Privacy
These terms may be varied from time to time. The terms in force at the effective date of first use of the Forsyte application, available at www.forsyte.co, shall govern the Agreement to the exclusion of all other terms and conditions.
Users activate their license by creating an account and signing into Forsyte. Each sign-in constitutes acceptance of these terms.
Definitions
This Privacy Policy explains how Forsyte (a trading name of etiCloud Ltd) ("Forsyte", "we", "us", or "our") handles personal data when acting as a data processor for clients using our Forsyte Risk platform for compliance and risk assessment activities.
INTRODUCTION AND SCOPE
This Privacy Policy explains how Forsyte (a trading name of etiCloud Ltd) ("Forsyte", "we", "us", or "our") handles personal data in two distinct capacities:
1.1 As Data Processor: When your organisation uses the Forsyte Risk platform for compliance and risk assessment activities, we process personal data on your behalf
1.2 As Data Controller: When you interact with our marketing activities (newsletters, webinars, events, enquiries), we determine the purposes and means of processing your personal data
The relevant sections of this policy clearly identify our role for each processing activity.
OUR ROLE AS DATA PROCESSOR
When you use the Forsyte Risk platform, your organisation is the data controller, and we act as your data processor. This means:
2.1 Your organisation determines the purposes and means of processing personal data
2.2 We process personal data based on how your organisation uses our platform features and the processing activities you initiate through the Forsyte Risk system
2.3 We assist you in complying with data protection obligations
2.4 Data subjects should direct rights requests to your organisation as the controller
Key contacts
Data Protection Officer: Duncan Austin
Email: [email protected]
Address: First Floor, 2 Broadfield Ct, Sheffield S8 0XF, United Kingdom
Artificial intelligence & automated processing
AI processing disclosure
When we process personal data through our platform, we may use artificial intelligence and automated decision‑making systems including but not limited to:
- Risk scoring algorithms: Automated calculation of risk ratings based on multiple data points.
- Pattern recognition: AI‑powered identification of suspicious activities or compliance flags.
- Natural language processing: Analysis of data processed through our platform.
- Predictive analytics: Risk trend analysis and compliance forecasting.
AI training & development
- We do not use personal data processed through our platform to train or improve underlying AI models.
- We may use anonymised, aggregated patterns from platform usage to enhance our risk assessment methodologies.
- Any machine‑learning optimisation uses only anonymised usage patterns, never personal data.
Automated decision rights
Under GDPR Article 22, individuals have the right not to be subject to decisions based solely on automated processing. Our AI systems provide risk assessments and recommendations that require human review and decision‑making at your organisation.
Beta features data processing
- When your organisation accesses Beta Features, we may conduct enhanced logging of user interactions for development purposes, including anonymised usage analytics to improve feature stability.
- All Beta processing remains subject to the same privacy safeguards as established features.
Data processing activities
Processing on behalf of clients
When your organisation uses our Forsyte Risk platform, we process personal data based on the platform features you access and the processing activities you initiate. This includes:
Risk assessment processing categories
- Identity & profile data: Names, addresses, dates of birth, nationality, government‑issued ID documents, photographs, biometric data.
- Financial data: Bank account details, transaction histories, source of funds/wealth documentation, beneficial ownership structures, corporate financial records.
- Risk assessment data: Risk status indicators, screening results, adverse media findings, risk scores, compliance ratings, enhanced due diligence outcomes.
- Regulatory compliance data: Due diligence documentation, compliance records, regulatory screening results, reporting data.
- Technical processing data: Document uploads, risk assessment timestamps, user interaction logs, system‑generated flags and alerts.
- Third‑party verification data: External database queries, verification service responses.
Our obligations as your data processor
- Process data only as required to deliver the platform features your organisation uses.
- Ensure appropriate technical and organisational security measures.
- Maintain confidentiality of all processed data.
- Provide reasonable assistance with data subject rights requests where technically feasible.
- Notify your organisation without undue delay of any data breaches.
- Delete or return data within a reasonable period upon termination, subject to our terms and conditions.
- Provide reasonable assistance with compliance queries.
Sub‑processors
- Currently, we do not engage any sub‑processors. All data processing is conducted directly by Forsyte personnel using our own systems and infrastructure.
- Should we need to engage sub‑processors in future, we will provide advance notice to your organisation, ensure equivalent data protection obligations, obtain necessary approvals before engagement, and update this policy accordingly.
Data subject rights
- Data subjects should direct all rights requests to your organisation (as the data controller for the processing).
- Your organisation determines the legal basis and retention periods for the personal data.
- We assist your organisation in responding to data subject requests within statutory timeframes.
