Privacy Policy

Your privacy is important to us. This policy explains how we collect, use, and protect your personal data.

Effective Date: October 28, 2025

Version: 1.0.0

1. Introduction

Welcome to iTrack, an AML/CTF/CPF risk assessment platform operated by Comsure Technology Limited (“we”, “us”, or “our”). We are committed to protecting your personal data and respecting your privacy.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service. It applies to all users of the iTrack platform, including account administrators, end users, and visitors to our website.

This policy is designed to comply with the Data Protection (Jersey) Law 2018 and reflects principles consistent with the UK General Data Protection Regulation (UK GDPR) and other applicable data protection laws.

Important Note:

When you use iTrack to process your clients' data for AML/CTF/CPF assessments, you act as the data controller and we act as the data processor. This Privacy Policy focuses on our processing of your personal data as a user of our Service. For details on how we process your clients' data on your behalf, please refer to our Terms of Service, particularly Section 4.

2. Data Controller Information

For the purposes of data protection law, the data controller for your personal data is:

Comsure Technology Limited

Registration Number: 104136

Registered Office: Tower House, La Route Es Nouaux, St Helier, Jersey JE2 4ZJ

Business Address: No 1 Bond Street Chambers, St Helier, Jersey, Channel Islands, JE2 3NP

Email: info@itrackaml.com

Phone: +44 (0) 1534 626841

3. What Data We Collect

We collect and process the following categories of personal data:

3.1. Account and Identity Data

  • Full name
  • Email address
  • Phone number
  • Company/organisation name
  • Job title
  • Business address
  • Account credentials (encrypted passwords)

3.2. Usage and Technical Data

  • IP address
  • Browser type and version
  • Device type and operating system
  • Time zone setting and location
  • Login dates and times
  • Pages viewed and navigation paths
  • Features used and actions taken within the Service
  • Session duration and frequency of use

3.3. Communication Data

  • Support requests and correspondence
  • Feedback and survey responses
  • Meeting notes and recordings (with consent)
  • Email communications with our team

3.4. Payment and Billing Data

  • Billing address
  • Card Payments: Payment method information (processed by Stripe; we do not store full card details)
  • Bank Transfers: Payee information, transaction date, proof of payment, and payment reference
  • Transaction history
  • Invoice records

3.5. Client Data (Processed on Your Behalf)

When you use iTrack to conduct AML/CTF/CPF risk assessments, you input data about your clients. This may include:

  • Client names and contact details
  • Financial information
  • Identification documents
  • Risk assessment data and scores
  • Transaction monitoring data

Important: For this Client Data, you are the data controller and we are the data processor. We process this data solely on your instructions as set out in our Terms of Service.

5. How We Use Your Data

We use your personal data for the following purposes:

Service Delivery: To provide, maintain, and improve the iTrack platform, including user authentication, data storage, and feature functionality.

Account Management: To create and manage your account, process registrations, and handle subscription changes.

Payment Processing: To process payments, issue invoices, and manage billing through our payment processor, Stripe.

Customer Support: To respond to your inquiries, provide technical assistance, and resolve issues.

Security and Fraud Prevention: To detect, prevent, and address security incidents, fraudulent activity, and abuse of the Service.

Service Improvement: To analyse usage patterns, conduct research, and develop new features and enhancements.

Communication: To send you service-related notifications, updates, security alerts, and support messages.

Marketing (with consent): To send you information about our products, services, events, and promotions. You may opt out at any time.

Training and Support: To provide documentation, training videos, and optional trainer-led sessions.

Compliance: To comply with legal obligations, respond to lawful requests, and enforce our Terms of Service.

Aggregated Analytics: To create anonymised, aggregated statistics about Service usage for internal business purposes and industry insights.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data. We may share your data with the following categories of recipients in limited circumstances:

Service Providers (Subprocessors)

We engage trusted third-party service providers to help us operate the Service. These include:

  • Cloud Hosting: IONOS UK (data storage and infrastructure in United Kingdom data centers)
  • Payment Processing: Stripe (payment and billing services for card payments)
  • Email Services: MailChimp and Brevo (transactional and marketing emails)
  • Analytics: Google Analytics (anonymised usage analytics)
  • Customer Support: Email-only support provided directly through info@itrackaml.com (no third-party support tools)

All service providers are bound by data processing agreements and are required to implement appropriate security measures. We require them to process your data only as instructed and for the specific purposes outlined.

