Privacy Notice


Protecting your privacy is a fundamental component of our service. We have been committed to maintaining the confidentiality, integrity and security of Personal Information entrusted to us by you.

Article 5 of the GDPR states that Personal Data must be processed lawfully, fairly and in a transparent manner. This Privacy Notice explains why and how we collect, process and destroy your data. Please read the following carefully to understand our views and practices and do not hesitate to reach out if you have any questions. After Brexit, Leo is subject to two regulatory regimes: that of the UK and that of the EEA. The UK GDPR applies when we process Personal Data of individuals in the UK and the GDPR applies when we process Personal Data of individuals in Europe. This document refers to both pieces of regulation to reassure our UK and EEA users. To clarify, the UK GDPR means the GDPR in the form which was applicable in the EEA on 31 December 2020, the last day of the Brexit transition period.

For purposes of this Privacy Notice, the following terms will be defined as follows:

“Personal Data” or “Personal Information” means any information about an individual from which that person can be identified. Personal Data and/or Personal Information does not include data where the identity has been removed (i.e., anonymous data).

“Special Categories” means more sensitive personal data which require a higher level of protection, such as information about a person’s health, sexual orientation, political views etc. For the full list please refer to Article 9 of the GDPR and UK GDPR.

“Data Subject” refers to any individual person who can be identified, directly or indirectly, via an identifier such as name, ID number or location data.

Identity of the Firm

Leo RegTech Limited is registered at 11 Old Jewry, EC2R 8DU with company number 04829021 (“Leo”).

If you are Leo’s employee, vendor or client, for the purposes of the regulations we are the data controller, which means that we determine the means and purposes of processing your Personal Data.

If you are a user of the Leo app, we are a data processor, processing your Personal Information on the written instruction of a data controller, i.e. Leo’s direct client.

What types of Personal Data do we collect, for what purpose and on what lawful basis?

Please refer to the table in Schedule 1 below.

Data inquiries and updates

If you want to review, change or update the Personal Information that you have provided to us; request that you be removed from a mailing list; or address any other privacy concerns you may have, please contact us at [email protected]

Who we share our information with

We will not share Personal Information about you with third parties unless we are required to do so by law or if we use well established and trusted cloud services providers.

The service providers that we share your personal data with are:

  • Cloud service provider with servers in the EEA
  • IT Infrastructure: US company with servers in the EEA
  • IT Support including backups: a UK company with servers in the UK
  • Analytics provider: US company which anonymises data in the UK, prior to processing it in the UK
  • Client Relationship Management Software (CRM): US company with servers in the EEA
  • Accountancy Advisor: UK company
  • Telephone system provider: UK company
  • Project Management tool for client servicing: US company with servers in the US
  • ID Verification: UK company with servers in the EEA
  • AML Background checks: Dutch company with servers in the EEA

International transfer outside the EEA

Leo does not transfer your Personal Information outside of the European Economic Area (EEA). If a need for international transfer arises, we will ensure that it is a permitted transfer, including: performance of a contract between Leo and the Data Subject, reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving consent and, in some limited cases, for our legitimate interest in the case of non-repetitive transfers.

We will always ensure that appropriate safeguards accompany all transfers.


We will keep your Personal Data for no longer than reasonably necessary, for reasons of legal obligation or legitimate business interest.

Personal data within our CRM system is stored indefinitely for the reason of legitimate interest of Leo business advancement; it is stored securely and with limited employee access.

Personal data of our clients or service providers, in relation to which we act as controller, is stored for seven years from the client’s contract termination to meet the deadlines within the civil statute of limitations.

Personal data of our clients, in relation to which we act as data processor, is stored for 6 months from the date of the departure of the client.

Your rights and your Personal Data

You have a right:

RIGHT OF ACCESS: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed.

RIGHT TO RECTIFICATION: You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

RIGHT OF ERASURE: You have the right to ask us to erase your personal information if we no longer need your data for the original reason the data was collected for, or if you are withdrawing your consent if the processing relied on your consent as legal basis, or we process your data unlawfully, or we have a legal obligation to erase the data or the data was collected from you as a child.

RIGHT TO RESTRICTION OF PROCESSING: You have the right to ask us to restrict the processing of your information to temporarily limit the use of your data when we are considering:

  • a challenge you have made to the accuracy of your data, or
  • an objection you have made to the use of your data.

You may also ask us to limit the use of your data rather than delete it if:

  • we processed your data unlawfully but you do not want it deleted, or
  • we no longer need your data but you want the organisation to keep it in order to create, exercise or defend legal claims. 

RIGHT TO OBJECT TO PROCESSING: you have the right to object to processing if we process your information:

  • for a task carried out in the public interest;
  • for the exercise of official authority;
  • for our legitimate interests;
  • for scientific or historical research, or statistical purposes; or
  • for direct marketing purposes.

Note that we may not need to stop the processing if we can give strong and legitimate reasons to continue using your data.

RIGHT TO DATA PORTABILITY: This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into, a contract and the processing is automated.

