v1.5 last updated April 2024
1. Who are we?
Synalogik Innovative Solutions Ltd is a UK based company that has built and designed a cutting-edge software solution called Scout®.
Scout®, a secure cloud-based Software-as-a-Service (SaaS) product, rapidly enables a corporate individual to aggregate huge and disparate data sets into one central place for the purpose of real-time investigative and intelligence-based analysis, saving a lot of time and effort by producing bespoke and detailed reports in one place, aligned to their specific requirements and objectives.
Scout® is designed with multiple functionalities that support corporate individuals in efficiently managing and automating their casework and customer management activities. It includes the ability to make notes, produce and link client profiles, and calculate risk scores, thus enabling them to effectively meet and comply with their legal, regulatory, and fiduciary monitoring and reporting requirements all within one location.
We work with and support both public and private sector organisations through our software as a service solution.
2. Our approach to privacy management
We have various roles, including at Senior Manager level, whom are responsible for ensuring that privacy, data protection, cyber security, and information security measures are proactively undertaken, their effectiveness constantly monitored and regularly evaluated. Appropriate technical and procedural measures are implemented to meet our statutory obligations under data protection legislation and independently certified cyber security standards.
We have implemented appropriate technical and organisational control measures, including protection against unauthorised or unlawful processing, and against accidental loss, destruction, or damage, to safeguard personal data. Furthermore, at the heart of our software and organisation we have implemented a myriad of security controls to ensure the ongoing confidentiality, integrity, availability and resilience of our IT networks, systems, services and data.
We are committed to respecting privacy, compliance with applicable data protection legislation, and maintaining our externally qualified registration to ISO 27001:2013 and NCSC approved certification to Cyber Essentials & Cyber Essentials Plus.
This Privacy Notice aims to set out, in a clear and transparent manner, the type and nature of our activities and to explain how personal information is processed in the usual course of our business, including when you use and access our website.
3. The legal bit
Synalogik is a private limited company, registered in England under number 11601168. Our registered offices are the Shell Store, Canary Drive, Skylon Park, Hereford HR2 6SR.
We are registered with the Information Commissioner’s Office (ICO) under registration number ZA464486.
Our website and innovative software platform (Scout®) are not intended to be used by private individuals or anyone under the age of 18 years of age.
In data protection terms we operate both as a controller and a processor of personal data with the difference set out below.
We are a controller where we process business information for the following purposes, employment, sales, marketing, finance or to fulfil our legal, regulatory and fiduciary obligations as a UK based organisation.
Our customers are the controller for their data that they process through Scout® as they determine the reasons why they collect and process their data, and the purposes that their processing serves.
However, as a processor, we do not physically collect personal data from any individual nor have a direct relationship with them.
4. What is Scout®
Scout®, a secure cloud-based Software-as-a-Service (SaaS) product, enables our customers to bring together (aggregate) different data sets into one central place for investigative and intelligence-based analysis and to automate complex legal, regulatory, and fiduciary monitoring and reporting activities. It is designed with multiple functionalities that enable our customers to efficiently manage and automate their casework and customer management activities, make notes, produce and link client profiles, risk score, and evidentially demonstrate compliance to regulatory standards.
Our customers are provided with their own version of Scout®, with each customer’s version of Scout® distinct and separate from another. This means that it is not possible for one customer to view or access another customer’s account, processing activities, information, or intelligence.
Scout® is designed and built using secure software, with access controlled and use governed by a range of technical, organisational, and procedural security measures. Scout® can be configured by our customers to meet their own specific investigative, reporting and processing requirements. This means that our customers remain in control of their own data at all times.
Our customer’s access to Scout® is restricted to permitted processing ‘use cases’ that our customers’ clearly specify, and we assess, through our due diligence processes prior to granting access. The processing use cases relate to: data validation, anti-money laundering, fraud investigation, prevention and detection; law enforcement and national security measures, debt collection and tracing; prevention and detection of crime; asset reunification; PEPs and sanctions checks; financial vulnerability assessments; or to complying with regulatory obligations such as the licence rules imposed by the Gambling Commission in support of safer and responsible gambling.
It is these use cases that permit and restrict access to a range of public and industry sourced ‘third party’ and ‘open sourced’ data sets.
