Privacy Policy

Regulatory DataCorp, Inc., its affiliates and subsidiaries (called in this Privacy Policy “RDC”, “we”, “us”, or “our”) respect your privacy. RDC is committed to safeguarding the Personal Data it receives from its Subscribers, Business Partners and vendors; as well as via our website ( and in publicly available and third party sources which are incorporated into our product database (which we call “GRID”) as well as our regulatory compliance services (together “Services”).

We are providing the information in this policy to meet our obligations as a controller(s) of Personal Data under applicable data protection laws. See ‘How to contact us’ below for our company details.

This policy covers both:
• individuals whose Personal Data is processed in connection with our Services that we provide as a controller, and
• users of our website and those who interact with our Services, including representatives of Subscribers, Business Partners and vendors, job applicants, others who contact us via the website with queries about our Services, partnering opportunities or media inquiries, people who access content such as webinars and whitepapers, and subscribers to our newsletter and RDC events.

This website is not intended for use by children and we do not knowingly collect or use Personal Data relating to children. Some technical terms are used in this Privacy Policy. If you are unsure of the meaning, you can use this glossary.

What does RDC do?

RDC’s main activity is in providing GRID to financial institutions and other entities with regulatory compliance requirements (“Subscribers”). Subscribers sign agreements with us to enable them to access GRID and send us Personal Data to enable them to check GRID in relation to their customers or those with whom they are looking to do business. Some of the customers identified by Subscribers are companies or other legal entities and some are individuals or sole traders. We process this Personal Data on behalf of Subscribers, and when we do this RDC acts as a processor. Our Subscribers are responsible for the Personal Data processing that we carry out on their behalf. In this scenario, they are the controller and will be responsible for ensuring that their use of RDC Services complies with data protection laws, including providing the necessary privacy notices and establishing an appropriate legal basis to provide RDC with Personal Data.
This Privacy Policy describes the types of Personal Data we collect, the purposes for which we collect that Personal Data, the other parties with whom we may share it, and the measures we take to protect the security of the data and other key information. It also tells you about your rights and choices with respect to your Personal Data, and how you can reach us to update your contact information or get answers to questions you may have about our privacy practices.

This privacy policy covers the following sections:
1. Personal Data We May Collect
2. How We May Use Your Personal Data
3. How We Share Your Personal Data
4. Your Rights and Choices
5. How We Protect Your Personal Data
6. Retention of Personal Data
7. Data Transfers
8. California Consumer Act Privacy Notice
9. Working with RDC
10. Features and Links to Other Websites
11. Updates to This Privacy Policy
12. How to Contact Us

For the purpose of this Privacy Policy, “Personal Data” means any information relating to an identified or identifiable individual. We obtain Personal Data relating to you from various sources described below.
Where applicable, we indicate whether and why you must provide us with your Personal Data, as well as the consequences of failing to do so. If you do not provide Personal Data when requested, you may not be able to benefit from our Services if that information is necessary to provide you with the service or if we are legally required to collect it.

  • Personal Data Provided by You: You may provide us with your Personal Data (e.g. your name and address as part of a request for information, or information that you submit as part of a job application – see ‘Working with RDC’ below) via our website.
  • Personal Data Provided in the Context of our Contractual Relationship: We may receive contact information (e.g., name, professional email address) of employees of Subscribers, Business Partners and vendors in the context of our contractual relationship with such entities. Our Business Partners may also provide us with Personal Data from their customers. For example, some of our Business Partners resell our Services as part of their own products. In those situations, our Business Partners may provide us with Personal Data (e.g. name, address, date of birth). We also maintain the emails or other communications that our Subscribers may send us, such as customer support inquiries, and their content.
  • Personal Data Obtained from Subscribers: Subscribers provide us with Personal Data (i.e., name, address, date of birth) of individuals who we check against our Services, upon our Subscribers’ requests.
  • Personal Data Obtained from Your Interaction with our Services: When you visit our website or interact with our Services, they automatically log certain technical information, including: your IP address, the date and time of your visit to the RDC site, and information about the browser you use. We collect information via cookies and similar technologies. You can read more about how we use these technologies in our Cookies Policy, which is incorporated by reference into this Privacy Policy. We also gather usage data and analytics in relation to your use of our Services.
  • Personal Data Obtained from Public Sources: RDC may collect Personal Data from the following sources in order to build out GRID and to make our Services available to the requesting Subscriber:
    • public records databases (“Public Records”)
    • reputable publicly available sources (“Publicly Available Data”), and
    • from third parties.

