Privacy Policy
First Line Done Ltd · Effective date: 28 February 2026 · Terms of Service
1. Who We Are and Our Role
First Line Done Ltd, [Registered Address], United Kingdom is the data controller for personal data relating to our customers (institutional accounts), their authorised users, and marketing website visitors.
Dual-role clarification: FLD acts in two distinct roles under UK GDPR:
- Data Controller — for account holders, billing contacts, authorised users, and marketing contacts.
- Data Processor — for personal data that customer institutions upload to the platform as part of their compliance workflows (e.g., KYC records, entity data, UBO structures, transaction subjects). In this capacity, we act strictly on the customer institution's documented instructions as set out in the Data Processing Addendum (DPA).
The institution is the data controller for all compliance workflow data it processes through our platform. If you are an individual whose data has been submitted to FLD by a financial institution for compliance purposes, you should contact that institution directly as the data controller. We will forward any requests we receive to the appropriate institution as required by law.
2. Personal Data We Collect
2.1 Account and Billing Data (as Controller)
| Category | Data Points | Purpose |
|---|---|---|
| Identity | Full name, job title, organisation name | Account creation, user access management |
| Contact | Business email address, phone number | Account management, notifications, support |
| Authentication | Hashed password, MFA secrets (encrypted at rest), session tokens | Secure login and identity verification |
| Billing | Billing email, VAT number, subscription tier, invoice history (card details held by Stripe) | Payment processing, invoicing |
| Usage & Logs | IP address, browser type, pages visited, API calls, action timestamps | Security, audit trail, service improvement |
| Support | Communications and attachments submitted via support channels | Resolving support queries |
2.2 Compliance Workflow Data (as Processor)
When customer institutions use the platform's compliance features, they may upload or generate the following categories of personal data on behalf of their own customers or subjects. We process this strictly as a data processor:
- KYC / Entity Data: names, dates of birth, nationalities, addresses, identification documents (passport, driving licence), biometric data where provided, tax identification numbers.
- Ultimate Beneficial Owner (UBO) Data: ownership percentages, director and shareholder details, corporate structure graphs.
- Transaction Data: counterparty names, amounts, currencies, account references, transaction timestamps and narrative details.
- Sanctions & Adverse Media Screening Data: names, aliases, nationalities, dates of birth used as screening inputs; screening outputs and match rationale.
- SAR/STR Data: subject identities, account details, suspicious activity descriptions, evidence files, narrative summaries.
- Due Diligence Cases: case notes, risk ratings, supporting documentation, and workflow decisions.
- Customer Communication Records: names, email addresses, requested document metadata, response statuses.
- Special Category Data: institutions may occasionally upload data that constitutes special category data (e.g., criminal conviction data relevant to AML investigations). This is processed only under the lawful basis of substantial public interest (Schedule 1, Part 2, UK GDPR) and only to the extent instructed by the institution.
2.3 Marketing Website Data
- Enquiry form submissions (name, email, message).
- Cookie and analytics data (see clause 12).
- Email marketing preferences for newsletter subscribers.
3. How We Collect Personal Data
- Directly from you — when you register an account, complete a contact form, subscribe to updates, or communicate with us.
- Automatically — through log files, cookies, and analytics tools when you use our platform or marketing site.
- From third parties — authentication data from Google OAuth (if used); payment data from Stripe; information from public registries (Companies House UK, ACRA Singapore, CAC Nigeria, etc.) where we are instructed by a customer institution to retrieve corporate data.
- Via customer upload — when customer institutions import data into the platform for compliance processing.
4. Legal Bases for Processing
We rely on the following lawful bases under UK GDPR Article 6 (and Article 9 for special category data):
| Processing Activity | Lawful Basis |
|---|---|
| Providing the Service to account holders | Contract Art. 6(1)(b) — necessary for performance of contract |
| Billing and payment processing | Contract Art. 6(1)(b) |
| Security monitoring and audit logging | Legitimate Interests Art. 6(1)(f) — securing the platform and preventing fraud |
| Marketing emails to existing customers | Legitimate Interests Art. 6(1)(f) — soft opt-in under PECR |
| Marketing to new prospects | Consent Art. 6(1)(a) — explicit opt-in |
| Legal and regulatory obligations (e.g., tax records, responding to lawful requests) | Legal Obligation Art. 6(1)(c) |
| Processing compliance workflow data on behalf of institutions (as processor) | Contract — pursuant to the DPA; lawful basis determined by the institution as controller |
| Special category / criminal offence data in compliance workflows | Substantial Public Interest UK GDPR Art. 9(2)(g) — Schedule 1 Part 2 DPA 2018 (AML/financial crime prevention) |
5. How We Use Personal Data
We use personal data to:
- Create, manage, and support your account and user access.
