Privacy Policy
Last updated: May 2026
1. Overview
Entity Ledger ("we", "us", or "our") operates a compliance and counterparty intelligence platform. This Privacy Policy explains how we collect, use, store, and disclose information when you use our Service. We are committed to processing data in accordance with the General Data Protection Regulation (GDPR) and applicable Cypriot data protection legislation.
2. Information We Collect
2.1 Information You Provide
We collect information you voluntarily submit, including when you contact us by email or register for access. This may include your name, email address, organisation, and the nature of your enquiry.
2.2 Information Collected Automatically
When you use the Service, we automatically collect certain technical data, including:
- IP address and approximate geolocation;
- Browser type, version, and operating system;
- Pages visited, search queries, and timestamps;
- Referring URLs.
This information is collected for security, abuse prevention, and service improvement purposes and is not used to identify individual users beyond what is necessary for these purposes.
2.3 Entity Data
The Service displays information about legal entities and individuals sourced from the following public registries and databases:
- Cyprus Registrar of Companies — company filings, directors, shareholders, and corporate notices;
- UK Companies House — company filings, persons with significant control (PSC), and director disqualifications;
- Official sanctions lists — the US Consolidated Screening List (OFAC, BIS, State Department), the EU Consolidated Financial Sanctions List, and the UK Sanctions List (OFSI);
- ICIJ Offshore Leaks Database — leaked offshore corporate records of public interest;
- GLEIF — Global Legal Entity Identifier reference data;
- Cyprus Government Gazette — official corporate notices and regulatory publications.
This information is collected and processed on the basis of legitimate interest (GDPR Article 6(1)(f)), specifically the public interest in transparency, compliance, and fraud prevention recognised under Recital 47. Where the data includes special categories — such as sanctions exposure or criminal-record information about identified individuals — we additionally rely on the substantial public interest condition (Article 9(2)(g)).
2.3a Beneficial Ownership and Individuals
Where source registries publish persons with significant control, beneficial owners, or directors, we surface this information only as published by the originating registry. We do not display home addresses, full dates of birth (only month and year, where the source registry permits), or personal contact details of natural persons. Risk signals attached to named individuals are sourced verbatim from public records and are traceable to their origin.
3. Legal Basis for Processing
We process personal data on the following legal bases:
- Legitimate interest — for compliance, fraud prevention, and counterparty transparency research;
- Legal obligation — where processing is required to comply with applicable law;
- Consent — where you have explicitly provided consent, which may be withdrawn at any time.
4. How We Use Information
We use collected information to:
- Operate and improve the Service;
- Detect and prevent abuse, fraud, and unauthorised access;
- Respond to enquiries and support requests;
- Comply with legal obligations;
- Conduct internal analytics to understand how the Service is used.
We do not sell personal data to third parties. We do not use personal data for automated profiling or decision-making that produces legal or similarly significant effects.
5. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Server logs are retained for up to 90 days. Entity data sourced from public registries is retained for as long as it remains relevant to compliance use cases and is periodically reviewed for accuracy.
6. Your Rights
Under GDPR, you have the following rights with respect to personal data we hold about you:
- Right of access — to obtain a copy of your personal data;
- Right to rectification — to correct inaccurate data;
- Right to erasure — to request deletion where there is no legitimate basis for continued processing;
- Right to restriction — to limit how we use your data;
- Right to object — to object to processing based on legitimate interest;
- Right to portability — to receive your data in a structured, machine-readable format.
Note that the right to erasure may be limited where data originates from public registries and where processing is justified by public interest or legal obligation. We will assess each request on its merits, balancing your rights against our legitimate interest. If we are unable to fulfil a request, we will explain why and inform you of your right to lodge a complaint with the supervisory authority.
6.1 Takedown and Correction Process
To exercise any of these rights, contact us at [email protected]. Requests should include:
- The URL of the affected entity page (or other content);
- The specific information you believe is inaccurate, outdated, or unlawfully processed;
- Supporting documentation where applicable.
We respond within 30 days, in line with GDPR Article 12(3). If we refuse a request — most commonly because the data accurately reflects a current public registry record — we will explain why and inform you of your right to complain to the supervisory authority listed in Section 11.
7. Cookies and Analytics
We use only technically necessary cookies required for authentication and session continuity (for example, the Rails session cookie used to keep you signed in). These are exempt from consent requirements under Article 5(3) of the ePrivacy Directive.
7.1 Privacy-respecting Analytics
We use Google Analytics 4 in Consent Mode v2, configured to operate without storing identifiers on your device:
- analytics_storage is set to denied by default — Google Analytics receives cookieless pings rather than cookie-tagged events;
- ad_storage, ad_user_data, and ad_personalization are all set to denied — no advertising cookies, no Google Ads or remarketing data is shared;
- anonymize_ip is enabled — your IP address is truncated by Google before storage;
- allow_google_signals and allow_ad_personalization_signals are set to false — Google Signals demographic and interest data is disabled.
As a result, Google Analytics receives only aggregate, session-scoped event data (page views, navigation events, search counts) and cannot identify individual visitors or follow them across sessions or sites.
7.2 No Consent Banner
Because we do not set advertising or tracking cookies, and because our analytics configuration is cookieless under Consent Mode v2, no cookie consent banner is presented. The technically necessary session cookie used for authentication is exempt under Article 5(3) of the ePrivacy Directive.
Note: Google Analytics may briefly set a short-lived session token under Consent Mode for technical session deduplication; this token contains no personal identifiers and is not used to track you across visits. We do not control Google's implementation and may revise our analytics provider at any time to reduce reliance on third parties.
7.3 What We Do Not Use
We do not use advertising cookies, marketing trackers, third-party retargeting pixels, fingerprinting, behavioural profiling, or any analytics tools that identify individual users.
8. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction. These include encrypted connections (TLS), access controls, and rate limiting. No method of transmission over the internet is completely secure, and we cannot guarantee absolute security.
9. International Transfers
The Service is operated from within the European Union. If data is transferred outside the EEA, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V, including Standard Contractual Clauses where required.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be indicated by an updated date at the top of this page. Continued use of the Service after changes constitutes acceptance of the revised policy.
11. Contact and Supervisory Authorities
For privacy-related enquiries, contact us at [email protected].
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement. The most relevant authorities for users of this Service are:
- Cyprus — Office of the Commissioner for Personal Data Protection of the Republic of Cyprus (www.dataprotection.gov.cy);
- United Kingdom — Information Commissioner's Office (ico.org.uk);
- European Union — your national data protection authority. A directory is maintained by the European Data Protection Board at edpb.europa.eu/about-edpb/members_en.