Request a demo

Privacy Policy

(v1.6 last updated March 2025)

1.Who are we?

Synalogik Innovative Solutions Ltd is a UK based company that has built and designed a cutting-edge software solution called Scout®.

Scout®, a secure cloud-based Software-as-a-Service (SaaS) product, rapidly enables a corporate individual (Clients) to aggregate huge and disparate data sets into one central place for the purpose of real-time investigative and intelligence-based analysis; through to case and customer management, monitoring and reporting. Scout® saves Client’s a lot of time and effort by producing bespoke and detailed reports in one place, aligned and configured to their specific requirements and objectives.

Scout® is designed with multiple functionalities that support Clients in efficiently managing and automating their casework and customer management activities. It includes the ability to make notes, produce and link client profiles, calculate risk scores, to monitoring and reporting of activities, thus enabling them to effectively meet and comply with their legal, regulatory, and fiduciary monitoring and reporting requirements all within one location.

We work with and support both public and private sector organisations through our software as a service solution.

2. Our approach to privacy management

We have various roles, including at Senior Manager level, whom are responsible for ensuring that privacy, data protection, cyber security, and information security measures are proactively undertaken, and their effectiveness constantly monitored and regularly evaluated. Appropriate technical and procedural measures are implemented to meet our statutory obligations under data protection legislation and independently certified cyber security standards.

We have implemented appropriate technical and organisational control measures, including protection against unauthorised or unlawful processing, and against accidental loss, destruction, or damage, to safeguard personal data that is accessed or processed via our Scout® platform. Furthermore, at the heart of our software and organisation we have implemented a myriad of security controls to ensure the ongoing confidentiality, integrity, availability and resilience of our IT networks, systems, services and data.

We are committed to respecting privacy, compliance with applicable data protection legislation, and maintaining our externally qualified registration to ISO 2700, and NCSC approved certification to Cyber Essentials & Cyber Essentials Plus.

This Privacy Notice aims to set out, in a clear and transparent manner, the type and nature of our activities and to explain how personal information is processed in the usual course of our business, including when you use and access our website.

3. The legal bit

Synalogik is a private limited company, registered in England under number 11601168. Our registered offices are 4th Floor, St James House, St James Square, Cheltenham GL50 3PR and our trading (operating) address is Midlands Centre for Cyber Security, Hursey Road, Rotherwas, Hereford Hr2,6FP. To contact Synalogik in the first instance please email compliance@synalogik.com

We are registered with the Information Commissioner’s Office (ICO) under registration number ZA464486.

Our website and innovative software platform (Scout®) are not intended to be used by private individuals or anyone under the age of 18 years of age.

In data protection terms we operate both as a controller and a processor of personal data with the difference set out below.

  • Controller: In simplified terms a controller ‘determines the purposes and means processing’. In essence determining the ‘why and how’ personal data is processed.

We are a controller where we process business information for the following purposes, employment, sales, marketing, finance or to fulfil our legal, regulatory and fiduciary obligations as a UK based organisation.

We are also a controller for some of the publicly available data sets that we host and make available to Clients via Scout®. We are a controller of these data sets as we collect, maintain and structure the data for access via Scout®. We are therefore determining the purposes and means of processing this data.

Our customers are the controller for their data that they process through Scout® as they determine the reasons why they collect and process their data, and the purposes that their processing via Scout® serves.

  • Processor: In simplified terms a processor ‘processes personal data on behalf of the controller’. In essence, we are only processing our customer personal data because we are instructed, under contract, to do so by our customers.

We are also a processor for some of the data feeds accessible via Scout®, as access to those data feeds, and what purposes those data feeds can be processed for, are governed by strict contractual terms imposed upon us by the appropriate provider.

However, as a processor, we do not physically collect personal data from any individual nor have a direct relationship with them.

  • Personal Data: It may also help at this stage to highlight that the term ‘Personal Data’ also has a specific meaning. In data protection terms it means ‘any information relating to an identified or identifiable living individual’.

4. What is Scout®

Scout®, a secure cloud-based Software-as-a-Service (SaaS) product, enables our Clients to bring together (aggregate) different data sets into one central place for investigative and intelligence-based analysis and to automate complex legal, regulatory, and fiduciary monitoring and reporting activities. It is designed with multiple functionalities that enable our Clients to efficiently manage and automate their casework and customer management activities, make notes, produce and link client profiles, risk score, and evidentially demonstrate compliance to regulatory standards.

