This is detailed in this privacy notice.
You have the right to ask for a copy of your personal data
Upon request, we can provide a copy of the personal data held about you. We cannot provide personal data relating to others, personal data linked to an ongoing criminal or fraud investigation, or communication we’ve had with legal advisors.
You can ask us to rectify inaccurate or incomplete personal data
You can have inaccurate or incomplete personal data rectified. Before we rectify this, we may need to check the accuracy of the new personal data you have provided.
You can request that your personal data be erased
You have the right to request we erase your personal data if:
- There’s no good reason for us to continue using it;
- You gave us consent (permission) to use your personal data, and you have now withdrawn that consent;
- You have objected to us using your personal data;
- We have used your personal data unlawfully;
- The law requires us to delete your personal data
We may not be able to do this under certain circumstances, such as if your data is involved in an ongoing legal investigation. We will always notify you if we can’t delete your personal data.
You can object to the processing of your data for marketing purposes
You can tell us to stop using your personal data, including profiling you, for marketing.
You can object to us processing other personal data (if we’re using it for legitimate interests)
If our legal basis for using your personal data is ‘legitimate interests’ and you disagree with us using it, you can object.
However, if there is an overriding reason why we need to use your personal data, we will not accept your request.
If you object to us using personal data which we need to provide our services, we may not be able to provide said services.
You can ask us to restrict how we use your personal data
You can ask us to suspend using your personal data if:
- You want us to investigate whether it’s accurate;
- Our use of your personal data is unlawful, but you don’t want us to delete it;
- We no longer need your personal data, but you want us to continue holding it for you in connection with a legal claim;
- You have objected to us using your personal data (see above), but we need to check whether we have an overriding reason to use it
If you object to us using personal data which we need to provide our services, we may not be able to provide said services.
You can ask us to transfer personal data to another company
If we can, and are allowed to do so under regulatory frameworks, we will provide your personal data to another company in a structured, commonly used, readable format.
You can withdraw your permission
If you’ve consented to us using your personal data, you can withdraw it at any time as detailed in Section 6.
(Please note, it is lawful for us to use your personal data up to the point you withdraw your permission).
You have the right to complain
If you have a complaint about our use of your information, we would prefer you to contact us directly in the first instance so that we can address your complaint.
However, you can also contact the UK Information Commissioner’s Office via their website at
www.ico.org.uk/concerns or write to them at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
8. How do I exercise my rights?
You can exercise any of the rights described in Section 5 by contacting us at dataprotection@apicompliance.co.uk.
For security reasons, you may be asked for proof of ID.
If a third party exercises these rights on your behalf, we may need to ask for proof that they are authorised to do so.
When you exercise these rights, it may take up to one month to respond to you or implement these changes. This can be extended by two months under certain conditions. If this is the case, you will be informed as such.
You will typically not be charged for exercising these rights. However, under certain conditions, such as if the request is complex or repetitive, we are legally allowed to request a reasonable fee.
9. Do you share my personal data with anyone else?
We do not sell personal data. We may, however, share it with certain third-party recipients.
Regulatory and legal authorities
We may share personal data where required by law or regulatory obligations with the following third parties:
Financial Conduct Authority (FCA) or other regulatory bodies
For compliance with financial and operational regulations.
Law enforcement agencies
For fraud prevention, money laundering investigations, or other legal requirements.
HM Revenue and Customs (HMRC)
For tax-related obligations in certain cases.
Compliance and due diligence service providers
We may share personal data for regulatory compliance and risk assessments with the following service providers:
Know Your Customer (KYC) and Anti-Money Laundering (AML) screening providers
This is to verify identities and conduct background checks.
Technology and service providers
To facilitate business operations, we may store or process personal data with the following service providers:
Cloud storage providers
Cloud service providers that host compliance-related data securely.
Social media and advertising companies
We may in the future use social media for marketing purposes. Your personal data (limited to your name and email address) may be shared with social media platforms so they can check if you also hold an account with them. If you do, we may ask the advertising partner or social media provider to:
- Use your personal data to send our adverts to you, because you might be interested in a new product or service;
- Not send you our adverts, because the marketing relates to a service you already use, or where you have withdrawn consent (where applicable), or exercised your rights, for example, your right to restrict processing;
- Send our adverts to people who have a similar profile to you (for example, if one of our services is particularly useful to people with similar interests to the ones on your social media profile, we may ask our advertising partner or social media partner to send our adverts for that service to those people)
We may share your personal data with our advertising partners in the ways described above, but the personal data is hashed before we send it, and the advertising partner we share it with is only allowed to use that hashed personal data in the ways described above.
You can contact us at any time (see Section 8) if you do not want us to share your personal data for advertising purposes. You can also manage your marketing preferences directly with any social media provider that you have an account with.
Where you ask us to share your personal data
Where you direct us to share your personal data with a third party, we may do so. For example, you may authorise third parties to act on your behalf. We may need to ask for proof that a third party has been authorised to act on your behalf.
10. Will my personal data go outside the United Kingdom or Europe?
We may need to transfer your personal data outside the United Kingdom or European Economic Area (EEA) to help us provide our services.
We may send your personal data outside the United Kingdom or EEA to:
- Keep to global legal and regulatory requirements;
- Provide ongoing support services;
- Fraud prevention agencies or law enforcement authorities;
- Enable us to provide you with the products or services you have requested
If we transfer your personal data to another country that doesn’t offer a standard of data protection equivalent to the United Kingdom (or EEA if applicable), we will make sure that your personal data is sufficiently protected. For example, we’ll make sure that a contract with strict data protection safeguards, such as Standard Contractual Clauses (SCCs), is in place before we transfer your personal data. In some cases, you may be entitled to ask us for a copy of this contract.
If you would like more information, please contact us by sending an email to dataprotection@apicompliance.co.uk.
11. How do you protect my personal data?
We recognise the importance of protecting and managing your personal data. Any personal data we process will be treated with the utmost care and security. This section sets out some of the security measures we have in place.
We use a variety of organisational and technical measures to:
- Maintain the confidentiality, availability and integrity of your personal data;
- Make sure your personal data is not improperly used or disclosed
We have detailed information security and data protection policies, which our employees are required to follow when they handle your personal data. Our employees receive data protection and information security training.
Personal data is stored on secure computer systems such as OneDrive or Hubspot with access management controls to limit physical, system, and information access to only authorised individuals.
Before we share your personal data with other companies, we perform due diligence, including assessment of:
- The company’s legal status, its management, data processing locations, and related sub-outsourcing;
- The security controls the company has in place to protect your personal data
While we take all reasonable steps to ensure that your personal data will be kept secure from unauthorised access, we cannot guarantee it will be secure during input into our website by you.
12. How long will you keep my personal data for?
We store personal data only as long as necessary for the purposes collected, or as legally required. Enquiry records are stored for two years, and marketing data is retained until consent is withdrawn. Due diligence records and regulatory application data may be retained for up to seven years, depending on requirements.
Once no longer needed, data will be securely deleted.
13. Updates to this privacy policy
We regularly review and, if appropriate, update this privacy policy as our services and use of personal data evolve. If we want to make use of your personal data in a way that we haven’t previously identified, we will contact you to provide information about this and, if necessary, to ask for your consent.
We will update the date of this document each time it is changed.