This includes individuals’ names and information relating to their jobs, companies, political affiliations, religious beliefs, sanctions, political exposure, and unlawful activities including terrorism and other criminal activities. Subscribers use such Personal Data as part of their compliance with their legal and regulatory obligations related to preventing and detecting money laundering, terrorism, and other criminal activity.

We will not routinely obtain email addresses for those individuals, and we rely on Subscribers (which do hold those contact details) to notify those individuals that they will run checks on them using GRID and to provide a copy of this policy to them at that stage, unless it would undermine the purpose of processing to do so. Further, given the nature of our Services that are used to identify banned and suspect entities and for fraud protection and meeting regulatory requirements relating to unlawful acts and dishonesty, there may be circumstances where providing the information to the individual would make impossible or seriously impair the achievement of the objectives of the processing.

We may use the Personal Data we obtain about you to:

  • Create and manage subscription agreements, provide our Services, and respond to inquiries from Subscribers.
  • Communicate with you, including by periodically emailing you service-related announcements.
  • Promote our Services and send you marketing communications about products, services, offers, programs and promotions of RDC, and partners (in accordance with required marketing permissions).
  • Aggregate or anonymize your Personal Data for the purpose of analyzing and reporting the effectiveness of and any trends in corporate ethics and compliance programs according to industry, company size, country, geographic region or other relevant classification or for other uses as RDC may inform you about (as permitted by our subscription agreements, where relevant, and as permitted by applicable law).
  • Operate, evaluate and improve our business and our Services, including by:
    • developing, maintaining, enhancing and improving our Services;
    • developing new products and services;
    • managing our communications;
    • determining the effectiveness of our advertising;
    • analyzing how the Services are being accessed and used;
    • tracking performance of the Services;
    • facilitating the use of our Services.
  • Maintain and improve the security of our Services.
  • Manage our vendor and partner relationships.
  • Enforce our subscription agreements and our other legal rights.
  • Respond to your queries or questions and to provide you with information that you have requested.
  • Comply with applicable legal requirements, industry standards and our policies.
  • Perform auditing, research and analysis in order to maintain, protect and improve our Services.
  • Meet our legal, regulatory and compliance obligations, including with regulators, courts, investors and shareholders.

We may process your Personal Data for the above purposes when:

  • We or a third party (e.g., Business Partners or Subscribers) have a legitimate interest in using your Personal Data. In particular, in line with the EU General Data Protection Regulation (GDPR) which recognizes fraud prevention as a legitimate interest, our Subscribers have a legitimate interest in the processing of your Personal Data for managing their financial risks, protecting against fraud, knowing who they are doing business with, and meeting compliance and regulatory obligations. Also, we have a legitimate interest in using your Personal Data to ensure and improve the safety, security, and performance of our Services and better understand organisations, industries, and markets.
  • You have consented to the use of your Personal Data;
  • We need your Personal Data to provide you with services and products requested by you, or to respond to your inquiries;
  • We have a legal obligation to use your Personal Data.
  • In relation to our use of criminal offence data, this will generally be processed either
    • with consent of the relevant individual (where reasonable to do so); or
    • in order to provide our Services in circumstances where the processing is necessary for the purposes of complying with, or assisting our Subscribers to comply with, a regulatory requirement (including under AML, KYC, anti-bribery and corruption, FCPA, sanctions and PEP regulations or under industry good practice principles and regulatory guidance applying to Subscribers), which involves taking steps to establish whether the individual has committed an unlawful act, been involved in dishonesty, malpractice or other seriously improper conduct; or where the individual has manifestly made such data public.

