ComplyZap Privacy Policy

1. Who We Are

• Company Name: Churchill Solutions FZCO. Company registered in Dubai Silicon Oasis with registration number: DSO-FZCO-49737.
• Registered Address: PO Box: 338482, Unit 3706, Platinum Tower JLT-PH1-12, Jumeirah Lakes Towers, Dubai, UAE
• Data Controller: Churchill Solutions FZCO is the data controller responsible for your personal data under this Privacy Policy.
• Contact: For privacy-related inquiries, email us at privacy@complyzap.io or write to our registered address.

2. What Data We Collect

We collect the following types of personal data:

• User Data: Name, email address, company name, and contact details when you sign up for ComplyZap or contact support.
• Client Data: Identity documents, photos, and personal details (e.g., name, date of birth) submitted for verification and PEP/sanctions screening.
• Usage Data: IP address, browser type, pages visited, and interaction data (e.g., checks performed, alerts viewed) collected via cookies and analytics tools.
• Regulatory Data: Scraped regulatory updates (e.g., FCA, SEC, UAE Central Bank, Saudi CMA rules) that may include public data but are anonymized for user access.

3. How We Collect Data

• Directly from You: When you register, upload client data, or use ComplyZap services.
• Automatically: Via cookies and tracking technologies on complyzap.io to improve functionality and analyze usage.
• Third Parties: Our partners provide verification results, and Scrapy collects public regulatory data, which we process for your use.

4. How We Use Your Data

We process your data for the following purposes:

• Service Delivery: To provide client verification and regulatory updates, fulfilling our contract with you.
• Compliance: To meet legal obligations under FCA (UK), SEC (USA), UAE Central Bank, Saudi CMA, and GDPR/CCPA/PDPL/PDPL-SA (e.g., audit trails, PEP screening).
• Improvement: To analyze usage patterns and enhance ComplyZap features.
• Communication: To send service updates, marketing emails (with opt-out), and support responses.

Legal Basis:

• GDPR (UK/Europe): Contract (Article 6(1)(b)), Legal Obligation (Article 6(1)(c)), Legitimate Interest (Article 6(1)(f)).
• CCPA (USA): Business purpose (Cal. Civ. Code § 1798.140(t)) with notice and opt-out for sales.
• PDPL (UAE) / PDPL-SA (Saudi Arabia): Consent or legitimate interest, per respective laws, with data subject rights.
• Other Jurisdictions: Based on local laws, typically consent or contractual necessity.

5. Legal Basis for Processing

• GDPR (UK/Europe): Article 6(1)(b): Performance of a contract (e.g., verification services).
• GDPR (UK/Europe): Article 6(1)(c): Compliance with legal obligations (e.g., AML regulations).
• GDPR (UK/Europe): Article 6(1)(f): Legitimate interests (e.g., improving services), balanced with your rights.
• For sensitive data (e.g., ID documents), we may also rely on Article 9(2)(f) (legal claims) with consent where required.
• CCPA (California): Processed for operational purposes, with opt-out rights for sales (if applicable).
• PDPL (UAE) / PDPL-SA (Saudi Arabia): Based on consent or contractual necessity, with data minimization per local laws.
• Other Regions: Complies with local data protection laws (e.g., Qatar Law No. 13 of 2016), ensuring consent or legal basis as required.

6. Data Sharing

• Our Partners: For client verification and PEP screening, under data processing agreements (DPAs).
• Service Providers: AWS (hosting), Google Cloud (NLP), and Intercom (support), bound by DPAs.
• Legal Authorities: If required by law (e.g., FCA, SEC, UAE, Saudi audits), with minimal disclosure.
• No Sale: We do not sell your data to third parties (CCPA definition).

7. Data Security

• We use encryption (TLS, AES-256) and secure AWS infrastructure to protect your data.
• Access is restricted to authorized personnel only.
• Regular security audits ensure compliance with GDPR Article 32, CCPA safeguards, PDPL, PDPL-SA, and other regional requirements.

8. Data Retention

• User Data: Retained for 2 years after account closure, unless longer retention is required by law.
• Client Data: Stored for 5 years post-verification (FCA, SEC, UAE, Saudi requirements), then securely deleted.
• Usage Data: Anonymized after 12 months for analytics.

9. Your Rights

• GDPR (UK/Europe): Access, rectification, erasure, restriction, portability, objection, and complaints to the UK ICO (ico.org.uk) or local EU authority.
• CCPA (California) / Other U.S. States: Know, delete, opt-out of sales, and non-discrimination; contact via support@complyzap.io or relevant state Attorney General.
• PDPL (UAE) / PDPL-SA (Saudi Arabia) / Other Middle East: Access, correction, deletion, and objection; contact UAE PDPL authority, Saudi SDAIA, or local regulator if unresolved.
• Global: Rights vary by jurisdiction; email support@complyzap.io to exercise them.

10. International Data Transfers

• Data is processed in the UAE and stored on AWS servers in the EU (Frankfurt) and USA, ensuring GDPR/CCPA compliance via Standard Contractual Clauses (SCCs), PDPL/PDPL-SA alignment, and adherence to other regional data transfer frameworks.
• Our partners may process data globally; we ensure DPAs with SCCs or equivalent mechanisms are in place.

11. Cookies and Tracking

• We use cookies for functionality (e.g., login) and analytics (e.g., Google Analytics).
• You can manage cookies via your browser settings or our cookie consent banner on complyzap.io.

12. Changes to This Policy

We may update this policy, with changes posted on complyzap.io and emailed to users.

13. Contact Us

Email: support@complyzap.io
Address: Churchill Solutions FZCO, PO Box: 338482, Unit 3706, Platinum Tower JLT-PH1-12, Jumeirah Lakes Towers, Dubai, UAE