RIGHT TO LODGE A COMPLAINT: You have the right to lodge a complaint with the Information Commissioner’s Office (the UK Supervisory Authority) or your local data protection regulator if you are in the EEA.

You can contact the Information Commissioner’s Office on 0303 123 1113 or via email or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Please note that Leo does not conduct automated individual decision making about you.

If we rely on consent in processing of your information, you can withdraw it at any time.

To exercise any of the above rights please contact us at [email protected]

Further Processing

Where we may seek to further process your data other than for the original purpose for which it was collected, Leo will only further process such data where the new processing is compatible with the original purpose or if personal data is anonymised and cannot be reidentified.

Safeguarding measures

Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorized purposes) of the Personal Data.

Leo has put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties on a ‘need to know’ basis. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality.

Leo will only transfer Personal Data to a third party if they agree to comply with those procedures and policies, or put in place adequate measures prior to receiving it.

We have put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Special Categories of Data

We may, in certain cases and only as permitted by law, control and process Personal Data which are more sensitive in nature – for example, when making available to you Leo’s modules providing for: a Know Your Client / Anti-Money Laundering check or client/vendor onboarding. These modules may also store information on past criminal convictions.

Legitimate Interests

When we process your Personal Data on the legal basis of legitimate interest, we have carried out a Legitimate Interests Assessment (LIA) to ensure that we have weighed your interests and any risk posed to you against our own and that such interests are proportionate and appropriate, such as for the purposes of HR, marketing and day-to-day operations.


When sending marketing materials to customers, we may have the option to rely on your consent or legitimate interest.

We only use legitimate interests for marketing if we have assessed that the information being sent is beneficial to the customer, and have weighed our interests against your own and there is little to no risk posed, the method and content is non-intrusive, and the material being sent is something you would usually expect to receive.

Our customer relations management system notifies us when you open an email sent by us and when you click a link inside so that we can build meaningful connections with you. If you do not want to share this information with us, please go to any email communication from Leo and hit ‘Unsubscribe’ at the bottom of the email.

Cookies, analytics and traffic data

Cookies are small text files which are transferred from this website and stored on your device. We use cookies to help us provide you with a personalised service, and to help make our website, applications and services better for you.

We provide the following information with some explanations to ensure transparency to our users:

  • what types of cookies are set;
  • how long they persist on your browser;
  • what data they track;
  • for what purpose (functionality, performance, statistics, marketing, etc.);
  • where the data is sent and with whom it is shared;
  • how to reject cookies, and how to subsequently change the status regarding the cookies.

Should you wish to change your preferences regarding cookies, please click the icon in the bottom left corner of the website.

Changes to our Privacy Policy

Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by email.


What types of Personal Data do we collect, for what purpose and on what lawful basis?

| Purpose | Types of Personal Data | Lawful basis |
| --- | --- | --- |
| Marketing | Name, email address, direct phone numbers, associate company, IP addresses | Legitimate interest: advancement of Leo’s business by targeting well researched audience who would benefit from the services offered |
| Client relations | Name, email address, direct phone numbers, associate company names based on legitimate interests, IP addresses, marriage status, interests, content of emails | Legitimate interest: Communication with and client relationship management proportionate to the services provided |
| Credit control | Name, email, residential address, outcome of credit control | Legitimate interest: Contracting with creditworthy businesses not to expose Leo to credit risks |
| Recruitment | Name, residential address, contact details, interview notes, CV contents, salary expectations, D.O.B., nationality, mother’s maiden name | Legitimate interest: Talent acquisition and management of the recruitment process in relation to individuals interested in working with Leo |
| Invoicing | Name and contact details at an associated company | Legitimate interest: Charging fees, including final invoices after the contract termination |
| Provision of Leo’s services | Log in details, name, contact number, roles and names, email addresses, phone numbers, addresses associated with the BCP; name, previous names, position within firm, other directorships, reference number for FCA, email address, NIN, home address, history of residential addresses, certified copies of: passport, proof of address; CV; criminal proceedings information; civil proceedings information; other relevant matters; disciplinary matters; potential complaints against person; potential disqualification or reprimand by the FCA or other regulatory body; nationality, shareholding, country of residence; names, address, PEP status of PSCs and client complaints; training records | Legitimate interest: Processing of personal data necessary for the provision of the services, including post contract termination but according to contractual provisions |
| Prospecting | Name, email address, direct phone numbers, associate company names based on legitimate interests, IP addresses, marriage status, interests | Legitimate interest: advancement of Leo’s business by targeting well researched audience who would benefit from the services offered and entering into prospecting processes with individuals interested in Leo services |
| Third party management | Name, contact details, associated company | Legitimate interest: Management of Leo’s business relationships with third parties like suppliers and strategic partners |
| Meeting HMRC requirements | Name and associated accounting data | Legal obligation |
| ID Verification Service | Name, photograph of the face, nationality, passport number | We act here as data processor and therefore we conduct the processing upon your instructions if you purchased the service |
| AML Background Checks | Name and publicly available data associated with the search | We act as data processor and therefore we conduct the processing upon your instructions if you purchased the service. |