Credit Reference Agency, is only one type of data set that may be accessed by some customers. The three main credit reference agencies are Transunion, Experian and Equifax. They each use and share personal data that they receive about you and/or your business activity. You can read each of the Credit Reference Agencies Information Notices by visiting the links provided below:
As a data aggregator (and processor) under contract to our data suppliers, we can provide controlled access to such data sets subject to strict contractual terms and technical security measures designed into Scout®. Contractual obligations imposed by the data supplier, where applicable, flow down to our customers through our own contractual arrangements with them.
For the purposes of clarity, as a processor, we only process customer and/or supplier data on the written instruction from the appropriate party. It is important to note at this stage that we do not have direct or unrestricted access to any customer or supplier data. Our access is strictly prohibited, unless sanctioned by senior management and appropriate customer authorisation. Access is rigorously controlled by appropriate technical, physical, and organisational safeguards that prohibit access to only approved employees where there is a need to do so.
Public data sourced via a Scout® search is often that which can be found by using a standard search engine on the internet or by contacting publicly accessible websites such as Companies House, Land Registry, DVLA or DVSA. Please refer to their websites for information relating to how they collect, use and share personal data.
Although our customers could obtain the same information by engaging directly with each independent data supplier, the benefit that Scout® delivers to our customers, is the integration of various data sources (public and private) into one platform. A single view of multiple sources, including customer data, enables a quicker, smarter, and more efficient and intuitive analysis and assessments to be undertaken.
Customers can upload their datasets into Scout®, and source additional information via the data suppliers, to facilitate and collate responses, create tags, profiles, or reports to support further investigative purposes or to link points of interest. Through Scout® customers can determine risk scores and utilise automated analysis to reveal hidden intelligence that may not immediately be visible from a single set of data alone. All results and generated outcomes are viewed by a customer’s analyst and no automated decision making is applied to the data processed.
All customer data, tags, notes, profiles, case management and customer reports are retained on our customer’s version of Scout®, and subject to our customer’s retention policy, that they have determined as the controller of this information.
Scout® is designed with some clever and secure technology that includes various monitoring functions. These monitoring functions are to support the delivery of our services for example:
Monitoring within Scout® does not include any personal data uploaded to Scout®, or the specific results of any data sourced by our customers.
As part of our security infrastructure, we proactively monitor user access and network activity for any unusual activity that may indicate unlawful or unauthorised access. The monitoring of user access to systems, software, network, or other technologically driven infrastructures is now commonplace for most organisations. It is a requirement to ensure appropriate technical, organisational and procedural measures are in place to satisfy legal and regulatory requirements, for information security certification standards, and to ensure the ongoing resilience of any system, software, or network infrastructure.
Our customers, as the controller, can configure Scout® to meet their own needs, and ultimately determine the data to be searched, the level and proportionality of the search, as well as the level of risk scoring that is to be applied. Our platform simply presents information, creates reports and customer and case management solutions in an innovative way to enable our customers, as the controller, to make informed or investigative decisions based upon the information or intelligence returned.
Essentially our software speeds up the process of data aggregation and analysis for our customers, but it is our customers who determine what data is uploaded into Scout®, what data feeds are accessed, to what degree personal data is processed, and what they want to do with the results.
It is important to reiterate that we do not have direct or unrestricted access to any customer data. Our access is strictly prohibited, unless sanctioned by senior management and appropriate customer authorisation. Access is rigorously controlled by appropriate technical, physical, and organisational safeguards that prohibit access to only approved employees.
We train our customers on the most efficient way to utilise the service and will provide all of the search and analytical tools to enable them to achieve the best out of Scout®, but we process no data without their instruction. When test data is used, we use personal data of individuals who have given consent to the processing or Synthetic (mock) data.
Synalogik, is a secure software service provider, and under data protection terms is simply a processor.
5. Customer data processed using Scout®
When a customer access Scout® they are presented with an acceptable use policy that they must acknowledge before progressing into the system. Customers can use the system for investigating and assessing their own data sets or supplement their data sets with information retrieved from performing a search and drawing on the authorised data sets made available to them. Access to external data feeds is stricted controlled and governed by contractual restrictions. These measures are supported by a range of technical measures designed into Scout® to prevent access to data feeds unless authorised and technically permitted.
When a customer performs a search, Scout® interrogates a predetermined set of external records and returns search results that are presented to our customer via the dashboard in Scout®. The customer may supply some information to support the search or for analysis purposes using the functionalities available in Scout®. This information may include names, address, dates of birth, contact numbers, email addresses, bin numbers, vehicle data, property ownership, purchase price, company directorship, it may also include details of third parties and geographical locations including IP addresses.
Customers working in the crime prevention or detection arena, or national security may provide additional and more sensitive information.
