Privacy Policy
Effective 21th of Jan 2021
V3.1.2
Who we are

Elucidate GmbH, located in Berlin, Germany, registered in: Amtsgericht Charlottenburg HRB 196707B, is responsible for your Personal Data (later referred throughout this document as “Elucidate”, “we”, “us” or “our”).

Elucidate acts either as a Data  Controller or as a Data Processor. Both roles – Controller and/or Processor – will be carried out in pursuant of GDPR and EU-Regulations, where different obligations will apply according to each role. 

We collect and process Personal Data relating to: (i) visitors to efi.elucidate.co and elucidate.co in relation to the services we provide; (ii) our Clients that are global financial institutions and regulators. The data we process differs depending on the different interactions with us, as detailed below. 

1. Scope and purpose

This privacy policy (“Policy”) sets out to give you information on:

  • How we collect your data;
  • How and on what legal basis we use and disclose your personal data;
  • How data is processed throughout the determination of our benchmarks;
  • How we keep data safe and for how long;
  • Who has access to your data;
  • Your data rights;
  • Cookies information;
  • Our legal and obligatory obligations.

Third-party links

This website includes links to third-party websites, plug-ins and applications, including Calendly, Zapier and Webflow. Upon clicking on those links, you will be redirected to a third-party website where our privacy policy no longer applies.

2. Data Protection Officer

Our Data Protection Officer oversees how we collect, use, share and protect information gathered to ensure all required rights are fulfilled. Our external Data Protection Officer is:

Dr. Christoph Bauer, CEO of ePrivacy GmbH,
Große Bleichen 21
20354 Hamburg
Germany.

3. How we keep information safe

The information we have collected is stored in a GCP data centre, a GDPR compliant data processing facility in Frankfurt am Main, Germany (“Hosting Provider”). This Hosting Provider holds the following certifications ISO 27001, ISO 27017,  ISO 27018, SOC1, SOC2, SOC 3, FIPS 140-2, PCi, CSA STAR. All data stored in our databases is encrypted using 256-bit Advanced Encryption Standard (AES-256).

4. What data we collect and how we collect it

The information we have collected is stored in a GCP data centre, a GDPR compliant data processing facility in Frankfurt am Main, Germany (“Hosting Provider”). This Hosting Provider holds the following certifications ISO 27001, ISO 27017,  ISO 27018, SOC1, SOC2, SOC 3, FIPS 140-2, PCi, CSA STAR. All data stored in our databases is encrypted using 256-bit Advanced Encryption Standard (AES-256).

DATA TYPE DATA SOURCE ROLE LEGAL BASIS
Data from website visitors to Elucidate.co (“Website Data”) Data collected through our Contact Page and/or when downloading our WhitePaper and/or through our website Cookies Data Controller Consent (Art. 6 (1) lit. a GDPR) for Statistic and Marketing cookies and Legitimate Interest for Necessary cookies (Art. 6 (1) lit. f GDPR).
Personal Data from job candidates (“HR Data”) Provided directly by any job candidate, collected through the elucidate.co website Data Controller Processing is necessary for the performance of a contract or to take steps to enter into a contract (Art. 6 (1) lit. b GDPR).
Client's Personal Data and information (“Client Data”) Provided directly by our Clients through and in accordance to contractual agreements Data Processor Data Processing Agreement signed with our Clients.
Publicly available information relevant to the Elucidate FinCrime Index (“EFI”) - (“Public Data”) Public search Data Processor Our legitimate interest to perform our services and produce the EFI (Art. 6 (1) lit. f GDPR).
Business contacts, contact information or any publicly available data regarding a position in a company (“CRM Data”) Provided directly by business contacts and/or via public search Data Controller Processing is necessary for the performance of a contract or to take steps to enter into a contract (Art. 6 (1) lit. b GDPR).

4.1 Website Data

When you are using the website you may provide us your Personal Data. If you contact us through our Contact page, we collect your name and email address so we can respond to you.

If you download our WhitePaper on our webpage, we collect your first and last name, email address, phone number, job title and organization name so we may send you the WhitePaper and information on our products and services.

You can revoke your consent and/or unsubscribe anytime by submitting a request to: privacy@elucidate.co.

Additionally, when using the website we might collect Personal Data on your internet browser, operating system, IP address, time of the page request, referrer URL, device information, session information, size of the requested file and any status or error codes through the usage of cookies. Cookies are text files placed on your computer that we use to ensure the functionality of our website, gather statistical information about the use and development of our website, and for general data security and error analysis purposes. For further information, visit all aboutcookies.org.

Elucidate Cookies are defined in Cookiebot, please refer to that section for it's type, name and purpose

You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. Additionally, if you wish to enable or disable the above cookies please use our Cookiebot Consent Management Platform available on our website.

However, in a few cases, some of our website features may not function as a result.

4.2 HR Data

If you apply for a job on the website, we collect your first and last name, email, phone number, citizenship, work permit information, education level, employment history, salary history, and any Personal Data you choose to submit on a cover letter, recommendation letter or CV (“Job Applications”). We use this information to assess your qualifications for open positions and to contact you for further information if we deem it necessary.

You can revoke your consent anytime by submitting a request to: privacy@elucidate.co.

4.3 Client Data

We receive different Personal Data sets from our Clients in a pseudonymised format, using secure hashing algorithms. We receive the following categories of Personal Data from our Clients:

  • Client's customers socio-demographic data;
  • Client´s customers geo-location;
  • Client's customers account information;
  • Client's employees socio-demographic data.

We process the Client Data in combination with Public Data, to perform comprehensive data analysis for the measurement, assessment, standardisation and reporting of financial crime risk.

