Privacy Statement
Last updated: 29 April 2026
1. Introduction
Know Your Customer Limited (KYC, we, us, our) is subject to:
– the EU General Data Protection Regulation (GDPR),
– Hong Kong’s Personal Data (Privacy) Ordinance (PDPO), and
– Singapore’s Personal Data Protection Act (PDPA).
This Statement explains how we collect, use, disclose and safeguard personal data as both a data processor (for KYC Clients’ Customers) and a data controller (for our own subscribers).
2. Roles & Scope
For KYC Clients’ Customers: We act solely as a processor/data user. All personal data (e.g. names, ID numbers, location data) is collected on behalf of, and remains accessible only to, the engaging KYC Client.
For Subscribers (marketing, newsletters): We act as controller/data controller, collecting names, emails, phone numbers, etc., to send marketing updates.
3. Personal Data We Collect
– Identity & Contact Data: name, title, company, job role, email, telephone, postal address.
– Technical & Usage Data: IP address, browser type, device identifiers, pages visited, support requests.
– Sources: Directly from you (forms, uploads), or automatically via cookies and analytics.
3A Two distinct data-processing contexts
Separately, when KYC processes personal data on behalf of our client institutions as part of delivering our KYB and customer due-diligence platform, KYC acts as a data processor and the client institution is the controller. That processing is governed by the data-processing terms in each client’s commercial agreement with KYC, including a separate sub-processor list specific to the platform service. Those processor-side sub-processors are not the same as the controller-side sub-processors listed below, and clients receive that list and any updates to it through their account contacts under the terms of their agreement with us.
3B Sub-processors supporting KYC controller activities
- Microsoft Ireland Operations Limited: Email, calendar, document storage and collaboration platform (Microsoft 365) and underlying cloud infrastructure (Microsoft Azure) used by KYC staff to conduct corporate operations, including responding to support enquiries from website visitors and existing clients. Contact details, correspondence content, attachments, account and authentication data. EU (primary), with limited replication to other Microsoft regions in line with Microsoft’s published data-residency commitments. EU Standard Contractual Clauses where applicable; Microsoft EU Data Boundary commitments for in-scope services. https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
- Anthropic, PBC (United States): AI-assisted analytics and summarisation of KYC’s internal operational data, including support tickets and internal correspondence, to produce management-visibility digests. KYC does not use Anthropic to automate customer-facing communications or to take automated decisions affecting individuals. Limited personal data contained in support-ticket text and internal correspondence (e.g. names, business contact details, message content). Special-category data is not intentionally processed. United States. EU Standard Contractual Clauses (Modules Two and Three) under Anthropic’s Commercial Data Processing Addendum, together with the UK and Swiss addenda where applicable. https://www.anthropic.com/legal/data-processing-addendum and https://www.anthropic.com/legal/privacy
4. Purposes of Processing
KYC Clients’ Customers:
– Verify identity to comply with AML regulations;
– Share results with KYC Clients via restricted access;
– Perform any KYC Client–specified processing;
– Meet legal/regulatory obligations of KYC Clients.
Subscribers:
– Deliver news, marketing updates and industry insights;
– Improve our offerings;
– Obtain and manage consent for marketing.
5. Legal Bases
GDPR (EEA data subjects): consent; contract necessity; legal obligation; legitimate interests.
PDPO & PDPA (HK/Singapore/other): consent; contract necessity; compliance with legal obligations.
6. Data Retention
We keep personal data only as long as necessary for the above purposes, in line with statutory requirements and our internal retention policies.
7. Data Transfers & Security
– International transfers: Data may be transferred to and stored in Ireland, Hong Kong, Singapore, UK, China, etc., under EU Standard Contractual Clauses or equivalent safeguards.
– Security measures: Role-based access controls with MFA; 256-bit AES encryption at rest; SSL/TLS in transit; regular audits.
8. Cookies
We use cookies for analytics and to enable pseudonymous identifiers (e.g. IP addresses) as part of our identity-verification services.
On first visit you’ll be asked to consent. You may withdraw consent by emailing our DPO or disabling cookies in your browser. Guidance at www.aboutcookies.org.
9. Rights of Data Subjects
Depending on your jurisdiction, you may have the right to:
– access, correct or erase your data;
– restrict or object to processing;
– data portability;
– withdraw consent (without affecting prior lawful processing).
Customers: exercise rights via the KYC Client.
Subscribers: exercise rights by emailing our DPO or writing to us at the address below.
10. Acceptance of Terms
By uploading data via our website/mobile app or subscribing to communications, you accept the practices in this Statement and consent to cross-border transfers within the KYC group for the stated purposes.
11. Contact Our Data Protection Officer
If you have any queries, requests or complaints, please reach out:
Data Protection Officer
Know Your Customer Limited
Hong Kong Office:
Spaces, 8 Queen’s Rd East, Wan Chai, Hong Kong
Tel: +852 5803 0898
Singapore Office:
26 Eng Hoon Street, Singapore 169776
Tel: +65 3158 2539
Email: dataprotection@knowyourcustomer.com
12. Amendments & Updates
We may revise this Statement to reflect changes in law, regulation or business practices. Updated versions will be posted here with a “Last updated” date.