Privacy Policy

What personal data we process

We process different types of personal data depending on how you interact with us.

Website visitors: When you visit our website, we may collect technical information such as your IP address, browser type, device type, and pages visited. We use this information to improve our website and understand how people use it. We do not track individual users or build detailed profiles.

Waitlist subscribers: If you join our waitlist, we collect your email address, firm name, firm size, and whether you're registered (or plan to register) as an ACSP. We use this information to keep you updated on our progress and invite you to early access.

Platform users (ACSPs): If your firm uses ACSPverify, we collect your name, email address, firm details, and account information. We use this information to provide the service, manage your account, and communicate with you about your use of the platform.

Individuals being verified: When someone completes an identity verification check through ACSPverify, we process their identity document, biometric image (selfie), name, date of birth, address, and nationality. This data is processed solely to complete the identity verification check and provide the results to the ACSP who requested it.

How identity verification data is handled

Identity verification data is highly sensitive. We handle it carefully and process it only for the purpose of verifying identities in line with the Companies House standard.

When an individual completes an identity verification check, their identity document and biometric image are sent to our trusted third-party identity verification providers. These providers authenticate the document, perform biometric matching, run liveness detection, and check for fraud.

The providers process the data solely to perform the verification check and return the results to us. They do not use the data for any other purpose, and they delete or anonymise it in line with their retention policies.

Once the check is complete, we provide the results and evidence pack to the ACSP who requested the verification. The ACSP is the data controller and is responsible for storing the evidence, meeting GDPR obligations, and deleting the data when no longer needed.

ACSPverify minimises long-term storage of biometric data. We do not retain identity documents or selfies indefinitely. Evidence packs are available for download for a limited period, after which they are deleted from our systems unless the ACSP has requested extended storage.

Legal basis for processing

We process personal data under the following legal bases:

Consent: When you join our waitlist or subscribe to updates, you consent to us processing your contact details for those purposes.

Contract: When your firm uses ACSPverify, we process data as necessary to provide the service and fulfil our contract with you.

Legitimate interests: We process technical data about website visitors based on our legitimate interest in improving our website and understanding how it's used.

Legal obligation: In some cases, we may process data to comply with legal obligations, such as responding to law enforcement requests or complying with regulatory requirements.

For identity verification checks, the legal basis is usually contract (we're performing the service the ACSP requested) or legal obligation (the ACSP is required to verify identities under ECCTA and related regulations).

Our role as data processor for identity verification

When your firm uses ACSPverify to verify someone's identity, we act as a data processor. This means:

• Your firm (the ACSP) is the data controller and is responsible for compliance with UK GDPR
• We process identity verification data solely on your instructions
• We do not use the data for our own purposes
• We implement appropriate security measures to protect the data
• We assist you in meeting your GDPR obligations, including responding to data subject requests

As the data controller, your firm is responsible for having a lawful basis for processing identity verification data, informing individuals about how their data will be used, storing evidence securely, and deleting data when no longer needed.

If an individual being verified wants to exercise their GDPR rights (such as access, correction, or deletion), they should contact your firm. We will assist you in responding to those requests where necessary.

What third-party IDV providers do

We work with established identity verification providers to perform document authentication, biometric matching, and fraud detection. These providers act as sub-processors.

The providers process identity documents and biometric images solely to complete the verification check. They do not use the data for marketing, training AI models (unless explicitly anonymised), or any purpose beyond identity verification.

Our contracts with these providers require them to comply with UK GDPR, implement strong security measures, and delete or anonymise data in line with agreed retention periods.

We only work with providers who meet industry standards for identity verification and data protection. If you want details of the specific providers we use, please contact us.

Storage durations

We store personal data only as long as necessary for the purposes for which it was collected.

Website visitor data: Technical data is typically stored for 90 days or less.

Waitlist subscriber data: We keep your contact details until you unsubscribe or until we launch publicly (whichever comes first). You can unsubscribe at any time.

Platform user data: We keep your account information for as long as you use ACSPverify. If you close your account, we delete your data within 30 days unless we're required to keep it for legal or regulatory reasons.

Identity verification data: Evidence packs (including identity documents and biometric images) are available for download for a limited period (typically 90 days) after the verification is completed. After that, they are deleted from our systems unless the ACSP has requested extended storage. ACSPs are responsible for downloading and storing evidence in line with their own retention policies (typically seven years for ACSP compliance).

Your GDPR rights

Under UK GDPR, you have the following rights:

• Right of access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can ask us to correct inaccurate or incomplete data.
• Right to erasure: You can request that we delete your personal data in certain circumstances (such as when it's no longer needed or you withdraw consent).
• Right to restrict processing: You can ask us to limit how we use your data in certain situations.
• Right to data portability: You can request a copy of your data in a structured, machine-readable format.
• Right to object: You can object to processing based on legitimate interests or for direct marketing purposes.
• Rights related to automated decision-making: If we use automated decision-making (such as automated verification results), you have the right to human review.

To exercise any of these rights, please contact us at [email protected]. We'll respond within one month.

If you're an individual who completed an identity verification check through ACSPverify, your GDPR rights should be exercised by contacting the ACSP who requested the check (the data controller). We will assist the ACSP in responding to your request.

Security

We implement appropriate technical and organisational measures to protect personal data from unauthorised access, loss, or misuse. These measures include:

• Encryption of data in transit and at rest
• Access controls and authentication
• Regular security testing and vulnerability assessments
• Staff training on data protection
• Contracts with third-party providers requiring strong security standards

No system is completely secure, but we take data protection seriously and continuously improve our security practices.

International transfers

Our infrastructure is hosted in the UK and EU. We do not routinely transfer personal data outside the UK or EU.

If we need to transfer data internationally (for example, to a sub-processor in another jurisdiction), we ensure appropriate safeguards are in place, such as standard contractual clauses or adequacy decisions.

Children's data

ACSPverify is designed for business use and is not intended for children under 16. We do not knowingly collect personal data from children.

Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We'll post the updated policy on this page and update the "last updated" date.

If we make significant changes, we'll notify users by email or through a prominent notice on our website.

How to contact us for data requests

If you have questions about this privacy policy, want to exercise your GDPR rights, or need to contact us about data protection, please email:

[email protected]

We aim to respond to all data protection enquiries within one month.

If you're not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO). You can contact the ICO at ico.org.uk or by calling 0303 123 1113.