Gain critical insights into modern slavery and human rights challenges in global supply chains, and discover strategies to strengthen compliance and mitigate risks for 2025 and beyond. 

PRIVACY NOTICE

LAST UPDATED: MAY 2025

Introduction: 

This Privacy Notice describes how the Ethixbase360 Group of companies (Ethixbase360, we, us or our) collects, uses, shares, stores and protects personal data about you when:

  1. you interact with us in an individual capacity
  2. in the context of the supply of due diligence services to our customers (Due Diligence Services).

This Privacy Notice does not cover our collection, use, sharing, storage and protection of your personal data if you are an employee of, or individual contractor or consultant to, Ethixbase360.

Who we are:

The Ethixbase360 group of companies includes the following data controllers:

  • Ethixbase UK Limited, registered in the United Kingdom, ICO reference number ZA261305
  • Ethixbase 360 Pte Ltd, registered in Singapore
  • Ethixbase360, Inc. registered in the USA

Contact Us

You can contact our Data Protection Officer for any queries regarding this Privacy Notice and our processing of your personal data at:

Email: [email protected]

data controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

Ethixbase360 platform: our third party risk due diligence, software as a service platform

public domain sources: sources available to the public at large usually by search of the internet using a standard browser. Examples include personal information available from: (i) government or intergovernmental organisation sanctions or watch lists; (ii) official websites of law enforcement organisations, courts, regulators, or other government bodies; (iii) political sources such as parliamentary, local government, or individual politician websites; (iv) reputable news outlets and published media; and (v) content made publicly available by an individual, such as through their personal website, blog, or social media platforms.

When we act as a data controller:

Ethixbase360 is the data controller for processing your personal data in all cases when you interact with us either in an individual capacity or on behalf of a customer, prospect or supplier of ours.   

When we act as a data processor:

Ethixbase360 is the data processor if we are processing your personal data to include in a due diligence report as part of our Due Diligence Services. Our customers will act as the data controller.

Children:

Our services are not aimed at children. We do not generally collect personal data of anyone under 13. If we have collected such information, we will only keep it if the law allows and for a valid reason. This could apply if you are a child of a Politically Exposed Person and applicable law requires our customers to be aware of your identity as part of our Due Diligence Services. Once that reason no longer applies, we will make reasonable efforts to delete the information.

Links to Other Sites
Our services may include links to websites or apps we don’t control. We’re not responsible for their content or how they handle your privacy. Please check their privacy policies and terms before using them.

Structure of this Privacy Notice

The rest of this Privacy Notice is divided into three sections that deal with (1) when we act as a data controller, (2) when we act as a data processor and (3) information that applies to both situations.

SECTION 1: WHEN WE ACT AS A DATA CONTROLLER

How we collect personal data about you

  • When you interact with us and our services: for example by visiting our website, requesting we contact you, downloading marketing materials, purchasing or using our services, registering for an account, attending an event or completing a questionnaire
  • Automatically when our technologies collect information about you and your devices: This can include personal data like your IP address, User ID, and how you use our services. We use this information to run and manage our services, keep them secure (e.g. by spotting fraud or threats), improve how our services work, understand how people use our services and make the user experience better
  • From third parties: These include your employer or organisation (if they arrange your access to our services), our partners and service providers. If someone else gives us your personal data, they’re responsible for ensuring the relevant data protection laws permit it.
  • Through our use of cookies and similar technologies to improve user experience, analyse performance and ensure security.

Personal data we collect about you

The type of personal data we collect depends on how you interact with us and which services you use.