We do not sell or otherwise disclose Personal Data we collect about you, except as described in this Privacy Policy or otherwise disclosed to you by us or our Subscribers (or the vendor or Business Partner that you represent) at the time the data is collected.

  • Affiliates and Business Partners (e.g., Reseller). We may share the Personal Data we collect or receive with our affiliates and other offices, and Business Partners to whom it is reasonably necessary or reasonable for us to disclose your Personal Data to operate our business and to perform Services for our Subscribers or for our Business Partners (namely channel partners who resell RDC’s services) or their customers or for other legitimate purposes.
  • Service Providers. We may share Personal Data with our service providers who perform services on our behalf and in relation to the purposes described in this Privacy Policy. For example, we may use third parties to help us analyze data as part of the Services, help us provide customer support, manage our Services, and build out GRID. We contractually require these Service Providers to only process Personal Data in accordance with our instructions and as necessary to perform services on our behalf or comply with legal requirements. By way of further example, we use third parties to host and store GRID and Personal Data. Those third parties include our hosting provider in the UK, Rackspace US, Inc. and their affiliates and Amazon Web Services, Inc. (AWS). You can find out more about Rackspace and the measures they put in place to protect Personal Data here. You can find out more about AWS and the measures they put in place to protect Personal Data here.
  • Following the Law. We may disclose your Personal Data to third parties if we determine that such disclosure is reasonably necessary to comply with the law, respond to valid legal process, establish, assert or defend our legal rights, or prevent fraud or abuse of RDC or our users. In particular, we may disclose your Personal Data in response to lawful requests by public authorities, such as to meet national security or law enforcement requirements.
  • Business Transfers. If we’re involved in a reorganization, merger, acquisition or sale of any or all of our company, business or assets, your Personal Data may be transferred as part of that deal or disclosed in connection with due diligence. The transferee may not be in the same line of business as us. We will put in place contractual provisions designed to ensure that any other parties commit to keep your Personal Data confidential and to only use it for the purpose of the relevant transaction and for purposes that are consistent with those outlined in this Privacy Policy.

We respect your data protection rights. You may have data protection rights under:

2. The law of your own country
Your rights may include:
1. The right of access
2. The right to rectification
3. The right to erasure / right to be forgotten
4. The right to restrict processing
5. The right to data portability
6. The right to object
7. Rights in relation to automated decision making and profiling

You can find out more about GDPR rights here
You can find out more about the rights you may have under Swiss law here
There are various exceptions and restrictions to these rights. Those rights may also be limited in some circumstances by local law requirements, or different requirements may apply.

For further information and to exercise any of those rights, please see our Data Subject Request Form and Data Subject Request FAQs.

Inquiries may also be directed to RDC’s Data Protection Officer at:
Where required by law, we obtain your consent for the processing of certain Personal Data collected by cookies or similar technologies, or used to send you direct marketing communications, or when we carry out other processing activities for which consent may be required. (See also our Cookies Policy). If we rely on consent for the processing of your Personal Data, you have the right to withdraw it at any time and free of charge. When you do so, this will not affect the lawfulness of the processing before your consent withdrawal.
To update your marketing preferences, ask us to remove your information from our mailing lists, delete your account or submit a request to exercise your rights under applicable law, please contact us as specified in the “How to Contact Us” section below. If you would like to alter your marketing communications subscription preferences, or opt out, you can do so at any time by visiting our communications preference center.
In addition to the above-mentioned rights, you also have the right to lodge a complaint with a competent supervisory authority, including in your country of residence, place of work or where an incident took place, subject to applicable law. In the UK this is the Information Commissioner’s Office (ICO):

We maintain administrative, technical and physical safeguards that are intended to appropriately protect Personal Data against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the Personal Data in our possession. In particular, RDC uses security methods and procedures designed to safeguard Personal Data during transmission and storage.

