This Privacy Notice explains how Fenchurch Compliance — a service provided by RegTechPRO Limited (“Fenchurch Compliance”, “we”, “us”, “our”) — collects, uses, stores, and protects your personal data when you use our online compliance platform. We are committed to handling your data lawfully, fairly and transparently, in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Who we are
Fenchurch Compliance is a self-serve compliance platform for small, FCA-regulated firms that have no in-house compliance team. It is a service operated by RegTechPRO Limited, a company registered in England & Wales (company number 10707766).
For personal data relating to your account and your use of our website and platform — such as your name, email address and billing details — RegTechPRO Limited is the data controller, meaning we determine how and why that data is processed. We are registered with the UK Information Commissioner’s Office (ICO) under registration number ZC177446.
Controller and processor. The compliance data your firm enters into its board — for example records about your own staff, customers or third parties — belongs to your firm. For that data your firm is the controller and we act only as a processor, handling it on your documented instructions under our Data Processing Agreement. This Privacy Notice covers the personal data for which we are the controller; the Data Processing Agreement governs the data we process on your behalf.
Our details
RegTechPRO Limited (operating Fenchurch Compliance)
Registered in England & Wales · Company No. 10707766
ICO registration: ZC177446
Information we collect
We collect and process several types of personal data to deliver and improve our service. This includes the following.
Information you provide to us
- Account information — when you register, we collect your name, email address, job title and details of the firm you represent.
- Billing information — when you subscribe, we collect the billing details needed to manage your subscription. Card payments are handled securely by our payment provider, Stripe; we do not store full card numbers.
- Compliance data you enter — the registers, People records, forms, attestations and policies your firm adds to its board. This may include personal data about your staff and other individuals, which we hold as a processor on your firm’s behalf (see Who we are).
- Communications — anything you provide when you contact us, including support requests, feedback and correspondence.
Information we collect automatically
- Usage data — information about how you interact with the platform, including IP address, browser type, operating system, pages visited, features used and links clicked.
- Cookies and similar technologies — a small number of essential and optional cookies used to keep you signed in and to understand how the platform is used. See Cookies for details.
Information from other sources
- Public sources — we may collect information from public registers, including the FCA Financial Services Register, to help verify a firm’s regulatory status or improve the accuracy of our records.
- Our service providers — our payment provider (Stripe) confirms the status of subscription payments so we can manage your billing; we do not receive full card details.
How we use your data
To provide our service
- To create and manage your account and your firm’s board on the Fenchurch Compliance platform.
- To sign you in securely using one-time login codes sent to your email address (we do not use passwords).
- To process subscription payments and manage billing.
- To generate AI compliance reports, drawn only from your firm’s own data.
- To provide customer support and respond to your enquiries.
To improve and secure the platform
- To monitor usage patterns and improve the platform’s functionality.
- To analyse trends and behaviour so we can enhance the user experience.
- To develop new features and services.
- To protect the security, availability and integrity of the platform.
Marketing and communication
- To send newsletters, product updates and promotional content, where you have consented.
- To notify you of changes to the platform, our service or our policies.
- To inform you of regulatory changes that may affect your compliance obligations.
To meet our legal obligations
- To comply with legal and regulatory requirements, including data protection and financial-services rules.
- To prevent, detect and investigate security breaches, fraud or other unlawful activity.
- To respond to lawful requests from regulators or law-enforcement authorities.
Legal basis for processing
Under UK GDPR, we rely on the following legal bases to process your personal data.
- Consent
- Where you have given explicit consent for a specific activity, such as receiving marketing emails. You can withdraw consent at any time.
- Contract
- Where processing is necessary to provide the service you have subscribed to, including creating your account, signing you in and generating your reports.
- Legal obligation
- Where processing is required to comply with the law, such as financial record-keeping and reporting duties.
- Legitimate interests
- Where processing is necessary for our legitimate business interests — such as improving the platform, preventing fraud and keeping the service secure — provided those interests do not override your rights and freedoms.
Sharing your data
We do not sell or rent your personal data. We share it only in the limited circumstances set out below.
Our sub-processors
We use a small number of trusted providers to run the platform on our behalf. Each is bound by a written contract and may process your data only on our instructions and in line with this Privacy Notice.
| Provider | Purpose | Location / transfer |
|---|---|---|
| Cloudflare, Inc. | Hosting, compute, database, file storage and CDN / web application firewall | Data at rest in Cloudflare’s Western Europe (WEUR) region (UK / EU) |
| Stripe Payments Europe, Ltd | Payment processing and subscription billing | EU entity (Ireland); global infrastructure under appropriate safeguards |
| Postmark (ActiveCampaign, LLC) | Sending one-time login codes and notification emails | US — transfers under appropriate safeguards (SCCs / UK IDTA Addendum) |
| Anthropic PBC | AI processing for AI-generated compliance reports | US — under appropriate safeguards; API data is not used to train models |
Our current list of sub-processors is maintained on our Sub-processors page. You can ask to be notified of changes by emailing support@fenchurchcompliance.co.uk.
Legal and regulatory authorities
We may disclose your data to regulators, law-enforcement agencies or other public bodies where required by law, in response to a valid legal request, or to protect our rights and the safety of others.
