Privacy Policy
How Sophia KYC handles personal information collected through this website.
1. Scope of this policy
This policy explains how Sophia KYC handles personal information collected through sophiakyc.com and any subdomains we operate (together, "this site").
This site is a marketing and information resource. It is not the Sophia KYC product. Personal information processed by the Sophia KYC platform when deployed at a customer is governed by a separate Data Processing Agreement (DPA) with that customer — Sophia acts as a processor in that context, not a controller. This policy applies only to information collected via this site.
2. Who we are
For the purposes of UK and EU data protection law, the data controller for this site is:
- Legal entity: [REGISTERED COMPANY NAME, e.g. Sophia KYC Ltd]
- Companies House number: [NUMBER]
- Registered office: [REGISTERED OFFICE ADDRESS]
- ICO registration: [ICO REGISTRATION NUMBER, if applicable]
- Privacy contact: info@sophiakyc.com
We have not appointed a statutory Data Protection Officer; given our scale and the nature of processing on this site, one is not currently required. [UPDATE IF DPO APPOINTED]
3. What we collect
Information you provide directly
When you submit the contact form on this site, email info@sophiakyc.com, or otherwise reach out about Sophia KYC, we collect the information you choose to share with us. This usually includes name, work email, organisation, country, the contents of the message, and the context you provide (client segment, area of interest). If you proceed to a pilot conversation, we may also collect business-context information you choose to share (current onboarding stack, regulatory timeline, etc.).
Information collected automatically
When you visit this site, our hosting provider (Cloudflare Pages) automatically processes standard server logs, including IP address, user agent, referrer, and the pages you request. These logs are used for security and operational purposes and are retained for a short period in line with the hosting provider's defaults.
We [CONFIRM: do / do not] use a third-party analytics tool. [IF YES: list tool, e.g. Plausible, Fathom, Google Analytics — and link to its policy]
What we do not collect
This site does not require you to create an account. We do not collect identity documents, government IDs, biometric data, or any of the verification artefacts that the Sophia KYC product processes for customers in production. None of that processing takes place here.
4. How we use it
- To respond to enquiries you send us.
- To organise pilot conversations, evaluations, and follow-up correspondence.
- To operate, secure, and improve this site.
- To send occasional updates if you have specifically asked to receive them (we do not run a marketing newsletter; any such contact is on direct request).
- To comply with our legal obligations.
We do not sell your information. We do not use it for automated decision-making or profiling.
5. Lawful bases (UK GDPR)
We rely on the following lawful bases under UK GDPR Article 6:
- Legitimate interests — to respond to a business enquiry you've initiated, and to operate and secure this site. We have considered your interests and rights and believe our use is proportionate to the context (B2B outreach you have started).
- Consent — for any optional analytics or cookies that require it. You can withdraw consent at any time.
- Contractual necessity — once a pilot scoping agreement is in place, to perform under it.
- Legal obligation — to comply with applicable record-keeping, tax, or regulatory requirements.
7. Data retention
We keep correspondence for as long as is reasonably necessary to respond, evaluate any resulting business relationship, and meet our record-keeping obligations. As a guide:
- General enquiries with no follow-up: up to 24 months, then deleted.
- Pilot scoping correspondence: for the duration of the engagement plus 6 years (UK statutory retention).
- Server logs: per hosting provider defaults, typically 30 days or less.
8. Your rights
Under UK and EU data protection law you have the right to:
- Access the personal information we hold about you.
- Have inaccurate information corrected.
- Have your information erased, where the lawful basis no longer applies.
- Restrict or object to our processing of your information.
- Receive a portable copy of information you provided to us.
- Withdraw any consent you previously gave.
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) — though we'd appreciate the chance to address your concern first.
To exercise any of these rights, email info@sophiakyc.com. We will respond within one month.
9. International transfers
Our service providers may process information outside the United Kingdom or European Economic Area, including in the United States. Where this occurs, we rely on:
- UK and EU adequacy decisions where they exist; or
- Standard Contractual Clauses (with the UK Addendum) supplemented by reasonable technical and organisational safeguards.
11. Security
We apply reasonable technical and organisational measures to protect information against loss, misuse, and unauthorised access. These include limiting access on a need-to-know basis, encryption in transit (TLS) on all pages, and contractual safeguards with our service providers.
No system is impregnable. If we ever become aware of a security incident affecting your personal information, we will notify you and the ICO in accordance with our legal obligations.
12. Changes to this policy
We may update this policy from time to time. The "last updated" date at the top of the page reflects the most recent revision. For material changes — for instance, the introduction of analytics tools or new categories of processing — we will surface a notice on this site and, where appropriate, contact you directly.
13. Contact
For any privacy-related question, please contact:
- Email: info@sophiakyc.com
- Postal: [REGISTERED OFFICE ADDRESS]