Our Clients are provided with their own version of Scout®, with each Client’s version of Scout® distinct and separate from another. This means that it is not possible for one customer to view or access another customer’s account, processing activities, information, or intelligence.

Scout® is designed and built using secure software, with access controlled and use governed by a range of technical, organisational, and procedural security measures. Scout® can be configured by our Clients to meet their own specific investigative, reporting and processing requirements. This means that our Clients remain in control of their own data at all times.

Our Client’s access to Scout® is restricted to permitted processing ‘use cases’ that our customers’ clearly specify, and we assess, through our due diligence processes prior to granting access. The processing use cases relate to: data validation, anti-money laundering, fraud investigation, prevention and detection; law enforcement and national security measures, debt collection and tracing; prevention and detection of crime; asset reunification; PEPs and sanctions checks; financial vulnerability assessments; or to complying with regulatory obligations such as the licence rules imposed by the Gambling Commission in support of safer and responsible gambling.

It is these use cases that permit and restrict access to a range of public and industry sourced ‘third party’ and ‘open sourced’ data sets.

Credit Reference Agency, is only one type of data set that may be accessed by some customers. The three main credit reference agencies are Transunion, Experian and Equifax. They each use and share personal data that they receive about you and/or your business activity. You can read each of the Credit Reference Agencies Information Notices by visiting the links provided below:

As a data aggregator (and processor) under contract to our data suppliers, we can provide controlled access to such data sets subject to strict contractual terms and technical security measures designed into Scout®. Contractual obligations imposed by the data supplier, where applicable, flow down to our Clients through our own contractual arrangements with them.

For the purposes of clarity, as a processor, we only process customer and/or supplier data on the written instruction from the appropriate party. It is important to note at this stage that we do not have direct or unrestricted access to any Client or supplier data. Our access is strictly prohibited, unless sanctioned by senior management and appropriate Client authorisation. Access is rigorously controlled by appropriate technical, physical, and organisational safeguards that prohibit access to only approved employees where there is a need to do so.

Public data sourced via a Scout® search is often that which can be found by using a standard search engine on the internet or by contacting publicly accessible websites such as Companies House, FCA, Land Registry, DVLA or DVSA. Please refer to their websites for information relating to how they collect, use and share personal data.

Although our Clients could obtain the same information by engaging directly with each independent data supplier or publicly available source, the benefit that Scout® delivers to our Clients, is the integration of various data sources (public and private) into one platform. A single view of multiple sources, including Client data, enables a quicker, smarter, and more efficient and intuitive analysis and assessments to be undertaken.

Clients can upload their datasets into Scout®, and source additional information via the data suppliers, to facilitate and collate responses, create tags, profiles, or reports to support further investigative purposes or to link points of interest. Through Scout® Clients can determine risk scores and utilise automated analysis to reveal hidden intelligence that may not immediately be visible from a single set of data alone. All results and generated outcomes, such as monitoring and reporting, are viewed by a Client’s analyst, and no automated decision making is applied to the data processed.

All Client data, tags, notes, profiles, case management and customer reports are retained on our Client’s version of Scout®, and subject to our Client’s retention policy, that they have determined as the controller of this information.

Scout® is designed with some clever and secure technology that includes various monitoring functions. These monitoring functions are to support the delivery of our services (Service Monitoring) for example:

  • to support with customer billing and reconciliation of our supplier invoices,
  • to assist with recovery and customer support from monitoring error codes,
  • to monitoring volume and fair use rates,
  • to alert us to excessive use or a misconfigured data feed and the return of excessive amounts of data.
  • to alert us to problems, for example, when the system may not be working efficiently

Service Monitoring within Scout® does not include any personal data uploaded to Scout®, or the specific results of any data sourced by our customers.

As part of our security infrastructure, we proactively monitor user access and network activity for any unusual activity that may indicate unlawful or unauthorised access. The monitoring of user access to systems, software, network, or other technologically driven infrastructures is now commonplace for most organisations. It is a requirement to ensure appropriate technical, organisational and procedural measures are in place to satisfy legal and regulatory requirements, for information security certification standards, and to ensure the ongoing resilience of any system, software, or network infrastructure.

