Company Records — Privacy Notice

Version 1.0 · Effective date: 15 July 2026

Self-serve pay-as-you-go company reports · reports.knowyourcustomer.com

This notice explains how we process personal data in connection with the Company Records service, including personal data about individuals who appear on official company registers. It supports our Terms of Service and Acceptable Use Policy.

Who we are

Company Records is operated by Know Your Customer (Ireland) Limited (CRO number 595161), registered office Castleyard OfficePods 14, 20 St. Patricks Road, A96 D573 Dalkey, Co. Dublin, Ireland. We are the controller of the personal data described here. You can contact our data protection contact at legal@knowyourcustomer.com.

What data we process and where it comes from

To produce company due-diligence reports for our business customers, we process information published on official company registers. Where a company’s records name individuals — for example directors, officers, and natural-person beneficial owners of corporate shareholders — we process their name, role or position, appointment or cessation dates, register-listed address, and shareholding, as those details appear on the official register. Our reports contain official company-registry data only; they do not include any screening data (AML, sanctions, or PEP) or any other data source. We do not seek special-category data.

We also process the account, contact, and usage data of our business customers’ own personnel (for example the name and business email used to register, and the record of searches and orders placed). That data is provided to us by the customer or generated as they use the Service.

Why we process it (purposes and lawful basis)

We compile and supply these reports so that regulated and other businesses can carry out KYC/CDD, anti-money-laundering and sanctions compliance, counterparty and supplier due diligence, and fraud prevention. Our lawful basis for processing the personal data that appears in reports is our legitimate interests, and the legitimate interests of our customers and the public, in enabling accurate due diligence and combating financial crime (Article 6(1)(f) GDPR). We have carried out a balancing assessment; you can ask us for a summary.

For our business customers’ account and usage data, we rely on our legitimate interests and, where applicable, the performance of our contract with the customer and our legal obligations (for example tax and accounting record-keeping).

Who receives it

Our business customers receive the reports they purchase and use them, as independent controllers, only for permitted business purposes under our Acceptable Use Policy (which prohibits, among other things, consumer-credit, employment, tenancy, marketing, profiling, harassment, bulk extraction, and resale). Our reports are supplied only to businesses; we do not offer a people-search product on individuals, and follow-on reports are on corporate entities only.

We use service providers to host the Service (Microsoft Azure, in the EU/West Europe), to process payments, and to deliver email; company-register retrieval is carried out via our group’s KYC engine in Hong Kong under intra-group Standard Contractual Clauses.

International transfers

Where data is transferred outside the EEA (for example to our KYC engine in Hong Kong), we use Standard Contractual Clauses and a transfer risk assessment to protect it. No processing takes place in the United States.

How long we keep it

We keep report content for 90 days and then purge it. We keep usage records for 12 months and then purge them. We retain transaction records (for accounting, tax, and legal record-keeping) for 6–7 years. After the report-content purge, only transaction metadata is kept.

Your rights

You have the right to access, rectify, erase, restrict, and object to our processing of your personal data, and the right to data portability where it applies. You also have the right to complain to the Irish Data Protection Commission (www.dataprotection.ie).

Because our reports draw on official registers, the authoritative record is the register itself, and we will also point you to the relevant register for corrections; we will restrict or delete the report content we hold about you on request where appropriate. The short retention above already limits how long we hold report content.

Right to object (Article 21). Because we rely on legitimate interests, you can object to our processing of your personal data. We will assess your objection and, unless we have compelling legitimate grounds that override your interests, we will stop processing your data in report content.

To exercise any right, or to object under Article 21, contact legal@knowyourcustomer.com. We log requests and answer them within the statutory timeframes.

Company Records Privacy Notice v1.0. Effective 15 July 2026. Know Your Customer (Ireland) Limited, CRO 595161. Data protection contact: legal@knowyourcustomer.com.