  • Basic contact details – name, email, phone number, address
  • Work information – job title, employer, industry, certifications
  • Login details – passwords or security information for your account
  • Files or messages – anything you upload or send us when using the service
  • Device data – IP address, location, device ID, browser type, etc.
  • Usage data – how and when you use our services
  • Location – if the service uses your location (we’ll ask for consent if needed)
  • Demographic Information – like your nationality, country, language and date of birth
  • CCTV footage – if you visit or work from our offices, or come to our events
  • Photos or videos – if taken at our offices or events
  • Sensitive data – like health or religion, but only if needed (e.g. for accessibility or dietary needs at an event)
  • Identifiers – such as cookie IDs, national insurance numbers, or other unique numbers

Why we process your personal data

  • It’s needed to carry out a contract – for example, to provide services you or your employer has signed up for. This will include registering you as a service user and responding to support requests,
  • It’s in our legitimate interests – for example, sending marketing communications and/or email alerts to you, personalising content provided to you, gathering website analytics and service usage data and maintaining and improving our website and Ethixbase360 platform functionality and user experience
  • It’s required by law and for public interest reasons – for example, to prevent fraud, money laundering, terrorism, or other criminal activity.
  • You’ve given your consent – for example, when you sign up for marketing emails or take part in a survey. If we need your consent, we’ll ask clearly and separately. Consent can be withdrawn at any time.
  • We’re legally obliged to do so – for instance, to respond to court orders, comply with laws or share data with authorities (like the police or tax office).

If we need to use sensitive personal data (like health or religion details), we only do so when it’s needed for legal claims or court proceedings or the law allows it because there’s a strong public interest reason.

Our lawful basis for processing

Where we process your personal data we must have a valid legal basis.

  • Contractual obligation – where we process your information in order to provide our services to our customers or to administer your user account
  • You have given us your consent – such as where you provide your information and confirm you wish to sign up to receive marketing communications from us
  • Legitimate interests – we can process your personal data if: (a) we (or someone else) have a genuine reason to do so (a “legitimate interest”), (b) the processing is necessary to achieve that interest and (c) your rights and interests don’t override our reasons.

To set up and manage your Ethixbase360 platform user account

  • Create and manage your user account
  • Let you log in and access our services
  • Provide customer support and technical help
  • Verify your identity
  • Send you important updates about your account or the services you use
  • Offer suggestions and recommendations related to our services

To manage our relationship with you and others

  • Administer our business relationships, including with customers and service providers
  • Send invoices and other administrative documents
  • Communicate with you about events, webinars, meetings and other activities
  • Run promotions you choose to enter

To improve and personalise our services

  • Understand how our services are used
  • Identify customer needs and trends
  • Make the services more relevant and easier to use
  • Personalise your experience based on your preferences and activity
  • Show you relevant content or advertising, where permitted
  • To develop, train, or enhance artificial intelligence or machine learning models to enable us to improve the way we provide our services

For research and analysis

  • Invite you to take part in surveys, polls or research
  • Analyse feedback and data to improve our services
  • Share usage insights with your employer or another third party who gave you access to our services

For marketing (where permitted)

  • Send you marketing emails or promotions, where the law allows
  • Use browsing and usage data to tailor content or advertising
  • Share insights across our services to make them more intuitive and connected

To meet legal, audit, and security obligations

  • Meet our own and our customers’ and partners’ audit and compliance requirements
  • Respond to court orders, regulators, and other legal obligations
  • Prevent fraud and ensure the security of our services and premises (e.g. via ID checks and CCTV)
  • Enforce our terms and conditions

To conduct background and screening checks

For certain relationships, we may:

  • Perform background and identity checks (e.g. for suppliers, partners, or key company roles)
  • Screen you using the Ethixbase360 platform

To support business operations and legal claims

  • Manage relationships with customers, partners, suppliers, and advisers
  • Help with business transactions like mergers, acquisitions or business sales
  • Investigate potential crimes, regulatory breaches or misconduct
  • Build and manage content databases used in our services
  • Defend legal claims or exercise our legal rights

Marketing and Communication

We may contact you with marketing updates through various channels, including:

  • Email
  • Phone
  • Text message
  • Direct mail
  • Online platforms
  • Chat or messenger tools on our services

Where required by law, we will ask for your consent before sending you marketing communications.

If we send you marketing messages, they will always include a clear way for you to opt out.

Your right to opt out

You can opt out of direct marketing at any time. We are committed to respecting your preferences.

Marketing tools we use

We may use technologies such as:

  • Cookies and tracking tools to deliver tailored ads
  • IP address tracking and unique IDs to show relevant content
  • Email tracking (e.g. links or images) to understand what you engage with
  • Activity tracking (e.g. clicks, searches, form entries) to improve relevance
  • User identification tools to distinguish between known and unknown users

We also carry out marketing on third-party platforms, like social media. These platforms have their own privacy policies and terms, which apply to your interactions there.

How to manage your preferences

You can stop receiving marketing messages by:

  • Clicking unsubscribe links in our emails
  • Using the “Contact Us” feature on our website
  • Speaking to your usual Ethixbase360 contact
  • Emailing [email protected]

Even if you opt out of marketing, if you are a user of our services we may still send you essential service messages, such as account updates, transaction notices, or support-related information.

SECTION 2: WHEN WE ACT AS A DATA PROCESSOR

We provide due diligence reports (Reports) to our customers to help them manage their legal or regulatory compliance obligations regarding (a) supply chain sustainability or Environmental, Social, and Governance risk factors, (b) regulatory and suspicious activity reporting, (c) sanctions, (d) embargoes, (e) financial crime and (f) other regulatory risks and associated obligations.

We also collect responses to due diligence questionnaires (DDQs) on behalf of our customers.

Reports are prepared and responses to DDQs are collected at the request of our customers before they enter into relationships and/or transactions with individuals and/or entities or as part of a periodic review of those relationships.

Your personal data may be included in a Report or DDQ if you are an actual or prospective customer, vendor, business partner or other counterparty of a customer of ours (Third Party) or an employee or officer of a Third Party.

Reports may be provided:

  • Digitally through the Ethixbase360 platform
  • Through more detailed reports known as Enhanced Due Diligence or Collaboration Reports. Collaboration Reports are prepared in collaboration with the Third Party and include personal data found from Public Domain Sources and provided in responses to a DDQ provided with the consent of the Third Party.

Responses to DDQs are collected through the Ethixbase360 platform with the consent of the Third Party.

When ordering a Report, our customers instruct us to carry out searches of predominantly Public Domain Sources and, in the case of a DDQ, to collect information direct from the Third Party.  Personal data collected this way are presented in one of our standard Report formats. We do not prepare Reports or collect responses to DDQs other than at the specific request of our customers.

Who is the Data Controller?

Our customer who pays for a Report is the data controller of the Report.  Who pays for the Report varies depending on the type of Due Diligence Service we provide.

The data controller of DDQ responses again varies depending on the type of Due Diligence Service we provide.

In all cases we are the data processor to the data controller.

How do we collect personal data about you?

  • Our customers when they ask us to prepare a Report on, or to issue a DDQ to, a Third Party
  • From the Third Party in the case of responses to DDQs
  • Our third-party data providers who source personal data from public domain sources
  • From our own searches of public domain sources using standard search engines
  • When specifically requested by a customer, by taking reference information from reliable sources with knowledge of the Third Party

Personal data we collect about you

The type of personal data we collect can vary considerably depending on the Due Diligence Service we are providing. Personal data found from public domain sources is often limited.  Data subjects are generally aware of their personal data that is in the public domain and should have a reasonable expectation that such personal data will be used by our customers for the purposes of regulatory and legal compliance.

Identification details – such as name, any known aliases, age, date of birth, gender, country of residence, passport details, and citizenship

Public identification numbers – like social security or national insurance numbers.  These are not routinely available from public domain sources.

Family or close associate-related information – such as marital status, dependents or close associates if you are a politically exposed person (PEP) when applicable law requires our customers to be aware of these relationships

PEP relationships – your status as a family member or close associate of a PEP when applicable law requires our customers to be aware of these relationships

Political opinion, religious views or sexual orientation – if this can be inferred from your status as a PEP or a PEP family member

Employment and education history – including your job title, employer, public or official roles (e.g. political, military, religious, diplomatic, or judicial positions)

Professional and personal connections – such as associations with individuals or organisations, including sanctioned vessels or aircraft

Financial background – for example, public records of bankruptcy or insolvency

Public listings – if your name appears on sanctions lists or public records of disqualified directors or similar restricted roles

Companies Registry information – such as your status or former status as a director, officer or shareholder of a company

Public information about criminal or alleged criminal activity – such as money laundering, terrorist financing, or related financial crimes

Reference information – information about your good standing collected from sources with local knowledge about you

Online content – any posts or content you’ve made publicly available on websites, blogs, or social media platforms

Lawful basis for processing

We process standard personal data on the basis of our customers’/the data controller’s legitimate interests to conduct due diligence checks to comply with their legal or regulatory obligations.

We generally process special category (e.g. political opinion or religious views) and criminal data for reasons of substantial public interest on the basis of applicable law.

SECTION 3: INFORMATION THAT APPLIES WHEN WE ACT AS A DATA CONTROLLER AND A DATA PROCESSOR

Who we share your personal data with

  • Ethixbase360 group companies – so they can use your personal data as described in this Privacy Notice
  • Our customer or their service providers – if they arranged your access to our services or commissioned a Report
  • Business partners – for co-branded or co-sold services, joint events, co-marketing or content collaborations.  In relation to Reports, this will generally be limited to business partners who resell our Due Diligence Services to their own customers
  • Vendors and service providers – who help us deliver our services or act on our behalf (e.g. hosting providers, technology providers, subcontractors, processors). We only share what is necessary and ensure vendors and service providers use your information only to provide services on our behalf, unless the law allows otherwise.
  • Government agencies, regulators or courts – where we are legally required or permitted to share personal data (e.g. law enforcement or tax authorities)
  • Transaction partners – if we are involved in a sale, merger, acquisition, restructure, or similar corporate deal, your personal data may be shared with the other parties and their advisors or transferred as part of the deal
  • Legal and security professionals – where needed to protect our rights, users, networks, or services
  • Other third parties at your request – for example, if you post content in a public area or ask us to share personal data with someone else

We take care to ensure all recipients handle your information lawfully and securely and only for the purposes set out in this Privacy Notice.

We do not sell your information to third parties but anonymised and statistical information generated by your personal data may be sold to other organisations.

International data transfers

As a global organisation, we may store or process your personal data outside your home country, including in countries that do not have a formal adequacy decision from regulators like the UK Information Commissioner or European Commission.

We have safeguards in place to protect your information when it is transferred internationally, in line with applicable data protection laws. These safeguards often include contractual protections (such as standard contractual clauses). You can contact [email protected] to request more information about these safeguards.

How and why we transfer your personal data

  • Networks, databases, servers and systems around the world
  • Global support and helpdesk services
  • Third-party providers such as cloud hosting services, technology support, and other suppliers

Transfers may be to countries where Ethixbase360 operates or has business partners, such as:

  • The United States, Canada, Australia, and countries across Europe
  • Regions in Asia, including Singapore, and Malaysia
  • Other countries where Ethixbase360 has a business presence or partner

Safeguards and your rights

We ensure all international data transfers comply with legal requirements, including the EU GDPR (Articles 44–50) and equivalent rules in other countries.

If you would like to learn more about how we protect your information during international transfers, or to request details of the safeguards we use, please contact [email protected].

How do we secure your information

We take the security of your personal information seriously. We use a combination of technical, administrative, and physical safeguards to protect your data, based on the level of risk.

Ethixbase has a dedicated Information Security Management function.

Our security policies and procedures are:

  • Aligned with international standards such as ISO27001
  • Regularly reviewed and updated to reflect changes in technology, business needs, and regulatory requirements

While we take reasonable steps to protect your information, no internet transmission is completely secure.  No organisation can guarantee the security of data sent to or by it over the internet.

How long do we keep your information

We keep your personal information for as long as it is needed in connection with the purpose for which it was originally collected.

  • When you (or our customer) stop using our services
  • How long it’s reasonable to keep records to show we met our legal and contractual obligations
  • Any legal time limits for bringing claims
  • Any legal or regulatory retention requirements
  • Whether any legal proceedings are ongoing or expected

If we are acting as a data processor for our customer in connection with our Due Diligence Service, we will keep your personal data until instructed otherwise by our customer.