Legal and Regulatory Authorities

We may disclose your data to law enforcement, regulators, courts, or other authorities when:

  • Required by law or legal process
  • Necessary to comply with AML/CTF/CPF obligations
  • To enforce our Terms of Service or protect our rights
  • To protect the safety and security of users or the public

Business Transfers

If we are involved in a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and ensure the receiving party commits to protecting your data under terms at least as protective as this Privacy Policy.

With Your Consent

We may share your data with other third parties when you have given us explicit consent to do so.

7. International Data Transfers

Your data is primarily stored and processed in the United Kingdom. Our servers are hosted by IONOS UK in United Kingdom data centers.

However, some of our service providers may be located outside of Jersey or the UK. When we transfer your personal data to countries outside Jersey, we ensure appropriate safeguards are in place in accordance with Part 8 of the Data Protection (Jersey) Law 2018, including:

  • Adequacy Decisions: Transferring data to countries deemed to provide an adequate level of protection by the Jersey Office of the Information Commissioner or the UK Information Commissioner's Office.
  • Standard Contractual Clauses: Using standard data protection clauses approved by the relevant authorities.
  • Binding Corporate Rules: Relying on binding corporate rules approved by the relevant authorities.
  • Additional Safeguards: Implementing technical and organisational measures to ensure data protection, including encryption and access controls.

You may contact us for more information about the specific safeguards we have implemented for international data transfers.

8. Data Security

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction.

Security Measures Include:

  • Encryption at Rest: All data stored in our databases is encrypted using AES-256 encryption.
  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using the TLS 1.3 protocol.
  • Access Controls: Strict role-based access controls ensure that only authorised personnel can access personal data on a need-to-know basis.
  • Authentication: Two-factor authentication (2FA) is enabled and required for all user accounts to provide an additional layer of security.
  • Regular Security Audits: We conduct regular security assessments and penetration testing to identify and address vulnerabilities.
  • Daily Backups: We perform daily automated backups of all data to ensure business continuity and disaster recovery.
  • Monitoring: Continuous monitoring of our systems for suspicious activity and security incidents.
  • Staff Training: All personnel with access to personal data receive regular training on data protection and security best practices.
  • Incident Response: We maintain a comprehensive incident response plan to address any data breaches promptly.

While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to protect your data using industry-standard practices.

Your Security Responsibilities:

  • Keep your account credentials confidential
  • Use a strong, unique password
  • Enable multi-factor authentication
  • Log out after each session, especially on shared devices
  • Report any suspected security incidents to us immediately

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

Retention Periods by Data Type:

Account and Identity Data

Retained for the duration of your account plus 7 years after account closure (in accordance with financial services record-keeping requirements).

Payment and Billing Data

Retained for 7 years after the last transaction for tax, accounting, and audit purposes (as required by Jersey tax law).

Usage and Technical Data

Retained for 24 months for service improvement and analytics purposes, then anonymised or deleted.

Communication Data

Support tickets and correspondence retained for 3 years after the last interaction for quality assurance and legal purposes.

Client Assessment Data (Processed on Your Behalf)

Retained according to your instructions as data controller. Upon termination of service, we will return or delete this data within 90 days unless you request otherwise or legal retention is required. We recommend retaining AML/CTF records for at least 5-7 years in accordance with regulatory requirements (e.g., JFSC, FATF guidelines).

Marketing Data

Retained until you withdraw consent or 2 years after your last engagement with our marketing communications, whichever comes first.

Security and Audit Logs

Retained for 12 months for security monitoring and incident investigation purposes.

After the applicable retention period expires, we will securely delete or anonymise your personal data. If deletion is not possible (for example, because data has been backed up to archive storage), we will securely isolate your data from further processing until deletion becomes possible.