- Process subscription payments and issue invoices.
- Send transactional emails (account notifications, security alerts, password resets) via Resend.
- Provide customer support and respond to enquiries.
- Monitor the platform for security threats, abuse, and performance issues.
- Comply with our own legal and regulatory obligations.
- Improve the platform using anonymised, aggregated usage analytics.
- Send product updates and marketing communications (with opt-out on every email).
- Operate the AI features of the Service (e.g., SAR narrative generation, adverse media screening) using data you provide, within the constraints of our Sub-Processor agreements.
6. Sub-Processors and Third-Party Sharing
We share personal data with the following categories of trusted sub-processors. All sub-processors are contractually bound to process data only as instructed, maintain appropriate security, and comply with UK GDPR / GDPR:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Cloud infrastructure, database hosting (Cloud SQL), caching (Memorystore), file storage, secret management | UK (europe-west2) |
| Stripe | Payment processing, subscription management, Customer Portal | USA (SCCs / Adequacy) |
| Resend | Transactional email delivery (account, security, notification emails) | USA (SCCs) |
| OpenAI / Anthropic / Google Gemini | AI-assisted SAR narrative generation, adverse media summarisation, compliance recommendations. Only anonymised or pseudonymised extracts are sent where possible. | USA (SCCs) |
| LSEG / World-Check | Enhanced screening against commercial PEP, sanctions, and adverse media databases (Enterprise plan only) | UK / EU |
| Companies House (UK) | Public company registry lookups for UBO discovery and entity verification | UK |
| OFAC / HM Treasury (Gov APIs) | Automated sanctions list downloads and screening | USA / UK (public APIs) |
| Tavily | Adverse media web search for entity screening | USA (SCCs) |
| Amazon Web Services (S3) | Document and evidence file storage (where configured) | EU / UK (configurable) |
We do not sell, rent, or trade personal data to any third party for their own commercial purposes.
We may also disclose personal data: (a) where required by law, court order, or regulatory authority (e.g., FCA, NCA); (b) to professional advisors bound by confidentiality; or (c) to successors in a merger, acquisition, or asset sale (subject to equivalent privacy protections).
7. International Data Transfers
Our primary infrastructure is hosted in the United Kingdom. Some sub-processors are based in the United States or other third countries. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place under UK GDPR Chapter V, specifically:
- Adequacy decisions — for transfers to countries recognised by the UK as providing adequate protection.
- International Data Transfer Agreements (IDTAs) — the UK's equivalent of EU Standard Contractual Clauses, incorporated into sub-processor agreements where required.
- EU Standard Contractual Clauses (SCCs) — where these remain operative and provide comparable protection.
Enterprise customers may request data residency in a specific GCP region. Please contact us at privacy@firstlinedone.com.
8. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account and user data (active subscription) | Duration of subscription + 30 days post-termination | Contract performance |
| Billing records | 7 years | UK tax law (HMRC) |
| Audit logs (platform activity) | Indefinitely (or as agreed in Enterprise SLA) | Regulatory audit requirements |
| Compliance workflow data (active) | 7 years from last activity on the record | POCA 2002, MLR 2017 (5-year minimum + buffer) |
| Archived compliance records | 3 years in archive tier after moving from active | Regulatory obligation |
| SAR/STR records | 5 years minimum from filing date (UK: POCA 2002 s.338; US: 31 CFR § 1020.320) | Legal obligation |
| Marketing contacts (opted in) | Until opt-out or 3 years of inactivity | Consent / legitimate interests |
| Support correspondence | 3 years | Legitimate interests |
After applicable retention periods, data is securely deleted or anonymised using methods consistent with NIST SP 800-88 guidance. Deletion from backups may take up to 90 days due to backup cycle overlaps.
9. Data Security
We implement technical and organisational measures appropriate to the risk, including:
- Encryption in transit: TLS 1.2+ on all connections; HTTPS enforced platform-wide.
- Encryption at rest: Google Cloud's AES-256 encryption for database, storage, and backups; application-level encryption for MFA secrets and API keys.
- Access controls: Role-based access control with five permission levels; principle of least privilege for FLD engineering staff; MFA required for all internal systems.
- Tenant isolation: Row-level security enforced in the application layer; each institution's data is strictly isolated — no cross-tenant data access is possible.
- Audit logging: All data access, modifications, and deletions are logged with user identity, IP address, and timestamp.
- Vulnerability management: Regular dependency audits, penetration testing, and responsible disclosure policy.
