Privacy Policy
Effective 15 June 2020
1. Scope and purpose
Elucidate GmbH is committed to protecting and respecting privacy. Elucidate GmbH collects and processes personal data relating to visitors to and, and in relation to the services we provide. The data we process differs depending on the different interactions with us, as detailed below.
This policy includes information on Elucidate, how we collect and use information, how we keep it safe, how long we keep this information, who has access to this information and the right of access to the data.
2. Who we are
When we talk about “Elucidate”, or “us” or “we” in this notice, we are talking about Elucidate GmbH, located in Berlin, Germany (Amtsgericht Charlottenburg HRB 196707B).
3. Data Protection Officer
Our Data Protection Officer oversees how we collect, use, share and protect information gathered to ensure all required rights are fulfilled. Our Data Protection Officer can be contacted at
4. How we collect information and how we use it about you
The information we collect varies in line with the use cases below:
  • Visitors to - data regarding site usage, obtained through cookies which includes IP addresses and browser versions used;
  • Candidates for jobs with Elucidate - this includes personal contact information and data regarding the applicant’s suitability for the role;
  • Data provided to us for the express purpose of using the Elucidate FinCrime Index (“EFI”) platform - this data is provided as part of an underlying contractual agreement;
  • Business contacts - this includes contact information or any publicly available data regarding position in a company.
5. How we keep information safe
The information we have collected is stored in a GDPR-compliant data processing facility in Frankfurt am Main, Germany. This facility holds the following certifications: ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, FIPS 140-2, PCI, CSA STAR. All data stored in our databases is encrypted using 256-bit Advanced Encryption Standard (AES-256).
6. For how long do we retain information
  • Visitors to - until the cookie expiration date;
  • Candidates for jobs with Elucidate - for unsuccessful candidates, we will remove the information after 6 months. Successful candidates’ information becomes subject to our employee privacy policy;
  • Data provided to us for the express purpose of using the Elucidate FinCrime Index platform - Information is retained subject to the conditions outlined in the contract;
  • Business contacts - email marketing has unsubscribe functionalities. Information in our CRM is categorised by activity and inactive data is removed after a period of 5 years, or unless specifically requested by an individual ( ;
7. Meeting our legal and regulatory obligations
To use information lawfully, we rely on:
  • Performance of a contract;
  • Legal obligation;
  • Protecting legitimate interests of all parties;
  • Explicit consent, where required.
To meet our regulatory and legal obligations, we collect some personal information and delete it once we no longer require it. We may also gather information from public sources to help us provide our services through the EFI platform.
8. Information recipients
Information which has been gathered is available to selected parties as detailed below:
  • Visitors to - website analytics tools provided in our secure cloud infrastructure and our employee marketing team;
  • Candidates for jobs with Elucidate - we store this information in an externally provided HR system, to which only selected Elucidate employees have access to determine candidate suitability;
  • Data provided to us for the express purpose of using the EFI platform - data is encrypted and only selected Elucidate employees have access, on an as-needed basis;
  • Business contacts - our externally provided CRM application is accessible only by Elucidate employees, specifically the sales, marketing, and client engagement teams.
9. International transfers of data
Our data processing centre and our backup data centre are located in Frankfurt am Main in Germany. We have configured the data centres to store data within the EU only.
In all cases, we strive to ensure that data remains within the EU/EEA and select our sub-processors with that in mind. In exceptional cases where a sub-processor stores data outside the EU/EEA, the selected sub-processor is required to provide the suite of GDPR protections to such data.
If you wish to view and subscribe to our sub-processors list, it is available here
10. Access rights
Upon request by the appropriate party, we can correct, erase, or grant access to the personal data we hold, or (where processing is based on consent) withdraw consent to our processing of this personal data. One can exercise these rights by email to
If there is a concern regarding the proper handling of personal data, a complaint can be made to our data protection regulator, the German Information Commissioner’s Office ( or in Berlin
11. Updates to this notice
We will make changes to this notice upon annual review or as required due to changes, particularly when we change how we use your information or the sub-processors we engage. We will always publish an up-to-date version of this notice on our website at