- For urgent requests, data subjects may contact us directly, and we'll coordinate with your organisation.
Important: Certain data subject rights may be restricted where exercising them would prejudice the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties, as permitted under applicable data protection laws.
Technical & organisational measures
Security measures
- End‑to‑end encryption for data transmission and storage.
- Multi‑factor authentication for all system access.
- Periodic security assessments.
- Appropriate access controls and audit logging.
- UK‑domiciled cloud infrastructure.
- Automated security monitoring and threat detection.
- Privacy‑by‑design architecture principles.
Data minimisation
- We only process data necessary for the specified purpose based on your organisation's use of the platform.
- Privacy by design principles in system development.
International transfers
All personal data is processed and stored within UK data centres. We do not transfer personal data outside the UK/EEA.
Our cloud infrastructure is located exclusively in UK‑domiciled data processing facilities with appropriate security certifications.
Usage analytics & platform monitoring
Platform analytics
We may collect usage analytics for platform operation and improvement.
Exclusions: We explicitly exclude personal data from our analytics processing.
Cookies & tracking
Our platform uses essential and analytical cookies:
- Essential cookies: Authentication, session management, security features.
- Analytics cookies: Platform performance monitoring.
- Preference cookies: User interface settings, dashboard configurations.
You can control cookie preferences through your browser settings, though disabling essential cookies may impact platform functionality.
Data breach notification
Breach response obligations
As your data processor, we notify your organisation without undue delay of any personal data breach, including the nature of the breach and categories of data affected, approximate number of data subjects and data records involved, likely consequences and measures taken to address the breach, and contact details for further information.
Breach mitigation
- Immediate containment and system security restoration.
- Forensic analysis to determine scope and impact.
- Implementation of additional safeguards to prevent recurrence.
Marketing Data Processing (Forsyte as Data Controller)
Scope of Marketing Processing
When you interact with our marketing activities, we act as data controller for your personal data. This section applies to:
- Newsletter subscriptions and email marketing communications
- Webinar registrations and event participation
- Conference attendance and networking activities
- Content downloads and resource requests
- Sales enquiries and product demonstrations
- Partnership and business development communications
Data We Collect for Marketing
- Contact Information: Name, job title, organisation, work email address, work telephone number
- Professional Information: Industry sector, firm size, regulatory responsibilities, areas of interest
- Engagement Data: Webinar attendance, email opens and clicks, content downloads, event participation
- Communication Preferences: Topics of interest, preferred communication frequency, opt-out preferences
Legal Basis for Marketing Processing
Consent: Where you've explicitly opted in to receive marketing communications, webinar invitations, or event updates
Legitimate Interests: Where we have an existing business relationship or you've engaged with our content, we may contact you about similar products and services that may be relevant to your professional interests
Performance of Contract: Where necessary to deliver webinars, events, or services you've registered for
How We Use Marketing Data
- Sending newsletters, product updates, and industry insights
- Inviting you to webinars, conferences, and events
- Providing access to educational resources and technical content
- Following up on enquiries and providing relevant information
- Improving our marketing content based on engagement patterns
- Conducting market research and audience analysis (using anonymised, aggregated data)
Marketing Data Retention
We retain marketing contact data for as long as you remain engaged with our communications or until you request removal
We consider contacts inactive after 24 months of non-engagement and will either re-confirm consent or remove the data
You can request deletion at any time using the contact details in Section 3
Your Marketing Rights
Unsubscribe: Use the unsubscribe link in any marketing email or contact us directly
Preference Management: Update your communication preferences by contacting [email protected] or using preference centres in our communications
Access and Correction: Request a copy of your marketing data or correct inaccuracies
Deletion: Request removal from our marketing lists at any time
Object to Processing: Object to marketing communications based on legitimate interests
Third-Party Marketing Services
We may use third-party service providers to support our marketing activities, which may include:
- Email marketing and newsletter distribution platforms
- Webinar and virtual event hosting services
- Customer relationship management (CRM) systems
- Analytics and engagement measurement tools
- Event registration and management platforms
All third-party processors are selected based on appropriate security standards and are subject to data processing agreements that require equivalent data protection measures
We do not sell or share your personal data with third parties for their own marketing purposes
A current list of marketing service providers can be provided upon request by contacting [email protected]
Marketing to Organisations
Where we market to professional contacts at law firms and legal organisations, we rely on legitimate interests as our legal basis
You retain the right to opt out of these communications at any time without affecting your organisation's use of our platform
Updates to this policy
We review this policy regularly and will notify your organisation of material changes.
Continued use of our platform after policy updates constitutes acceptance of the revised terms.