If legal obligations require us to retain data for longer periods (e.g., for litigation, regulatory investigations), we will retain only the minimum necessary data for the required period.

10. Your Rights

Under the Data Protection (Jersey) Law 2018, you have the following rights regarding your personal data:

1. Right of Access (Article 26)

You have the right to request a copy of the personal data we hold about you. This is commonly known as a “data subject access request” (DSAR).

2. Right to Rectification (Article 28)

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

3. Right to Erasure (“Right to be Forgotten”) (Article 29)

You have the right to request that we delete your personal data in certain circumstances, such as:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Note: This right is not absolute. We may need to retain certain data to comply with legal obligations (e.g., 7-year retention for financial records).

4. Right to Restriction of Processing (Article 30)

You have the right to request that we restrict how we use your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

5. Right to Data Portability (Article 32)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as CSV or PDF) and to request that we transmit it to another controller where technically feasible.

6. Right to Object (Article 33)

You have the right to object to processing of your personal data where we are relying on legitimate interests as the legal basis. This includes the right to object to direct marketing at any time.

7. Right Not to be Subject to Automated Decision-Making (Article 34)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you. Note: iTrack provides risk assessment tools, but final compliance decisions are always made by you (the user), not by automated processing alone.

8. Right to Withdraw Consent

Where we process your data based on consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

How to Exercise Your Rights:

To exercise any of these rights, please contact us at:

Email: info@itrackaml.com
Subject Line: “Data Subject Rights Request”

We will respond to your request within 4 weeks (extendable to 8 weeks for complex requests), as required by Article 27 of the Data Protection Law. We may need to verify your identity before processing your request.

Right to Complain:

If you are unhappy with how we have processed your personal data or how we have responded to a request, you have the right to lodge a complaint with the Jersey Office of the Information Commissioner (JOIC):

Jersey Office of the Information Commissioner
2nd Floor, 5 Castle Street
St Helier, Jersey JE2 3BT
Email: enquiries@dataportal.je
Website: www.dataportal.je

11. Cookies and Tracking

We use cookies and similar tracking technologies to enhance your experience on our website and Service. For detailed information about the cookies we use and your choices, please see our Cookie Policy.

Types of Cookies We Use:

  • Essential Cookies: Necessary for the Service to function (e.g., authentication, security).
  • Performance Cookies: Help us understand how users interact with the Service (e.g., page views, session duration).
  • Functionality Cookies: Remember your preferences and settings (e.g., language, theme).
  • Marketing Cookies: May be used in future to deliver relevant advertisements and track campaign effectiveness (will only be implemented with your consent and appropriate cookie management controls).

You can control cookies through your browser settings. However, disabling essential cookies may affect the functionality of the Service.

12. Third-Party Links

Our website and Service may contain links to third-party websites, applications, or services that are not operated by us. We are not responsible for the privacy practices of these third parties.

We encourage you to review the privacy policies of any third-party sites you visit. This Privacy Policy applies only to information collected by iTrack.

13. Children's Privacy

iTrack is designed for use by businesses and professionals in the financial services industry. Our Service is not intended for children under the age of 18, and we do not knowingly collect personal data from children.

If we become aware that we have inadvertently collected personal data from a child under 18, we will take steps to delete that information as quickly as possible. If you believe we have collected data from a child, please contact us immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the “Effective Date” and “Version” at the top of this page
  • Notify you via email (to the address associated with your account)
  • Display a prominent notice on our website for at least 30 days
  • For material changes that affect your rights, obtain your consent where required by law

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes have been posted constitutes your acceptance of the updated policy.

We maintain an archive of previous versions of this Privacy Policy. You may request access to prior versions by contacting us.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

Email:

info@itrackaml.com

(For data subject rights requests, please use subject line: “Data Subject Rights Request”)

Postal Address:

Comsure Technology Limited
Data Protection Officer
No 1 Bond Street Chambers
St Helier, Jersey
Channel Islands, JE2 3NP

We aim to respond to all inquiries within 4 weeks (extendable to 8 weeks for complex requests).

Document Version: 1.0.0

Effective Date: October 28, 2025

Last Reviewed: October 28, 2025