Business transfers
If we are involved in a merger, acquisition or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change and ensure your data remains protected under equivalent safeguards.
Data retention
We keep your personal data only for as long as necessary for the purposes for which it was collected, including to meet legal, accounting and reporting requirements.
- Account information
- Kept for the life of your account, plus 6 years after closure to meet legal obligations (such as record-keeping and potential claims).
- Billing data
- Kept for as long as needed to process payments and meet tax, audit and financial-reporting requirements (typically 6 years).
- Compliance data on your board
- Kept while your firm’s board is active. Records are stored as dated, append-only snapshots so earlier versions remain recoverable. When your account closes, this data is made available for export and then deleted in line with our Data Processing Agreement.
- Communications
- Kept for a reasonable period to respond to your enquiries, provide support and maintain a record of our interactions.
- Usage data
- Retained in anonymised or aggregated form for analytics. Identifiable usage data is deleted or anonymised within 2 years.
When we no longer need your data for these purposes, we securely delete or anonymise it in line with our retention schedule.
Data security
We take the security of your personal data seriously and apply appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure or destruction.
- Encryption: TLS 1.2 or higher for data in transit, and encryption at rest across our infrastructure.
- Tenant isolation: every record is scoped to your firm’s board, and the server enforces that a session can only read or write data belonging to that board.
- Passwordless authentication: we sign you in with one-time email codes rather than passwords; session tokens are stored only as a hash, and requests for and verification of codes are rate-limited.
- Data residency: primary data is held at rest in Cloudflare’s Western Europe (WEUR) region.
- Append-only snapshots: compliance records are stored as dated, append-only submissions, so nothing is silently overwritten and prior versions remain recoverable.
- Backups and recovery: our database supports point-in-time recovery (roughly the last 30 days).
- AI safety: the AI reads only your firm’s own data to produce reports, and the underlying API data is not used to train models.
Shared responsibility. Our platform runs on certified cloud infrastructure (Cloudflare, which holds ISO 27001, SOC 2 Type II and PCI DSS). Cloudflare secures that infrastructure; we secure the application layer built on top of it. Fenchurch Compliance does not yet hold a standalone ISO 27001 or SOC 2 audit of its own application, and we are happy to complete a security questionnaire or support an application penetration test on request.
While we use commercially reasonable measures to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining high standards of data protection.
Your rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights over your personal data.
- Right of access — request a copy of the personal data we hold about you and information about how we process it.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — ask us to delete your data in certain circumstances, such as where it is no longer needed or you withdraw consent.
- Right to restrict processing — ask us to limit how we use your data in certain situations, for example while we verify its accuracy.
- Right to data portability — ask for your data in a structured, commonly used, machine-readable format to transfer to another provider.
- Right to object — object to processing based on legitimate interests, or to direct marketing. We will stop unless we have compelling legitimate grounds.
- Right to withdraw consent — where processing is based on consent, withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
- Rights around automated decision-making — not to be subject to decisions based solely on automated processing that have a significant effect on you. We do not currently carry out such processing.
To exercise any of these rights, email us at support@fenchurchcompliance.co.uk. We will respond within one month, though we may extend this by up to two further months for complex requests, and will tell you if we do.
International data transfers
Your data is stored and primarily processed within the United Kingdom / European Economic Area, in Cloudflare’s Western Europe (WEUR) region. However, some of our providers process limited data outside the UK or the EEA — in particular our email provider (Postmark) and our AI provider (Anthropic), both based in the United States.
When we transfer personal data outside the UK / EEA, we ensure appropriate safeguards are in place, including:
- the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
- transfers to countries covered by a UK or EU adequacy decision; and
- other appropriate safeguards permitted under UK GDPR.
You can request more information about the safeguards we use by emailing support@fenchurchcompliance.co.uk.
Cookies
We use a small number of cookies and similar technologies to keep the platform working and to understand how it is used.
Types of cookies we use
- Essential cookies: required for the platform to function, including keeping you signed in via your session token and protecting security.
- Functional cookies: remember your preferences and settings.
- Analytics cookies: help us understand how the platform is used so we can improve it.
- Marketing cookies: used only where you have given consent.
Managing cookies
You can manage optional cookies through our cookie banner and through your browser settings. Disabling certain cookies may affect how the platform works. For more detail, see our Cookie Policy.
Changes to this notice
We may update this Privacy Notice from time to time to reflect changes in our data-processing practices, legal requirements or how the service operates.
We will notify you of any significant change by email or through a notice on the platform. The “Last updated” date at the top of this notice shows when it was last revised.
We encourage you to review this notice periodically. Your continued use of the platform after any change constitutes acceptance of the updated notice.
Contact & complaints
If you have any questions, concerns or requests about this Privacy Notice or how we handle your data, please get in touch. We are committed to addressing your concerns and explaining clearly how we process your data.
Get in touch
RegTechPRO Limited (operating Fenchurch Compliance)
Registered in England & Wales · Company No. 10707766
ICO registration: ZC177446
Complaints to the ICO. If you are unhappy with how we have handled your data, you have the right to complain to the UK Information Commissioner’s Office (ICO). Website: ico.org.uk · Helpline: 0303 123 1113 · Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We would, however, appreciate the chance to address your concerns first.