Depending on the data supplier being used a wide range of intelligence may be returned from a customer search. This may include information from the industry suppliers, credit reference agencies, the public domain, governmental websites including sanctions lists, information concerning adverse publicity, bankruptcies as well as financial information such as credit application, CCJ’s, IVAs. Information may also be returned from open sources such as those retrieved via an internet search.
The data supplier will ensure that any personal data accessed via Scout® has been lawfully obtained and permitted for the applicable use case.
Where the information comes from governmental sources the lawful basis will usually be to fulfil a public function, comply with a legal obligation or is produced in the substantial public interest.
Some personal data is classified as special category, or sensitive, and includes information about sexuality or orientation, religion and ethnicity, health conditions, political opinions or actual or alleged criminal activity or records. Some data sources will reveal this type of information about individuals.
Customer information processed via Scout® will only be processed according to their written instructions and it is they, as controller, who determines that the processing remains lawful at all times, including the applicable lawful basis for the data that they are processing via Scout®.
When we operate as a controller we do not collect, store, or process information obtained from our customers or their searches. We are contractually restricted from accessing any external data feeds for our own internal purposes and have implemented appropriate technical and organisational measures to prevent such activities from occurring.
6. What information do we, as controller, collect or process about you?
6.1 Website visitors and general enquiries
We collect information from you when you interact with us, such as when you use or website or make an enquiry with us via our website.
By visiting our website, we may be able to see your IP address, approximate geographical location, and the pages that you visit. Your information shall remain anonymous unless you share your contact details with us.
6.2 Business information
To market, promote, and raise awareness of our organisation’s services, we research and process corporate and public sector information, which will include your contact details, the name of the organisation you work for and your role or job title. The processing of such information is limited to only the information necessary to build or maintain a business relationship with you.
For sales and marketing purposes we do, on occasion, engage external companies to assist us in data enhancement, for example to add a missing telephone number or email address.
Marketing and sales calls by our sales team may be recorded for quality and monitoring purposes.
We also process data obtained through general business practice for the effective and efficient management of the organisation and to give effect to our business, contractual, legal, and regulatory obligations such as financial accounting and internal reporting purposes.
We never sell, exchange, or otherwise share any personal data obtained from business relationships, concerning visitors to our website, of our customers or authorised users of our technology.
6.3 Lawful basis for processing
As a controller we are obligated to have an appropriate lawful basis identified, as set out in data protection legislation, for each processing activity that we undertake.
When you visit our website, we shall rely on consent to process non-essential cookies. This is managed via our ‘cookie banner’ which is displayed when you visit our website.
To manage any enquires you make of us and for processing our general business information, we shall rely on legitimate interests or contractual obligations depending on the nature of our relationship.
We will only rely on “legitimate interest” to process personal data (or those of a third party) if our interests do not override your fundamental rights and freedoms.
We will only use your personal information for the purpose(s) for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose(s). We may process your personal information without your knowledge or consent, but only where this is required or permitted by law.
Where we operate as a processor, our basis for processing customer data is the written instruction provided by the customer.
7. Who information is disclosed to or shared with?
7.1 Personal data processed using Scout®
Customer information is only disclosed with those third-party data suppliers whom the customer is permitted to access and has requested for a given search. The information is disclosed with the provider for the purpose of identifying information to be returned and presented back to our customer in Scout®. A copy of the information is held within the customer’s version of Scout®, subject to the customer’s defined retention period. At all times our customer remains responsible for, and in control of, any personal data processed.
In the course of delivering our services to our customers we may be required to disclose or provide data to the police or other law enforcement agency. This would only occur where we had a legal obligation to do so, for example, under a police force warrant or court order, and subject to our Data Protection Officer’s (DPO) advice.
7.2 Website visitors and general enquiries
Information that we collect from you when you interact with our website is only disclosed with our web-host supplier who hosts and look after our website on our behalf. As a processor, they are appointed subject to appropriate contractual terms, including confidentiality, and are not further permitted to process any such information for their own internal purposes, save for legal obligations, without our appropriate written authorisation.
7.3 Business information
We rely on third-party processors (suppliers) to support our service delivery, such as our cloud-based CRM provider and similar type of corporate databases and software solutions (e.g. human resources, payment of invoices etc).
Our third-party processors only process your personal data under our strict instruction, subject to contractual safeguards, and after we have performed appropriate due diligence on them. Our third-party processors are prohibited from using any disclosed or shared information for their own purposes.
