1. Overview
This Privacy Policy explains how personal data is handled in connection with Complywhistle (the “Service”), a compliance dashboard provided by AXIOMA (Axioma Corporate Services VBA) (“AXIOMA”, “we”, “us”).
2. Roles and responsibilities
Complywhistle is used by business customers (the “Client”) to perform identity verification, document verification, and AML/sanctions/PEP screening.
Client as controller
The Client is the data controller for personal data submitted to the Service. This means the Client determines the purposes and means of processing (why and how personal data is processed) and is responsible for providing required privacy notices and ensuring a lawful basis for processing.
AXIOMA as sub-processor
AXIOMA acts as a sub-processor (a service provider) to facilitate access to and administration of the dashboard and to support the Client’s use of the Service. AXIOMA processes personal data only on documented instructions of the Client and/or the primary service provider used for verifications/screenings (as applicable), and only to provide and support the Service.
Third-party verification provider
The Service integrates third-party verification and screening services provided by Shufti Pro. Shufti Pro generates the verification and screening outputs displayed in the Service.
3. What personal data may be processed
Depending on the verification/screening performed and the data submitted by the Client, personal data may include:
Identity and document data
Full name, date of birth, nationality; ID/passport numbers, document issue/expiry dates; document images and related verification reference data.
Biometric/liveness data (where enabled by the Client)
Selfie images and liveness signals used to confirm authenticity.
AML screening data
Screening inputs and screening results/flags as returned by Shufti Pro (including sanctions/PEP-related indicators).
Account and audit data
Username and user access records; audit trail entries, timestamps, and activity logs.
Technical data
IP address, device/browser information, session and security logs.
4. Purposes of processing
Personal data is processed to provide, operate, and administer access to the Service for the Client; enable initiation of verifications/screenings and display of results; maintain audit logs and traceability for compliance recordkeeping; provide support and troubleshoot technical issues; and protect the security and integrity of the Service (fraud prevention, access control, incident detection).
AXIOMA does not use verification/screening data submitted by the Client for advertising or analytics purposes.
5. Lawful basis
Because the Client is the controller, the Client is responsible for establishing a valid lawful basis for processing personal data (for example, legal obligations under AML/CFT requirements and/or legitimate interests, and where applicable consent). AXIOMA, as sub-processor, processes personal data on the Client’s instructions to provide the Service and for security and operational purposes necessary to deliver the Service.
6. Data sharing
Personal data may be shared with Shufti Pro to perform verification and screening and return results to the Service; hosting and infrastructure providers supporting operation of the Service; security and support providers assisting with platform reliability and protection; professional advisers (legal/accounting) where necessary; and competent authorities where required by law, court order, or to protect rights and security. AXIOMA does not sell personal data.
7. Hosting and international transfers
Data processed through the Service is hosted within Europe in a data center environment designed for GDPR alignment and supported by ISO 27001-aligned information security controls. Where transfers outside Europe would occur through third-party providers, AXIOMA and/or the relevant provider will seek to apply appropriate safeguards consistent with applicable requirements. The Client may request additional details via AXIOMA.
8. Data retention
The Service is configured to retain verification and screening records for ten (10) years, unless a longer retention period is required by applicable law or the Client’s internal policies, or the Client provides documented instructions to retain for longer (where feasible). Platform access logs and security records may be retained for reasonable periods necessary for security, dispute resolution, and service integrity.
9. Security
AXIOMA maintains reasonable technical and organizational measures to protect personal data against unauthorized access, loss, misuse, alteration, and disclosure. Clients are responsible for maintaining appropriate user access controls and role-based access, keeping credentials confidential and secure, and promptly notifying AXIOMA of suspected account compromise or security incidents. No system is completely secure; security risk cannot be eliminated.
10. Data subject rights
If you are an individual whose personal data is processed through a Client’s use of the Service, you should direct requests (access, correction, deletion, restriction, objection, portability where applicable) to the relevant Client, as the controller. AXIOMA will support the Client (and, where applicable, the primary verification provider) in responding to rights requests to the extent required and technically feasible.
11. Cookies and analytics
Complywhistle does not use cookies for advertising or analytics (for example, Google Analytics or tracking pixels). Essential technical mechanisms necessary for login/session security may be used where required for the Service to function, but no analytics profiling is performed by AXIOMA.
12. Children
The Service is not intended for use by children. Clients should not submit personal data of minors unless permitted and justified under applicable law and the Client’s compliance obligations.
13. Changes to this policy
We may update this Privacy Policy from time to time. The updated version will be posted and the “Last updated” date will be revised accordingly.
14. Contact
For privacy questions related to the Service, contact AXIOMA through the contact details provided in your onboarding documentation or support channel.