Our Clients, as the controller, can configure Scout® to meet their own needs, and ultimately determine the data to be searched, the level and proportionality of the search, as well as the level of risk scoring that is to be applied. Scout® simply presents information, creates reports, and customer and case management solutions in an innovative way to enable our Clients, as the controller, to make informed or investigative decisions based upon the information or intelligence returned.

Essentially our software speeds up the process of data aggregation and analysis for our Clients, but it is our Clients who determine what data is uploaded into Scout®, what data feeds are accessed, to what degree personal data is processed, the purpose of the processing activity, and what they want to do with the results.

It is important to reiterate that we do not have direct or unrestricted access to any Client data. Our access is strictly prohibited, unless sanctioned by senior management and appropriate Client authorisation. Access is rigorously controlled by appropriate technical, physical, and organisational safeguards that prohibit access to only approved employees.

We train our Clients on the most efficient way to utilise the service and will provide all of the search and analytical tools to enable them to achieve the best out of Scout®, but we process no data without their instruction. When test data is used, we use personal data of individuals who have given consent to the processing or synthetic (mock) data.

Synalogik, is a secure software service provider, and under data protection terms predominantly operates as a processor.

5. Customer data processed using Scout®

When a Client accesses Scout® they are presented with an acceptable use policy that they must acknowledge, on every occasion, before progressing into the system. Clients can use the system for investigating and assessing their own data sets, or to supplement their data sets with information retrieved from performing a search and drawing on the authorised data sets made available to them.

Access to external data feeds is strictly controlled and governed by contractual restrictions. These measures are supported by a range of technical measures designed into Scout® to prevent access to data feeds unless authorised and technically permitted.

When a Client performs a search, Scout® interrogates a predetermined set of external records and returns search results that are presented to our Client via the dashboard in Scout®. The customer may supply some information to support the search, or for analysis purposes using the functionalities available in Scout®. This information may include names, address, dates of birth, contact numbers, email addresses, bin numbers, vehicle data, property ownership, purchase price, company directorship, it may also include details of third parties and geographical locations including IP addresses.

Clients working in the crime prevention or detection arena, or national security may provide additional and more sensitive information.

Depending on the data supplier being used a wide range of intelligence may be returned from a customer search. This may include information from the industry suppliers, credit reference agencies, the public domain, governmental websites including sanctions lists, information concerning adverse publicity, bankruptcies as well as financial information such as credit application, CCJ’s, IVAs. Information may also be returned from open sources such as those retrieved via an internet search.

The data supplier will ensure that any personal data accessed via Scout® has been lawfully obtained and permitted for the applicable use case.

Where the information comes from governmental sources the lawful basis will usually be to fulfil a public function, comply with a legal obligation or is produced in the substantial public interest.

Some personal data is classified as special category, or sensitive, and includes information about sexuality or orientation, religion and ethnicity, health conditions, political opinions or actual or alleged criminal activity or records. Some data sources may reveal this type of information about individuals.

Client information processed via Scout® will only be processed according to their written instructions and it is they, as controller, who determines that the processing remains lawful at all times, including the applicable lawful basis for the data that they are processing via Scout®.

 

When we operate as a controller we do not collect, store, or process information obtained from our Clients or their searches. We are contractually restricted from accessing any external data feeds for our own internal purposes, and have implemented appropriate technical and organisational measures to prevent such activities from occurring.

6.What information do we, as controller, collect or process about you?

6.1 Website visitors and general enquiries

We collect information from you when you interact with us, such as when you use or website or make an enquiry with us via our website.

By visiting our website, we may be able to see your IP address, approximate geographical location, and the pages that you visit. Your information shall remain anonymous unless you share your contact details with us.

6.2 Business information

To market, promote, and raise awareness of our organisation’s services, we research and process corporate and public sector information, which will include your contact details, the name of the organisation you work for and your role or job title. The processing of such information is limited to only the information necessary to build or maintain a business relationship with you.

For sales and marketing purposes we do, on occasion, engage external companies to assist us in data enhancement, for example to add a missing telephone number or email address, or to obtain appropriate contact details to create interest or further an enquiry.

Marketing and sales calls by our sales team may be recorded for quality and monitoring purposes.

We also process data obtained through general business practice for the effective and efficient management of the organisation and to give effect to our business, contractual, legal, and regulatory obligations such as financial accounting and internal reporting purposes.

We never sell, exchange, or otherwise share any personal data obtained from business relationships, concerning visitors to our website, of our Clients or authorised users of our technology.

