Privacy Policy
Introduction
OMNIO is committed to protecting the privacy and security of the personal data of our current and prospective customers and the data of their individual customers and clients. In accordance with the Data Protection Act 2018 this privacy notice sets out how we collect, use, store and dispose of personal data.
With respect to any personal data of your customers that you provide to us, we would be a “data processor”, which means we hold data on behalf of you, as the Data Controller, to carry out an operation or set of operations, such as but not limited to consultation of that data.
We provide this notice so that you, our prospective and current customers, are aware of what personal data we hold and how we process and protect it. It is also provided to our employees so they understand their obligations for storing, using and disposing of the data provided to OMNIO. This policy is composed from OMNIO’s perspective, herein referred to as “we” and “our”, for our prospective and current customers and their staff, herein referred to as “you” and “your”.
Key Principles
When processing personal information the following principles, stipulated by the GDPR, define the way that we handle it and the measures we take to look after it:
We will have a legitimate business or legal reason for collecting personal information
We will be open and transparent about how we use personal information
We will only use personal information for the purposes for which we collect it
We will only collect the personal information that we need
We will keep personal information accurate and up to date
We will not retain personal information for longer than necessary
We will keep personal information secure and appropriately manage 3rd party access to it
We will have appropriate measures and records in place to be able to demonstrate our compliance with applicable privacy laws and regulations.
When do we collect your personal data?
We collect and process personal data in two distinct contexts:
A. Our customers (financial institutions and business partners)
We collect personal data directly from our customers when:
You first become an OMNIO customer.
You contact us by phone, email, or other electronic means (such as our website, social media channels, or electronic marketplaces).
You interact with us for account management, billing, support, product information, demos, or marketing (where consent applies).
This data typically includes business contact details, billing information, and communication history. We collect this data to perform our contract with you, to provide requested services, and as part of our legitimate interests in improving our products and communicating relevant information.
We may obtain this data directly from you or via designated third-party services or providers.
B. End customers of our customers (financial institutions’ clients)
We also process personal and transactional data about the end customers of our financial institution clients.
This data is not collected directly by OMNIO; it is provided to us by our customers in order to enable AML/KYC screening, monitoring, and risk assessment.
The scope of the data shared is determined by each client, based on their AML/CFT compliance programs, business model, and regulatory obligations.
We act strictly as a data processor with respect to this information and use it only to deliver AML services in accordance with our clients’ instructions and applicable laws.
What personal data do we collect and use?
A. Data relating to our customers (financial institutions)
For our direct business relationships, we may process:
Identification and contact details: name, business email address, phone number, job title, employer.
Account and billing details: company name, billing address, payment details.
Communication details: correspondence, support requests, and service-related interactions.
B. Data relating to end customers of our customers
When our clients choose to share information about their end customers for AML compliance purposes, we may process:
4.1. Personal and identification data
Full name (first, middle, last)
Date of birth, country of birth, country of residence
Marital status
Nature of employment, employer, job title/position
Tax ID, national identification number (EU), Social Security Number (USA)
Identification document number (passport, ID card, driver’s license) and document expiry date
Contact details: address/ZIP code, email address, phone number
Bank account details (and currency)
4.2. Transactional data
Basic details: type of transaction, date, time, description, amount, currency code, reference number
Card/payment details: card issuer, card type, transfer type (e.g., wire), merchant category code (MCC)
Transaction outcome: declined status and reason (if applicable)
Sender information:
Bank details (bank name, bank code, IBAN)
Identity/contact details (first name, last name, residential address, country)
Device/network details (device name, IP address)
Unique sender identifier (if provided)
Recipient information:
Bank details (bank name, bank code, IBAN)
Identity/contact details (first name, last name, residential address, country)
Device/network details (device name, IP address)
Unique recipient identifier (if provided)
Important clarification on assessments
Our role is limited to providing our clients with tools, alerts, flags, and analysis based on the data they choose to share with us.
We do not make final decisions or form conclusions about an end customer’s risk status, eligibility, or compliance outcome.
Any assessments, assumptions, or regulatory conclusions are made solely by our clients (the financial institutions), in line with their own compliance policies and obligations.
OMNIO does not act as a substitute for our clients’ compliance function.
Purposes and lawful bases of processing
Purpose | Lawful basis |
Delivering AML/KYC screening, monitoring, and alerting services | Contractual necessity with our clients; compliance with legal obligations |
Generating alerts, reports, and case files for compliance teams | Contractual necessity; compliance with legal obligations |
Improving and developing our SaaS platform and detection models | Legitimate interests |
Providing account management, billing, and support to our customers | Contractual necessity; legitimate interests |
Providing product information, demos, and marketing to our customers (never end customers) | Legitimate interests; consent where required |
4.3. Data Sharing
We do not sell, trade, or otherwise transfer your Personal data or the Personal data of your customers to outside parties without your consent, except for the following circumstances:
Service Providers: We may share your information with third-party service providers who assist us in operating our Website, conducting our business, or servicing you, as long as these parties
Legal Requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency).