On occasion we may have to provide personal data to our professional advisors, such as our accountants, legal advisors and official auditors. You can be assured that this will only take place when necessary for the smooth management of the business and subject to appropriate technical and organisational controls, including confidentiality. It is highly unlikely that we will need to share data from external parties, for example data supplied from a customer, or retrieved from a data Supplier.
We carry out our own internal IT support, but in the rare event that external IT support was required, we may need to grant them access to some or all of your personal data. As with any other third-party service provide, they would be contractually required by us to maintain appropriate security measures, including confidentiality, so as to protect all personal data to which they have access.
We would not grant access to external support workers without written confirmation that their data security requirements are of an appropriate standard to carry out the tasks which we wish them to do.
8. Data Security
Our system uses secure and externally assured cloud-based technology, meaning that rather than being stored on physical servers at our offices, your data is securely stored in encrypted format and processed in a secure environment “on the cloud”.
We have implemented an array of appropriate cyber related safeguards (both technical and procedural) and organisational control measures (including a recurring mandatory information security and data protection awareness training regime) to ensure appropriate security, including protection against unauthorised or unlawful processing, and against accidental loss, destruction, or damage. Furthermore, we have implemented appropriate security controls to ensure the ongoing confidentiality, integrity, availability and resilience of our systems and services.
The strength of our environment is regularly “penetration tested” by an external CREST certified third-party, and we have made all reasonable endeavours to comply with recommendations of those tests to ensure that our data, IT systems, networks and Scout software products are maintained securely.
Furthermore, we are certified to appropriate and highly recognisable industry standards including NCSC approved and IASME accredited to both: Cyber Essentials and Cyber Essentials Plus. We are externally registered to: ISO 27001:2013 by Citation ISO Certification and regularly undertake internal audits to support external surveillance & recertification audits. This provides assurance that our governance, risk & compliance measures are adhered to, and registration maintained.
We have stringent incident management procedures in place to deal with any known or suspected data breaches.
9. Retention of your information
How long your information will be retained for in Scout® is determined by the customer and their own clearly pre-defined retention periods. This functionality is configurable in Scout® to give effect to our client’s own retention requirements, as controller.
Where the client’s retention period has expired and/or where the client specifically requests that their information is securely removed from Scout®, we make our best endeavours to do so in a timely manner.
In our commercial and employment relationships we usually retain the information for 7 years after the relationship has ended.
For details relating to our website cookies please refer to our Cookie Policy.
10. Cookies
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of our website and to compile statistical reports on website activity.
We use cookies to monitor and manage those using our website and Scout®. The Scout® cookies are sessional cookies and are used:
Sessional cookies expire at the end of each session (e.g. once the browser session is closed) and do not contain any personal information.
On visiting our website, you will be presented with a cookie banner and an option to accept or decline our cookies. You can also set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser.
For further information visit www.aboutcookies.org or www.allaboutcookies.org.
11. Your rights
The Data Protection Act 2018 and UK GDPR affords individuals whose personal data is processed certain rights, and these are listed below for your convenience.
Please note we may have to verify your identity before we can proceed, and any rights request will be processed in accordance with data protection laws and regulatory guidance issued by the Information Commissioner’s Office (ICO).
You have the following rights and how we manage them will depend on whether we operate as a controller or processor. Where we operate as a controller of your information, we will directly manage your request. Where we operate as a processor of your information, your request will simply be forwarded to the appropriate controller or data supplier for processing in accordance with data protection laws.
In certain situations, the above rights may not apply for the purposes stipulated within data protection legislation. For example, if you entered a contract with us, and we need to notify you about an alteration by way of a service communication. Even if you asked us previously not to communicate with you, we retain the right to do so, but in this case, we would not send you any further direct marketing communications.
12. Contact details
If you have any questions, queries or are unhappy with how we have, or may have, processed your personal information, please do not hesitate to contact us using the details provided below:
Title: The Data Protection Officer (DPO)
Address: Shell Store, Canary Drive, Skylon Park, Hereford HR2 6SR
Email: compliance@synalogik.com
If you are unhappy with how we have processed your information, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), their contact details are below.
We respectfully ask you to try and resolve your compliant with us in the first instance and the ICO may want to see that you have taken steps to do so.
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF
Helpline: 0303 123 1113 (local rate) or +44 1625 545 745
https://ico.org.uk/concerns/
Changes to our Privacy Notice
We keep our privacy notice under regular review. We will place any updates on this web page and endeavour to identify the date of the last update under the title at the top of this page.