6.3 Lawful basis for processing

As a controller we are obligated to have an appropriate lawful basis identified, as set out in data protection legislation, for each processing activity that we undertake.

When you visit our website, we shall rely on consent to process non-essential cookies. This is managed via our ‘cookie banner’ which is displayed when you visit our website. Any personal data obtained via our cookies will be processed according to your consent (non-essential cookies) or under legitimate interest (essential cookies).

To manage any enquires you make of us and for processing our general business information, we shall rely on legitimate interests or contractual obligations depending on the nature of our relationship. 

We will only rely on “legitimate interest” to process personal data (or those of a third party) if our interests do not override your fundamental rights and freedoms.

We will only use your personal information for the purpose(s) for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose(s). We may process your personal information without your knowledge or consent, but only where this is required or permitted by law.

Where we operate as a controller for some publicly obtained datasets, as described above, we rely on legitimate interest and/or public interest (public protection such as protection against financial loss, malpractice, improper conduct, dishonesty etc) to process and make such information available to our Clients. To reiterate, this information is already easily accessible online and via online registers (e.g. Companies House register), made public by the appropriate legislative provisions.

Where we operate as a processor, our basis for processing customer data is under the written instruction provided by the Client.

7. Who information is disclosed to or shared with?

7.1 Personal data processed using Scout®

Client information is only disclosed with those third-party data suppliers whom the Client is permitted to access and has requested for a given search. The information is disclosed with the provider for the purpose of identifying information to be returned and presented back to our Client in Scout®. A copy of the information is held within the Client’s version of Scout®, subject to the Client’s retention period. At all times our Client remains responsible for, and in control of, any personal data processed.

In the course of delivering our services to our Clients we may be required to disclose or provide data to the police or other law enforcement agency. This would only occur where we had a legal obligation to do so, for example, under a police force warrant or court order, and subject to our Data Protection Officer’s (DPO) advice.

7.2 Website visitors and general enquiries

Information that we collect from you when you interact with our website is only disclosed with our web-host supplier who hosts and look after our website on our behalf. As a processor, they are appointed subject to appropriate contractual terms, including confidentiality, and are not further permitted to process any such information for their own internal purposes, save for legal obligations, without our appropriate written authorisation.

7.3 Business information

We rely on third-party processors (suppliers) to support our service delivery, such as our cloud-based CRM provider, and similar type of corporate databases and software solutions (e.g. human resources, payment of invoices etc).

Our third-party processors only process your personal data under our strict instruction, subject to contractual safeguards, and after we have performed appropriate due diligence on them. Our third-party processors are prohibited from using any disclosed or shared information for their own purposes.

On occasion we may have to provide personal data to our professional advisors, such as our accountants, legal advisors and official auditors. You can be assured that this will only take place when necessary for the smooth management of the business and subject to appropriate technical and organisational controls, including confidentiality. It is highly unlikely that we will need to share data from external parties, for example data supplied from a Client, or retrieved from a data Supplier.

We carry out our own internal IT support, but in the rare event that external IT support was required, we may need to grant them access to some or all of your personal data. As with any other third-party service provide, they would be contractually required by us to maintain appropriate security measures, including confidentiality, so as to protect all personal data to which they have access.

We would not grant access to external support workers without written confirmation that their data security requirements are of an appropriate standard to carry out the required tasks.

8. Data Security

Our system uses secure and externally assured cloud-based technology, meaning that rather than being stored on physical servers at our offices, your data is securely stored in encrypted format and processed in a secure environment “on the cloud”.

We have implemented an array of appropriate cyber related safeguards (both technical and procedural) and organisational control measures (including a recurring mandatory information security and data protection awareness training) to ensure appropriate security, including protection against unauthorised or unlawful processing, and against accidental loss, destruction, or damage.  Furthermore, we have implemented appropriate security controls to ensure the ongoing confidentiality, integrity, availability and resilience of our systems and services.

The strength of our environment is regularly “penetration tested” by an external CREST certified third-party, and we have made all reasonable endeavours to comply with recommendations of those tests to ensure that our data, IT systems, networks and Scout software products are maintained and secure.

Furthermore, we are certified to appropriate and highly recognisable industry standards including NCSC approved and IASME accredited to both: Cyber Essentials and Cyber Essentials Plus.  We are externally registered to: ISO 27001 by Citation ISO Certification and regularly undertake internal audits to support external surveillance & recertification audits.  This provides assurance that our governance, risk & compliance measures are adhered to, and registration maintained.