We may use cookies and other tracking capabilities for purposes including website analytics, engagement analytics, logging your preferences, and enabling remarketing activities. Our use of Cookies is outlined in our Cookie Policy and as such is subject to customizable consent preferences. We also use email marketing software which uses a clear image to track the results of the campaign, including information on whether recipients have opened or clicked email content. If you wish to turn off tracking for future emails you receive from OMNIO, please use our communications preferences link (located in the footer of our email communications) to opt out, block emails from our address, or turn off / reject downloading of images.
Data Security
We implement a variety of security measures to maintain the safety of your Personal Information:
to prevent your personal data from being lost, used or accessed in an unauthorised way
to deal with any suspected data security breach, and we will notify you and any applicable regulator of a suspected breach where we are legally required to
to ensure that data is provided by you to us in a secure manner
We at OMNIO Ltd. have approved specific policies and standards to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration, damage or destruction. We suggest that you follow the OMNIO Policy and always keep your own personal information and that of your colleagues and third parties secure.
Never share your (or anybody else’s) personal information – including your network username and password – unless there is a legal reason for doing so. Any access to personal information must be strictly role-based and limited to those employees, contingency workers, contractors and third parties who have a genuine business need and legal ground to process it. It is strictly prohibited to access personal information for your own personal purposes. In addition to being a serious disciplinary breach this may also be a criminal offence. If you have questions about sharing of personal information, please contact us at Legal@omniocompliance.com.
Never download or install non-approved software on OMNIO-issued IT resources as this can expose our IT networks and resources to damage and personal information to loss or theft.
You must report suspected or actual data incidents immediately by contacting Legal@omniocompliance.com. This would include any situation where personal information is lost, disclosed, destroyed, or altered in an unauthorized way either deliberately or accidentally, for example:
Personal information being lost due to an accident or theft of your OMNIO issued device
Personal information not being destroyed or overwritten correctly
Sending someone’s personal information on email to someone who shouldn’t have seen it
Granting access to someone who is not entitled access to another’s personal information
A systems error that leads to incorrect information being written to an individual’s records
A hacker accessing your computer network or OMNIO issued device.
Privacy laws require us to embed appropriate technical and organizational measures within our processing activities, products and services to ensure that our privacy principles are complied with and that the data rights of individuals can be respected. This approach is known as “Privacy by Design and by Default.”
This means we need to factor how best to integrate privacy into our products, services and internal processing activities across the entire personal information lifecycle, from the initial design stage through in-life to decommissioning and destruction. By considering privacy as part of the design and implementation of our systems, applications, products and services it can prevent OMNIO from having to apply costly retro-fixes in-life or being subject to litigation, negative publicity, loss of business and/or regulatory enforcement action.
When personal information is provided we must ensure that it is accurately captured, complete and where necessary, that it is current. It must be managed in accordance with the business rules that apply to the system that it will be processed on. Where possible, interrelated systems should interact to ensure that any modifications and updates are reflected in an accurate and consistent manner.
The Privacy Impact Assessment process outlined below is designed to help you identify the necessary actions to achieve these aims.
Data Retention
We will only retain personal information for as long as it is required for business or legal purposes.
Our processes are tailored to ensure the regular periodic review of the personal information that is being processed and that the continued need to retain it complies with the above policies. Where possible, both the review and retention processes should be automated to minimize the reliance on conducting a manual review.
Data rights
In line with the Data Protection Act, in certain circumstances, you have several rights with respect to your personal data. You can:
Request access to your personal data. This is known as a Data Subject Access Request and enables you to ask about and receive a copy of your personal data that we hold and check that we are processing it lawfully.
Request correction of your personal data that we hold. This enables you to have any incomplete or incorrect information we hold about you corrected.
Request erasure of your personal data. This enables you to ask us to delete or remove personal information where we no longer have a legitimate reason for storing it.
Object to processing of your personal data where we are relying on a legitimate interest (either of OMNIO or a third-party) and you have a reason which makes you want to object to processing on this ground.
Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal data, for example if you want to establish the accuracy of your data or understand the reason for us processing it.
Request the transfer of your personal data to another party, for example if you want to transfer your data to a new service provider.
If you want to exercise any of your rights, we may ask for specific information from you to confirm your identity and ensure your right to access this information. We will never disclose any of your personal data to anyone acting on your behalf. This is to protect your personal data and ensure it is not disclosed to any person who does not have the right to access it.
