Privacy Policy
Effective 09th of Oct 2020
1. Who we are

Elucidate GmbH, located in Berlin, Germany, registered in: Amtsgericht Charlottenburg HRB 196707B, is the controller and responsible for your personal data (later referred throughout this document as “Elucidate”, “we”, “us” or “our”).

In some instances, Elucidate will take the role of data processor. Both roles – controller and/or processor – will be carried out in pursuant of GDPR and EU-Regulations, where different obligations will apply according to each role.

We collect and process personal data relating to visitors to and in relation to the services we provide. The data we process differs depending on the different interactions with us, as detailed below.

2. Scope and purpose

This privacy policy sets out to give you information on:

  • How we collect your data
  • How data is processed throughout the determination of our benchmarks
  • How we keep data safe and for how long
  • Who has access to your data
  • Your data rights
  • Cookies information
  • Our legal and obligatory obligations

Third-party links

This website includes links to third-party websites, plug-ins and applications. Upon clicking on those links, you will be redirected to a third-party website where our privacy policy no longer applies.

3. Data Protection Officer
Our Data Protection Officer oversees how we collect, use, share and protect information gathered to ensure all required rights are fulfilled. Our Data Protection Officer can be contacted at
4. How we keep information safe
The information we have collected is stored in a GDPR compliant data processing facility in Frankfurt am Main, Germany. This facility holds the following certifications ISO 27001, ISO 27017, ISO 27018, SOC1, SOC2, SOC 3, FIPS 140-2, PCi, CSA STAR. All data stored in our databases is encrypted using 256-bit Advanced Encryption Standard (AES-256).
5. What data we collect and how we collect it

The information we collect varies in line with the use cases below:

Data from website visitors to regarding site usage, including IP addresses and browser versions used Data collected through website cookies
Personal data from job candidates Provided directly by any job candidate, collected through the website
Personal client data and information Provided directly by our clients through and in accordance to contractual agreements.
Publicly available information relevant to the Elucidate FinCrime Index (“EFI”) Public search
Business contacts, contact information or any publicly available data regarding a position in a company Provided directly by business contacts
6. Why we collect data
Data from website visitors Used for marketing purposes and to ensure a correct usage of our website
Personal data from job candidates Collected with the purpose of assessing the applicant’s suitability for a role
Personal client data and information Collected for the express purpose of producing the Elucidate FinCrime Index (“EFI”)
Publicly available information Collected for the express purpose of producing the Elucidate FinCrime Index (“EFI”) and adverse media sentiment analysis
Business contacts To maintain business communications
7. How we handle data

Information which has been gathered is available to selected parties as detailed below:

Data from website visitors Elucidates uses Matomo as a web analytics platform, which provides the option to host all data within Elucidate’s secure cloud infrastructure. Data is only available to our marketing team
Personal data from job candidates Store in an externally provided HR system, to which only selected Elucidate employees have access in order to determine candidate suitability
Personal client data and information Encrypted, to which only selected Elucidate employees have access to, on an as-needed basis
Business contacts Externally provided CRM application is accessible only by Elucidate employees, specifically sales, marketing and client success team
8. International transfers of data

Our data processing centre and our backup data centre are located in Frankfurt am Main in Germany. We have configured the data centres to store data within the EU only.

In all cases, we strive to ensure that data remains within the EU/EEA and select our sub-processors with that in mind. In such exceptional cases where a sub-processor stores data outside the EU/EEA, the selected sub-processor is required to provide the suite of GDPR protections to such data.

The sub-processors list is available under the following link:

9. For how long do we retain information
Data from website visitors Until the cookie expiration date
Personal data from job candidates For unsuccessful candidates, data will be removed after 6 months. Successful candidates’ information becomes subject to our employee privacy policy
Personal client data and information Information is retained subject to the conditions outlined in the contract in accordance with GDPR and EU-Regulations
Business contacts Email marketing has unsubscribe functionalities. Information in our CRM is categorised by activity and inactive data is removed after a period of 5 years, or unless specifically requested by an individual. You can ask for removal by sending an email to
10. Cookies

Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology

For further information, visit

Types of cookies and how do we use them

Elucidate uses:

Functionality To recognize you on our website and remember your previously selected preferences. These could include what language you prefer and location you are in. A mix of first-party and third-party cookies are used
Advertising To collect information about your visit to our website, the content you viewed, the links you followed and information about your browser, device, and your IP address

How to manage cookies

You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.

11. Data protection rights

Elucidate would like to make sure you are fully aware of all of your data protection rights. In accordance with GDPR, we commit to handling your data in a transparent manner. Every user is entitled to the following:

The right to access You have the right to request copies of your personal data
The right to rectification You have the right to request that Elucidate correct any information you believe is inaccurate. You also have the right to request to complete the information you believe is incomplete
The right to erasure You have the right to request the erasure of your personal data, under certain conditions subject to EU-Regulations (eg. REGULATION (EU) 2016/1011)
The right to restrict processing You have the right to request that we restrict the processing of your personal data, under certain conditions
The right to object to processing You have the right to object to our processing of your personal data, under certain conditions
The right to data portability You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions

You can always contact the DPO regarding GDPR issues, regardless of Elucidate’s role as processor or controller, via email to

If there is a concern regarding the proper handling of personal data, a complaint can be made to our data protection regulator, the German Information Commissioner’s Office or in Berlin.

12. Meeting our legal and regulatory obligations

We rely on contractual and legal obligations in order to handle all data and collect it lawfully. We ensure to protect the legitimate interest of all parties and to act according to the principle of transparency.

Elucidate is a regulated benchmark and therefore subjected not only to GDPR but to other EU-Regulations (eg. REGULATION (EU) 2016/1011). According to EU-Law we are obliged to retain all data exclusively related to the process of generating and providing the Elucidate FinCrime Index (“EFI”) platform for 5 years before deleting it.

Data from website visitors, personal data from job candidates and business contacts do not fall into this category and are handled separately according to GDPR regulations.

13. Updates to this notice
We will make changes to this notice upon annual review or as required due to changes, particularly when we change how we use your information or the sub-processors we engage. We will always publish an up-to-date version of this notice on our website at: