This Privacy Policy explains how OneFintel, a trading name of 1EOR Global UK (“we”, “us”, “our”), collects, uses, stores and shares your personal data when you use our website, portal, demo, embedded tools, white-label sites, or REST API (together, the “Services”).
We act as the data controller for personal data we collect from visitors, prospects, and individual users of our website and demo. We act as a data processor on behalf of subscribed customers when we screen, monitor, or store data those customers submit through the portal, embed tokens, or API.
1. Data we collect
1.1 You provide it
- Account data: name, work email, company name, billing address, role, password (hashed).
- Live demo lead data: name, work email, phone number, company name, country.
- Customer content submitted into our screening, monitoring, or PEP-search tools.
- Support correspondence: any message you send us via email, ticket, or call transcript.
1.2 Collected automatically
- Service logs: IP address, user-agent, timestamp, URL, HTTP status, response time, request size.
- Telemetry: feature usage, error reports (server-side only — no client cookies).
- Stripe billing metadata if you subscribe to a paid plan (we do not see card numbers).
1.3 What we don't collect
We do not run third-party advertising trackers, behavioural cookies, or marketing pixels. The website ships zero analytics cookies on first load. See our Cookies policy for the short list of strictly-necessary cookies we use after login.
2. Lawful basis (UK GDPR / GDPR)
- Contract — to operate the Services for paying customers and trial users.
- Legitimate interest — for fraud prevention, service security, billing reconciliation, prospect outreach where you have engaged with us.
- Legal obligation — for AML record retention (five years in the UK), tax records, and lawful disclosure requests.
- Consent — for any non-essential outbound marketing (email, calls).
3. How we use it
- To provide, secure, and improve the Services.
- To bill you, send invoices, and recover overdue payment.
- To send service notifications (security, outage, terms changes).
- To screen for sanctions / PEP / adverse media on your instruction.
- To meet our own legal obligations (AML, tax, accounting).
4. Sub-processors
We rely on the following sub-processors. A full live list is maintained inside the customer portal.
- Supabase (PostgreSQL hosting + Auth) — EU region.
- Vercel (web hosting, CDN) — EU + global edge.
- Railway (background workers) — EU region.
- Upstash (Redis for rate limiting) — EU region.
- Stripe (payments and subscriptions) — global, PCI DSS Level 1.
- OpenSanctions, FastForex, frankfurter.dev and similar feed providers — only request payloads necessary to fulfil a screen / lookup are shared.
5. International transfers
Customer content is stored in the EU by default. Transfers to non-adequate jurisdictions (e.g. the US) for Stripe, certain sanctions feeds, or your own white-label tenants are made under the UK IDTA / EU SCCs as appropriate. We do not store screening results outside the EU without your written consent.
6. Retention
- Account data: for the life of the account + 6 years (UK accounting requirement).
- Screening logs: 5 years (UK MLR 2017 requirement).
- Demo lead data: 12 months from the last interaction.
- Server logs: 90 days, then aggregated.
- Backups: 35 days rolling.
7. Your rights
Under UK GDPR you have the rights of access, rectification, erasure, restriction, portability, and objection. You can also withdraw consent at any time. To exercise any of these, contact us via the form on /contact. You may also complain to the UK Information Commissioner's Office at ico.org.uk.
8. Security
All data in transit is encrypted (TLS 1.2+). Data at rest is encrypted at the storage layer. Authentication is handled by Supabase Auth; API keys are stored only as SHA-256 hashes, embed tokens are restricted by a domain allowlist, and tenant isolation is enforced with Postgres row-level security. We do not store payment card data — Stripe handles all card processing as a PCI DSS Level 1 provider.
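Two of the controls named above, hashed API keys and an embed-token domain allowlist, are easy to get subtly wrong (storing the key itself, or matching the allowlist by suffix). The following is an added illustration written for this page, not OneFintel's own code: the key format ("ofk_" prefix), the in-memory key table and the header names are assumptions made for the example.

```python
"""Illustration of two controls named in section 8 of the policy: API keys
held only as SHA-256 hashes, and embed tokens bound to a domain allowlist.
Example code written for this page, not OneFintel's implementation. The key
format ("ofk_" prefix), the in-memory table and the header names are assumed."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set
from urllib.parse import urlsplit


@dataclass
class KeyRecord:
    tenant_id: str
    # Hostnames allowed to present this token from the browser (embed tokens only).
    allowed_origins: Set[str] = field(default_factory=set)


# Constructed stand-in for the keys table: maps hex SHA-256(secret) -> record.
# The plaintext secret is never stored, so a database dump yields no usable keys.
KEYS: Dict[str, KeyRecord] = {}


def hash_key(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def issue_key(tenant_id: str, allowed_origins: Iterable[str] = ()) -> str:
    """Mint a 256-bit random secret and store only its hash.

    Plain SHA-256 (no salt, no stretching) is acceptable here only because the
    secret is high-entropy random data, not a user-chosen password; an unsalted
    hash is also what lets the key be looked up directly by its hash.
    """
    secret = "ofk_" + secrets.token_urlsafe(32)
    KEYS[hash_key(secret)] = KeyRecord(tenant_id, {h.lower() for h in allowed_origins})
    return secret  # handed to the caller once; cannot be recovered from KEYS


def lookup_key(presented: str) -> Optional[KeyRecord]:
    """Resolve a presented key to its record, or None if unknown or malformed."""
    if not presented.startswith("ofk_"):
        return None
    return KEYS.get(hash_key(presented))


def origin_allowed(origin_header: Optional[str], allowlist: Set[str]) -> bool:
    """Exact, case-insensitive hostname match against the allowlist.

    Deliberately no wildcard and no suffix match: an 'endswith' check would let
    evil-customer.example pass for customer.example. Non-https origins and the
    opaque 'null' origin (sandboxed iframes, file://) are rejected. Ports are
    ignored because the hostname is what the allowlist is keyed on here.
    """
    if not origin_header:
        return False
    parts = urlsplit(origin_header)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return parts.hostname.lower() in allowlist


def authorize_embed_request(headers: Dict[str, str]) -> Optional[str]:
    """Return the tenant_id an embed request acts for, or None to reject.

    Header names are assumed for the example. Both the token and the Origin
    must check out; a valid token presented from the wrong site is refused.
    """
    rec = lookup_key(headers.get("X-Embed-Token", ""))
    if rec is None:
        return None
    if not origin_allowed(headers.get("Origin"), rec.allowed_origins):
        return None
    return rec.tenant_id


if __name__ == "__main__":
    tok = issue_key("tenant-a", ["app.customer.example"])
    print(authorize_embed_request({"X-Embed-Token": tok, "Origin": "https://app.customer.example"}))
    print(authorize_embed_request({"X-Embed-Token": tok, "Origin": "https://evil.example"}))
```

The design point is the pairing: an unsalted SHA-256 is only safe because the secret is generated with 256 bits of entropy, and the allowlist check must be an exact hostname match, since a suffix or substring match turns the control into a bypass.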
9. Children
The Services are not directed to anyone under 18. We do not knowingly collect personal data from children.
10. Changes to this policy
We will post material changes here at least 14 days before they take effect. For active customers, we also notify the workspace admin via email when a material change is made.
11. Contact
Data Protection enquiries: please use the form on our contact page. The data controller is 1EOR Global UK, registered in England and Wales.