Your Rights

Under the UK and EU GDPR, you have the:

  • Right to access: you can request access to copies of your personal data
  • Right to rectification: you can request to have your personal data corrected
  • Right to erasure (right to be forgotten): you can request your personal data to be erased in certain circumstances
  • Right to restriction: you can request to restrict the processing of your personal data in certain circumstances
  • Right to object: you can object to the processing of your personal data in certain circumstances
  • Right to data portability: you can request that we transfer your information to you or to a third party in certain circumstances.
  • Right to withdraw consent: where you have previously consented to a processing activity and wish for your data not to be processed anymore for that activity, you can withdraw your consent.

If you wish to exercise any of the above rights, please contact us at [email protected].

When we are acting as a data processor to our customer, we are obliged by law and contract to refer these requests to that customer and to act in accordance with their instructions.  We will let you know if this is the case.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

Cookies:

  1. What are Cookies? Cookies are small text files that are placed on your device when you visit the Website and use any of our Products. Ethixbase UK Limited’s use of cookies is detailed below. Session cookies enable you to move from page to page within websites and any information you enter will be remembered but is deleted when you close your browser or after a short time. Persistent cookies allow us to remember your preferences and settings when you use the Website and our Products in the future, in different browser sessions. 
  2. Disabling Cookies: The use of the cookies described above improves the functionality of the Website and your experience of using them. If you do not want these cookies to be served on your device, you are able to disable them by changing the settings on your browser, or on your device. Please note that if you do decide to disable cookies you may not be able to access some of the Website, and some of the features of the Website or our Products may not function properly. By continuing to use the Website or our Products, you consent to the relevant cookies being set on your device. 
  3. Third Party Cookies: Third Party advertisers may place or read cookies on your browser or device on the Website or when using our Products. This Privacy Notice is applicable only to the use of cookies by Ethixbase 360 and does not cover the use of cookies by any third parties (including advertisers or social media companies). 
  4. More information: To find out more about how cookies work, how to manage and delete them and to see which ones have been set please visit aboutcookies.org or www.allaboutcookies.org

Ethixbase360 uses cookies and similar technologies in the following ways when you use the Website and/or our Products: 

Session Cookie

Ethixbase360 uses session cookies to help with the navigation of a user on a website and provide the ability for a user to traverse and navigate the website without losing data or a selection made from a previous page.

Further Information
This cookie expires when a browser is closed or after 15 mins of inactivity

Permanent Cookie

Ethixbase360 uses permanent cookies to remember the user’s login and password information if they opt to from the login page. This allows the users not to re-enter their login information each time they visit the website.

Further Information
Although the cookie is persistent, it expires after a period of 3 months

First Party Cookie

Ethixbase360 uses First Party cookies to track and report website users via WordPress. This includes information such as comments on articles or forms filled in where hosted directly via WordPress.

Further Information
This cookie only includes information as submitted by users.

Google Analytics Third Party Cookie

Ethixbase360 uses Google Analytics cookies to track and report on website traffic. This cookie collects information in an anonymous form on website usage, such as number of visitors on the website, frequency and volume of users at any given time, which Ethixbase360 uses in turn to help improve its services.

Further Information
This is a session cookie and does not store any personal identifiable information.

HubSpot Third Party Cookie

Ethixbase360 uses HubSpot session cookies to collect information on users’ behaviour while navigating the ethixbase360.com website. It tracks when users access the site, pages visited and succeeding transactions of users to identify possible ways to improve the user experience when on the ethiXbase.com website.

Further Information
HubSpot Third Party Cookie

Autopilot Third Party Cookie

Ethixbase360 uses Autopilot session cookies to collect information on users’ behaviour while navigating our website. It tracks when users access the site, pages visited and succeeding transactions of users to identify possible ways to improve the user experience of its products.

Further Information
This is a session cookie and does not store any personally identifiable information

Changes to this Privacy Notice

We may change this Privacy Notice at any time, in which case we shall notify you of any changes at https://ethixbase360.com/privacy-policy-2/ and update the last updated date at the start of this Privacy Notice.