If you would like to exercise any of the above rights, please contact us at Legal@omniocompliance.com in writing. We will not ask you to pay a fee to exercise any of these rights. However, we may charge a fee if we consider your request is unfounded or excessive. In some circumstances we can refuse to comply with your request. This is most likely to be the case where we are satisfied that the personal data we hold is accurate or where the request is repetitive in nature.
Right to Withdraw Consent
In the future, there may be limited circumstances where we will ask for your consent to the collection, processing, and transfer of your personal data for a specific purpose; you have the right to withdraw your consent for that specific processing activity. If you would like to withdraw your consent, please contact OMNIO’s legal team in writing at Legal@omniocompliance.com.
Compliance
OMNIO must be able to demonstrate compliance with the principles set out in this Policy, applicable privacy laws and regulations.
All Personnel are required to comply with this Policy and related standards and policies. They are expected to demonstrate their compliance through successful completion of individual annual mandatory privacy and security training and to cooperate fully and truthfully in any compliance efforts.
OMNIO will cooperate with any national Supervisory Authority and will assist or respond in a reasonable time-period to any relevant request, including regulatory audit requests, and will provide all information necessary to demonstrate compliance with applicable privacy laws and regulations.
Failure to comply with this Policy or with applicable privacy laws may result in disciplinary action up to and including termination. Personal information is also subject to laws and controls and there are serious penalties for anyone, or any company, not adhering to these laws including personal liability and/or fines.
10. Jurisdiction-specific notices
California Privacy Rights (CCPA/CPRA)
Applicability
This California Privacy Rights section applies only to residents of the State of California (“consumers”) and supplements the information in our Privacy Policy.
Role Clarification
For data we process on behalf of our financial‑institution customers in connection with AML/compliance services, OMNIO acts as a “service provider”/“contractor” under California law. For our own website visitors, prospects, and workforce, OMNIO may act as a “business.”
Notice at Collection — Categories, Purposes, Retention
We collect the following categories of personal information for the business purposes described below. We retain personal information for as long as necessary to fulfill the purposes described, comply with legal obligations, resolve disputes, and enforce agreements (or as otherwise disclosed in this Policy).
Category (Cal. Civ. Code §1798.140) | Examples | Business/Commercial Purpose | Retention (criteria/period) |
Identifiers | Name, email, IP address, device IDs | Operating our website, security, analytics, responding to inquiries | 24 months for site analytics |
Customer Records | Business contact data, billing data | Account administration, customer support | Contract term + 5 years for AML-related information |
Internet/Network Activity | Log data, pages viewed, interactions | Diagnostics, security, improving services | 12 months |
Geolocation (approximate) | City/region from IP | Fraud/security, localization | 12 months |
Professional/Employment info | Role, employer (B2B) | B2B sales and support | 24 months |
Sensitive PI (if collected) | Account credentials [hashed], precise location [No], government IDs [No for site] | Security/authentication only | Only as long as necessary; otherwise not collected for website |
Sources of Personal Information
We collect information directly from you (forms, support), automatically (cookies/SDKs), and from service providers and partners (e.g., hosting, analytics). For AML services, our customers provide data to us and we process it solely to perform contracted services.
Disclosures for Business Purposes; Service Providers/Contractors
We disclose personal information to service providers/contractors for operational purposes (hosting, security, analytics, communications). We prohibit them from selling or sharing personal information and from using it for purposes other than providing services to us.
Sale or Sharing of Personal Information (Cross‑Context Behavioral Advertising)
We do not sell or share personal information, including for cross‑context behavioral advertising.
Your California Privacy Rights
California residents may have the right to: (1) Know/Access the categories and specific pieces of personal information we collected; (2) Delete personal information; (3) Correct inaccurate personal information; (4) Opt‑out of sale or sharing of personal information; (5) Limit the use and disclosure of sensitive personal information (where applicable); and (6) Non‑discrimination for exercising these rights.
How to Exercise Your Rights
Submit a request via email: Legal@omniocompliance.com. We will verify your request and respond within 45 days (with one 45‑day extension where permitted). You may use an authorized agent; we may require proof of authorization and identity verification.
We honor Global Privacy Control (GPC) signals for browser‑based opt‑outs. To manage cookie‑based preferences, use our “Do Not Sell or Share My Personal Information” link and cookie preferences center.
Sensitive Personal Information
We do not use or disclose Sensitive Personal Information for purposes other than those permitted by California law (e.g., security/authentication). If we begin any additional uses, we will provide a “Limit the Use of My Sensitive Personal Information” mechanism.
California‑Specific Metrics (if applicable)
If required by law, we will publish annual metrics regarding requests received and our responses.
Contact
For California privacy questions, contact us at Legal@omniocompliance.com.
11. Changes to this notice
We will review this notice on an annual basis, or when we are advised of regulatory changes, whichever is sooner. Following the reviews we may update this notice. The current in-force version of this notice will always be available on our website. We may also communicate with you in other ways about the processing of your personal data.