We also take measures to delete your Personal Data or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it in the context of the Services or when you request its deletion, unless we are required by law to keep the information for a longer period. RDC performs periodic reviews of our databases, and has established specific time limits for data retention, based on the criticality of the Personal Data and the purposes of the data processing. Personal Data that is collected through our website will be retained for 3 years.
Personal Data obtained from our Subscribers and Business Partners will be maintained for the length of the associated agreement and the required time after the termination to meet any contractual audit or regulatory obligations or to otherwise comply with applicable law.

RDC is a global business. As a result, the Personal Data that we collect may be transferred to, and stored at, any of our locations which may be inside or outside the European Economic Area (“EEA”), the UK and Switzerland, including the United States. Data may also be processed by people around the world who work for RDC or for one of our suppliers/vendors. These people may be engaged in, among other things, the fulfillment of your information requests, answering inquiries about our Services and the provision of support services. Your Personal Data may be transferred to countries that do not have the same data protection laws as the country in which you initially provided the information. When we transfer or disclose your Personal Data to other countries, we will protect that information as described in this Privacy Policy.

Individuals Located in the EEA, UK or Switzerland
If you are located in the EEA, UK or Switzerland, we comply with applicable legal requirements for the transfer of Personal Data to countries outside of the EEA, UK or Switzerland. In particular, RDC has put in place a number of measures designed to protect Personal Data which is transferred from Europe (including Switzerland) or UK to the US, India, Bangladesh, South America, China, Canada and the Asia Pacific region. RDC maintains a network of specific agreements to require contracting parties to observe data protection legislation, such as the European Commission’s Standard Contractual Clauses. You may contact us as specified in the “How to Contact Us” section below to obtain a copy of these measures. We may also transfer Personal Data to countries for which the EU Commission has issued an adequacy decision.
We commit to comply with the European Commission’s Standard Contractual Clauses with respect to the Personal Data we receive and subsequently transfer. This Privacy Policy describes (i) the types of Personal Data we collect, (ii) the purposes for which we collect and use Personal Data, (iii) how we may share your Personal Data, and (iv) your rights and choices with regard to your Personal Data.
We take commercially reasonable steps to ensure that Personal Data is reliable, accurate, complete, and current for its intended purpose, primarily by accessing Public Records and Publicly Available Data from reputable sources only.

We may use third parties to process data on our behalf as described in this Privacy Policy, and we remain liable if they do so in a manner inconsistent with RDC’s data privacy practices, or other applicable data privacy laws, unless we prove that we are not responsible for the event giving rise to the damage.

If you believe we maintain your Personal Data, you may direct any of your inquiries or concerns concerning our Privacy Policy to, or using the contact details in the “How to Contact Us” section below. We commit to resolve complaints about our collection or use of your Personal Data. We will respond within 30 days. In the unlikely event that we fail to respond within 30 days, or if our response does not address your concern, we will undertake to refer the concern to our Data Protection Officer who will investigate the matter and communicate with you within 14 days.

This California Consumer Act Privacy Notice (“Notice”) applies to the Personal Information (“PI”) of California “Consumers” as defined by the California Consumer Privacy Act (“CCPA”).
A. PI We Collect
We collect the following categories of PI from the corresponding sources and for the corresponding purposes set forth in the table below. The below table also includes information as to categories of third parties with whom PI is shared, as discussed below in more detail in Section B.