- Incident response: Documented breach response procedure with regulatory notification within 72 hours of becoming aware of a notifiable breach (UK GDPR Art. 33).
- Secrets management: API keys and credentials stored in Google Cloud Secret Manager, never in code or logs.
To report a security vulnerability, please contact security@firstlinedone.com.
10. Your Rights Under UK GDPR
If we are acting as a data controller for your personal data, you have the following rights under the UK General Data Protection Regulation and the Data Protection Act 2018:
| Right | What This Means |
|---|---|
| Access | Request a copy of the personal data we hold about you (Subject Access Request — SAR). |
| Rectification | Ask us to correct inaccurate or incomplete personal data. |
| Erasure | Request deletion of your personal data where there is no lawful reason to continue processing it. |
| Restriction | Ask us to suspend processing of your data in certain circumstances. |
| Portability | Receive your personal data in a structured, machine-readable format (where processing is automated and based on consent or contract). |
| Objection | Object to processing based on legitimate interests or for direct marketing purposes. |
| Withdraw Consent | Withdraw consent at any time where processing is consent-based, without affecting the lawfulness of prior processing. |
| Automated Decision-Making | Not to be subject to solely automated decisions that produce legal or similarly significant effects, without human review. |
Note on AI-assisted decisions: The platform uses AI to generate risk scores, screening matches, and SAR narratives. These outputs are always presented as decision-support recommendations and are subject to human review by the customer institution's compliance team before any action is taken. No solely automated decisions with legal effect are made through the Service.
To exercise any of these rights, email us at privacy@firstlinedone.com. We will respond within one calendar month. Requests are free of charge; we may charge a reasonable fee or decline manifestly unfounded or excessive requests.
You also have the right to lodge a complaint with the UK's data protection supervisory authority, the Information Commissioner's Office (ICO): ico.org.uk / 0303 123 1113. We would, however, appreciate the opportunity to address your concern before you contact the ICO.
11. Data Processing Addendum (DPA)
Where FLD processes personal data on behalf of a customer institution (as data processor), the following key terms apply in addition to the main Terms of Service:
11.1 Processor Obligations
FLD will:
- Process personal data only on documented instructions from the institution (as set out in the Terms of Service and this DPA).
- Ensure persons authorised to process data are bound by appropriate confidentiality obligations.
- Implement technical and organisational security measures as described in clause 9.
- Not engage sub-processors without prior written notice to the institution (customer institutions can subscribe to sub-processor change notifications at privacy@firstlinedone.com).
- Assist the institution in responding to data subject requests, security breach notifications, and data protection impact assessments.
- Delete or return all personal data at the end of the service relationship, per clause 8.
- Make available to the institution all information necessary to demonstrate compliance with UK GDPR Article 28 obligations.
11.2 Controller Obligations
The institution confirms that: (a) it has a valid lawful basis for processing personal data uploaded to the Service; (b) it has provided all required notices to data subjects; (c) it will not instruct FLD to process data in a way that would breach applicable data protection law; and (d) it accepts responsibility for the accuracy and legality of Customer Data.
11.3 Breach Notification
FLD will notify the institution without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach affecting Customer Data. Notifications will be sent to the registered account email address.
12. Cookies and Tracking Technologies
12.1 Marketing website (firstlinedone.com)
We use the following cookies on our marketing website:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| session | Strictly necessary | Maintains login session | Session |
| csrf_token | Strictly necessary | CSRF protection | Session |
| _ga, _gid | Analytics (with consent) | Usage analytics (Google Analytics) | 2 years / 24 hours |
Strictly necessary cookies do not require consent. Analytics cookies are set only with your consent. You can manage cookie preferences via the consent banner on first visit or by adjusting your browser settings.
12.2 Application (app.firstlinedone.com)
The application uses HTTP-only session cookies and CSRF tokens strictly necessary for authentication and security. No third-party tracking or advertising cookies are set in the application.
13. Children
The Service is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data without parental consent, we will delete it promptly.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in the law, our data practices, or the Services we offer. We will notify registered customers of material changes by email at least 30 days in advance. The "Effective date" at the top of this page will always show when the policy was last updated. Continued use of the Service after the effective date constitutes acknowledgment of the updated policy.
15. Contact and Data Protection Officer
For general privacy queries, data subject rights requests, or sub-processor enquiries:
Privacy Team
First Line Done Ltd
First Line Done Ltd, [Registered Address], United Kingdom
Email: privacy@firstlinedone.com
For data protection compliance matters and DPA-related enquiries:
Data Protection Officer
Email: dpo@firstlinedone.com
You may also contact the Information Commissioner's Office (ICO) at ico.org.uk if you have unresolved concerns about how we handle your personal data.