We have stringent incident management procedures in place to deal with any known or suspected data breaches or security incidents.

9. Retention of your information

How long your information will be retained for in Scout® is determined by the Client and their own retention periods.  This functionality is configurable in Scout® to give effect to our Client’s own retention requirements, as controller.

Where the Client’s retention period has expired and/or where the Client specifically requests that their information is securely removed from Scout®, we make our best endeavours to do so in a timely manner.

In our commercial and employment relationships we usually retain the information for 7 years after the relationship has ended.

For details relating to our website cookies please refer to our Cookie Policy.

10. Cookies

Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of our website and to compile statistical reports on website activity.

We use cookies to monitor and manage those using our website and Scout®. The Scout® cookies are sessional cookies and are used:

  • to ensure secure user access and
  • to ensure screen positions/formats are preserved as users navigate the system.

Sessional cookies expire at the end of each session (e.g. once the browser session is closed) and do not contain any personal information.

On visiting our website, you will be presented with a cookie banner and an option to accept or decline our cookies. You can also set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser.

For further information visit www.aboutcookies.org or www.allaboutcookies.org.

11. Your rights

The UK GDPR and Data Protection Act 2018 affords individuals whose personal data is processed certain rights, and these are listed below for your convenience.

Please note we may have to verify your identity before we can proceed, and any rights request will be processed in accordance with data protection laws and regulatory guidance issued by the Information Commissioner’s Office (ICO).

You have the following rights and how we manage them will depend on whether we operate as a controller or processor.  Where we operate as a controller of your information, we will directly manage your request. Where we operate as a processor of your information, your request will simply be forwarded to the appropriate controller or data supplier for processing in accordance with data protection laws.

  • Right to access: This is a right to a copy of the personal information we hold about you by making a Data Subject Access Request (DSAR). You can do this by using the contact details at the end of this document.
  • Right of rectification: This is a right to amend or update your personal information and ensure we maintain accurate and up to date records and or data about you.
  • Right to erasure: This is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
  • Right to restrict processing: This is a right to ‘block’ or suppress the processing of your personal data. Processing of your personal information may be restricted in the event it is no longer essential to support the use of services provided to you and is no longer needed for any contractual, legal or financial reasons. In those cases, Synalogik is permitted to store the personal data, but not further process it. We may retain just enough information about you to ensure that any restriction is respected in the future.
  • Right to Data portability: This right allows individuals to obtain and or reuse their personal data for their own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. This right does not apply to Synalogik, customer or supplier data.
  • Right to object: This is a right to object to the processing of your personal information based on consent, our legitimate interests, a task in the public interest or exercise of official authority including direct marketing or profiling activities, and processing for purposes of scientific and or historical research and statistics.
  • Right to be made aware of any automated decision-making: This right relates to being transparent about processing activities involving automated decisions (that made without any human involvement), and/or profiling of your personal information by Synalogik. Scout® undertakes an automated process to score risks and match datasets, but automated decisions are not made on you which will affect you in a legal way.
  • Right to stop direct marketing: This is an absolute right to ask us to stop sending you direct mail or marketing emails. For some processing you will have given permission to process your information, and in these cases, you can withdraw your consent at any time however, any records already captured may need to be kept, in full or part, for legal reasons.

In certain situations, the above rights may not apply for the purposes stipulated within data protection legislation. For example, if you entered a contract with us, and we need to notify you about an alteration by way of a service communication. Even if you asked us previously not to communicate with you, we retain the right to do so, but in this case, we would not send you any further direct marketing communications.

12. Contact details

If you have any questions, queries or are unhappy with how we have, or may have, processed your personal information, please do not hesitate to contact us using the details provided below:

Title: The Data Protection Officer (DPO)

Email: compliance@synalogik.com

If you are unhappy with how we have processed your information, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), their contact details are below.

We respectfully ask you to try and resolve your compliant with us in the first instance and the ICO may want to see that you have taken steps to do so.

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF
Helpline: 0303 123 1113 (local rate) or +44 1625 545 745
https://ico.org.uk/concerns/

Changes to our Privacy Notice

We keep our privacy notice under regular review. We will place any updates on this web page and endeavour to identify the date of the last update under the title at the top of this page.