| Category of PI | Source of PI | Business or Commercial Purposes for PI Collection | Categories of Third Parties with whom PI shared | Purposes of Third Parties Receiving Data |
|---|---|---|---|---|
| Identifiers, Personal Records, Consumer Characteristics, and Professional or Employment Information | Government databases, publicly-available news and information databases, customers, consumers | Legal and regulatory compliance including fraud detection and crime prevention | Service providers, channel partners, and customers, which are regulated businesses including financial service institutions | Service providers assist us in providing services; channel partners and customers use PI we provide to assist their customers in legal and regulatory compliance including fraud detection and crime prevention |
| Biometric Information | Government databases | Legal and regulatory compliance including fraud detection and crime prevention | Service providers, channel partners, and customers, which are regulated businesses including financial service institutions | Service providers assist us in providing services; channel partners and customers use PI we provide to assist their customers in legal and regulatory compliance including fraud detection and crime prevention |
| Inferences from PI Collected | Internal analytics | Legal and regulatory compliance including fraud detection and crime prevention | Channel partners and customers, which are regulated businesses including financial service institutions | Channel partners and customers use PI we provide to assist their customers in legal and regulatory compliance including fraud detection and crime prevention |


B. CCPA Privacy Rights
We provide California Consumers the privacy rights under the CCPA as described in this Section B. You have the right to exercise these rights via an authorized agent who meets the agency requirements of the CCPA and related regulations. As permitted by the CCPA, any request you submit to us is subject to an identification and residency verification process (“Verifiable Consumer Request”). We will not fulfill your CCPA request unless you have provided sufficient information for us to reasonably verify you are the California Consumer about whom we collected PI. Please follow the instructions at our Consumer Rights Request form here and respond to any follow-up inquiries we may make. Given the sensitive nature of the information we collect, and to maintain the integrity of our databases, we require a government-issued photo identification card to complete the verification process.

Some PI we maintain about California Consumers is not sufficiently associated with enough PI about the California Consumer for us to be able to verify that it is a particular California Consumer’s PI when a California Consumer request that requires verification pursuant to the CCPA’s verification standards is made (e.g., clickstream data tied only to a pseudonymous browser ID). As required by the CCPA we do not include that PI in response to those requests. If we cannot comply with a request, we will explain the reasons in our response. We will use PI provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose.

We will make commercially reasonable efforts to identify California Consumer PI that we collect, process, store, disclose, and otherwise use and to respond to your California Consumer privacy rights requests. In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest that you receive the most recent or a summary of your PI and give you the opportunity to elect whether you want the rest or not. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.

Consistent with the CCPA and our interest in the security of your PI, we will not deliver to you your social security number, driver’s license number or other government-issued ID number, financial account number, any health or medical identification number, an account password, or security questions or answers in response to a CCPA request. To make a request according to your rights to know or to request deletion of your PI set forth below, please follow the instructions on our Consumer Rights Request form here email, or call us at 1-888-585-5697 to submit your request. RDC will instruct you on additional information you will need to provide to fully respond to your request. For your specific pieces of information, as required by the CCPA, we will apply heightened verification standards, including by requiring you to provide a government-issued photo identification card.

Your California Consumer privacy rights are as follows:
a. The Right to Know

i. Information Rights

You have the right to send us a request, no more than twice in a twelve-month period, for any of the following for the period that is twelve months prior to the request date:

  • The categories of PI we have collected about you.
  • The categories of sources from which we collected your PI.
  • The business or commercial purposes for our collecting or selling your PI.
  • The categories of third parties to whom we have shared your PI.
  • The specific pieces of PI we have collected about you.
  • A list of the categories of PI disclosed for a business purpose in the prior 12 months, or that no disclosure occurred.
  • A list of the categories of PI sold about you in the prior 12 months, or that no sale occurred. If we sold your PI, we will explain:
    • The categories of your PI we have sold.
    • The categories of third parties to which we sold PI, by categories of PI sold for each third party.

Please note that PI is retained by us for various time periods, so we may not be able to fully respond to what might be relevant going back 12 months prior to the request.

ii. Obtaining Copies of PI
You have the right to make or obtain a transportable copy, no more than twice in a twelve-month period, of your PI that we have collected in the period that is 12 months prior to the request date and are maintaining.