The consent collected by our Clients complies with the GDPR’s requirements and enables Elucidate´s processing activities. Any processing of your Personal Data by Elucidate is subject to your rights of choice and control as explained below in the “Data protection rights” Section. You can contact our Clients at any time to revoke your consent and/or if you contact us at privacy@elucidate.co and we will promptly share such request to our Clients directly.

4.4 Public Data

Together with the Client Data or on a standalone basis, we process the following Public Data, including among others: (i) Financial Action Task Force (“FATF”) information; (ii) Transparency International Corruption Perceptions Index (“CPI”); (iii) Global Legal Entity Identifier Foundation (“GLEIF”) information, as necessary to provide our services to our Clients and produce the Elucidate FinCrime Index (“EFI”). 

4.5 CRM Data

We receive the following categories of Personal Data from our business contacts and/or via public search, in order to maintain business communication, manage our business relationship, set up and manage your account for our services:

  • Business contacts email addresses;
  • Business contacts information.

You can revoke your consent anytime by submitting a request to: privacy@elucidate.co. Additionally, whenever you receive an email from us, you can click on the Unsubscribe link at the bottom of the email communication. 

5. Why we collect data
Website Data Used for marketing, statistical and functional purposes and to ensure a correct usage of our website.
HR Data Collected with the purpose of assessing the applicant’s suitability for a role.
Client Data Collected for the express purpose of producing the Elucidate FinCrime Index (“EFI”).
Public Data Collected for the express purpose of producing the Elucidate FinCrime Index (“EFI”) and adverse media sentiment analysis.
CRM Data To maintain business communications, manage our business relationship, set up and manage your account for our services.
6. How we handle data / With whom do we share data

Information which has been gathered is available to selected parties as detailed below:

Website Data Necessary: Cookiebot (https://www.cookiebot.com/en/privacy-policy/);
HR Data Stored in an externally provided HR system, to which only selected Elucidate employees have access in order to determine candidate suitability.
Client Data Encrypted, to which only selected Elucidate employees have access to, on an as-needed basis.
CRM Data Externally provided CRM application, accessible only by Elucidate employees, specifically sales, marketing and client success team.

The sub-processors list is available under the following link: https://elucidate.co/sub-processors.

7. International transfers of data

Our data processing centre and our backup data centre are located in Frankfurt am Main in Germany. We have configured the data centres to store data within the EU only. 

In all cases, we strive to ensure that data remains within the EU/EEA and select our processors and/or sub-processors with that in mind. In such exceptional cases where a processor and/or sub-processor stores data outside the EU/EEA, the selected processor and/or sub-processor is required to provide the suite of GDPR protections to such data. By law we are required to ensure that the level of protection guaranteed to your Personal Data by the EU laws is not undermined by such transfer, therefore we enter into EU Standard Contractual Clauses with such processor and/or sub-processor.

8. For how long do we retain information
Website Data Until the cookie expiration date (Necessary and Statistics: 1 year; Marketing: 1 years)
HR Data For unsuccessful candidates, data will be removed after 6 months. Successful candidates’ information becomes subject to our employee privacy policy
Client Data Information is retained subject to the conditions outlined in the contract in accordance with GDPR and EU-Regulations
CRM Data Information in our CRM is categorised by activity and inactive data is removed after a period of 5 years, or unless specifically requested by an individual

Insofar statutory storage obligations exist, until the end of the storage period.

9. Data protection rights

Elucidate would like to make sure you are fully aware of all of your data protection rights. In accordance with GDPR, we commit to handling your data in a transparent manner. Every user is entitled to the following:

The right to access You have the right to request copies of your personal data
The right to rectification You have the right to request that Elucidate correct any information you believe is inaccurate. You also have the right to request to complete the information you believe is incomplete
The right to erasure You have the right to request the erasure of your personal data, under certain conditions subject to EU-Regulations (eg. REGULATION (EU) 2016/1011)
The right to restrict processing You have the right to request that we restrict the processing of your personal data, under certain conditions
The right to object to processing You have the right to object to our processing of your personal data, under certain conditions
The right to data portability You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions

You can always contact the DPO regarding GDPR issues, regardless of Elucidate’s role as Processor or Controller, via email to privacy@elucidate.co.

If there is a concern regarding the proper handling of personal data, a complaint can be made to our data protection regulator, the German Information Commissioner’s Office or in Berlin.

10. Children's Privacy

We do not knowingly process Personal Data of children under the age of sixteen (16).

11. Meeting our legal and regulatory obligations

We rely on contractual and legal obligations in order to collect and process all data lawfully. We ensure to protect the legitimate interest of all parties and to act according to the principle of transparency.

Elucidate is a regulated benchmark and therefore subjected not only to GDPR but to other EU-Regulations (eg. REGULATION (EU) 2016/1011). According to EU-Law we are obliged to retain all data exclusively related to the process of generating and providing the Elucidate FinCrime Index (“EFI”) platform for 5 years before deleting it. 

Data from website visitors, job candidates and business contacts do not fall into this category and are handled separately according to GDPR regulations.

12. Updates to this notice

This Policy may change from time to time, so please check back periodically to ensure that you are aware of any changes in our processing of your Personal Data, particularly when we change how we use your information or the processor and/or sub-processors we engage. If at any time in the future we plan to use Personal Data in a way that differs from this Policy, we will post Policy edits here and place notices on other pages of the Site as applicable, or by other means if required by law. You are responsible for ensuring that you are aware of the most recent version of this Policy. This Policy was last modified on: January 21st, 2021.