Privacy Policy

Last updated [date]

DRAFT — not for publication. Placeholders marked [like this] must be completed and the whole document reviewed by a data-protection lawyer before going live. Internal documents (Legitimate Interests Assessment, Appropriate Policy Document, ICO registration) are required separately for the intelligence processing described in §10.

1. Who we are

This website and the You.Grey service are operated by [Legal entity name] (“You.Grey”, “we”, “us”), a company registered in England & Wales under company number [Companies House no.], registered office [registered address]. We are registered with the UK Information Commissioner’s Office (ICO) under registration number [ICO registration no.]. We are the data controller for the personal data described in this policy.

2. Scope

This policy covers personal data we process about visitors to this website and our business customers and contacts. Our processing of intelligence data about individuals linked to suspected financial crime is summarised separately in §10.

3. What we collect

Contact & enquiry data — name, work email, company and anything you tell us when you request a demo or contact us.
Booking data — when you book a call, scheduling data processed via our scheduling provider (Cal.com).
Usage & device data — basic analytics and cookie data (see §6).

4. How we use it & our lawful basis

Respond to enquiries and run demos — legitimate interests / steps prior to a contract.
Provide and administer the service to customers — contract.
Security, fraud prevention and service improvement — legitimate interests.
Non-essential cookies and any marketing — consent.

5. Who we share it with

We use trusted service providers acting as our processors — including hosting [hosting provider], scheduling (Cal.com) and email [email provider]. We do not sell website-visitor or customer contact data. We may disclose data where required by law.

6. Cookies

We use essential cookies to run the site[, and — if enabled — privacy-friendly analytics]. You can control non-essential cookies via [cookie banner / your browser].

7. International transfers

Where personal data is transferred outside the UK/EEA, we rely on appropriate safeguards — [UK IDTA / EU SCCs + UK Addendum].

8. Retention

We keep website and customer data only as long as needed for the purposes above — typically [retention period] — then delete or anonymise it.

9. Your rights

Subject to law, you have the right to access, rectify, erase, restrict or object to processing, to data portability, and to withdraw consent. To exercise these, contact [privacy@…]. You may also complain to the ICO (ico.org.uk).

10. Intelligence data (individuals linked to suspected financial crime)

Separately from the above, we process limited personal data about individuals connected to suspected money-mule, scam and grey-banking activity (for example a name associated with a payment account) in order to provide fraud-intelligence to regulated financial institutions.

We process this data on the basis of legitimate interests — our own and our customers’ interest in the prevention and detection of fraud and financial crime (UK GDPR Article 6(1)(f); Recital 47). Where the data relates to suspected criminal conduct, we also rely on the relevant condition for processing criminal-offence data under the Data Protection Act 2018 and maintain the required policy document.

Data-subject rights apply, but may be restricted to the extent that complying would be likely to prejudice the prevention, investigation or detection of crime (DPA 2018 crime-and-taxation exemption), assessed case by case. Requests relating to this data should be sent to [privacy@…].

11. Changes & contact

We may update this policy; material changes will be posted here. Questions or requests: [privacy@…][ / Data Protection Officer: name].