Please note that PI is retained by us for various time periods, so we may not be able to fully respond to what might be relevant going back 12 months prior to the request.

b. Delete
Except to the extent we have a basis for retention under CCPA, you may request that we delete your PI that we have collected directly from you and are maintaining. Our retention rights include, without limitation, to complete transactions and service you have requested or that are reasonably anticipated, for security purposes, for legitimate internal business purposes, including maintaining business records, to comply with law, to exercise or defend legal claims, and to cooperate with law enforcement. Note also that we are not required to delete your PI that we did not collect directly from you.

c. Do Not Sell
We do not knowingly “sell” PI that we collect from you, in accordance with the definition of “sell” in the CCPA, and will treat PI we collect from you as subject to a do not sell request. There is not yet a consensus as to whether third party cookies and tracking devices associated with our websites and mobile apps may constitute a “sale” of your PI as defined by the CCPA. You can exercise control over browser-based cookies by adjusting the settings on your browser. We also list cookies and provide access to their privacy information and, if available, opt-out programs in the Cookie Policy. Further, you can learn more about your choices regarding certain kinds of online interest-based advertising here and here. We do not represent that these third-party tools, programs or statements are complete or accurate.

Under Nevada law, Nevada residents may opt out of the sale of certain “covered information” collected by operators of websites or online services. We currently do not sell covered information, as “sale” is defined by such law, and we don’t have plans to sell this information. However, if you would like to be notified if we decide in the future to sell personal information covered by the Act, please contact us

If you use an RDC website to apply to work with us, we will use the information you supply to consider and process your application and to monitor recruitment statistics.
We may process your Personal Data for the above purposes when:

  • you have given consent
  • processing is necessary for the performance of the employment contract or to take steps at your request prior to entering into the contract
  • processing is necessary for compliance with a legal obligation to which RDC is subject, and
  • processing is necessary for the purposes of the legitimate interests pursued by RDC or by a third party.

We will not typically process special categories of data such as health data, or criminal offence data (for the purposes of pre-employment vetting) without providing you with additional information and following our onboarding processes.

We may transfer your details outside of your home country and to other companies we work with. We ask others, including Hirebridge LLC, to help us recruit people. Hirebridge is based in Coral Springs, Florida, USA. You can find out more about Hirebridge and see their privacy policy here.

Personal information about unsuccessful candidates will be retained for up to 12 months after the recruitment exercise has been completed; it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but individuals should not be identifiable from that data. Once a person has taken up employment with us, we will compile a file relating to their employment. At that stage we will give more details about how we hold employee data and we will expect the employee to sign up to additional privacy terms as part of their employment.

See also ‘Personal Data We May Collect’, ‘How We Share Your Personal Data’, ‘Your Rights and Choices’, ‘How We Protect Your Personal Data’, ‘Data Transfers’ above.

You may choose to use certain features for which we partner with other entities, or click on links to other websites for your convenience and information. These features, which may include social networking sites or apps, such as LinkedIn and Twitter, may operate independently from RDC. They may have their own privacy notices or policies, which we strongly suggest you review. You can review LinkedIn’s privacy policy here. You can review Twitter’s privacy policy here. To the extent any features or linked websites you visit are not owned or operated by RDC, we are not responsible for the sites’ content, any use of the sites, or the privacy practices of the sites.

We may modify this Privacy Policy from time to time, and will post the most current version on our site and indicate at the bottom of the policy when it was most recently updated.

Privacy Policy: If you have any questions or comments regarding RDC’s Privacy Policy, please contact our Data Protection Officer. You can do this
1. via telephone at +1 888-585-5697 ; or
2. via email at; or
3. write to us at
Regulatory DataCorp, Inc.
211 S. Gulph Road #125
King of Prussia, PA 19406.

Regulatory Datacorp Limited is the entity responsible for the processing of Personal Information that is subject to EEA or Swiss data protection law, and whilst the UK remains in the EU shall be Regulatory DataCorp, Inc.’s EU representative for the purposes of the GDPR. Regulatory Datacorp Limited is registered in England & Wales with company registration number 08739364. You can write to Regulatory Datacorp Limited at:

6 Lloyd’s Avenue,
London EC3N 3AX
United Kingdom
Attn: Data Protection Officer

Last updated October 14, 2020