At InScope we are committed to protecting the privacy of individuals and we understand the importance to you of your personal data and of your right to privacy.
This Privacy Notice explains how InScope will comply with applicable data protection law, this includes the General Data Protection Regulation (‘EU) 2016/679 (GDPR), The Data Protection Act, (Chapter 586 of the Laws of Malta) and subsidiary legislation thereto and any other applicable law relating to privacy and electronic communications as may be amended from time to time. InScope-AML refers to the following company as Controller of your Personal Data: InScope Limited, a company incorporated under the laws of Malta, having company registration number C 82598 and address at 50, Triq Giorgio Preca, San Gwann, SGN 3510, Malta.
This document applies to all personal information held by InScope-AML as the controllers of your personal data and goes into detail on how we process your data, why we process it, with whom this data may be shared, in what situations we may share this data and all the measures we are taking to ensure that your data is safe and secure.
The terms of this policy apply in the instances indicated in section 6 of this policy.
Any information that our Clients process to provide their services. Clients are solely responsible for ensuring compliance with all applicable laws and regulations with respect to their customers, including notifying their customers of their personal information collection, use, and disclosure under their own terms of service and privacy policies. In these cases InScope acts as a processor in terms of our agreement with our Clients and hence this Privacy Policy does not apply.
If we are engaged as your processor, kindly refer to the Data Processing Agreement in place with your company with regards to the processing carried out in a processing capacity.
Any third-party services, applications or integrations that may be accessible through our website or services. These third parties operate independently from InScope and have their own privacy practices. InScope shall not be responsible or liable for the way such third parties process your personal data.
Links which you may find on our website. On our website, you may also find links to other websites which are not managed or owned by InScope-AML. InScope-AML is not responsible for any such websites and this privacy policy shall not apply in this regard. The businesses operating these websites, may or may not have their own privacy policy and in this regard, InScope-AML is no way responsible for the way such companies manage the processing of your personal data.
The data controller as defined under the Regulation (EU) 2016/679 which is generally referred to as the General Data Protection Regulation (hereinafter referred to as “GDPR”), is InScope-AML as defined above.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) or “GDPR” is a European regulation intended to protect Personal Data of individuals. We collect various kinds of Personal Data from you and it is thus very important that your Personal Data is managed in terms of this regulation. Personal Data is very important for us and thus we strive to ensure the highest level of its protection.
Personal Data is personal information about an individual, like you. We collect such information about our customers for relationship management, statistical reasons and for marketing purposes and also on our employees or potential employees when they apply for a position with us. We may also collect some personal information from other individuals who are not our customers, for marketing purposes, subject to their consent. As InScope-AML, we also process Personal Data of the customers of our clients when they engage us to provide services to them.
Personal Data may also be of a general nature and of a special nature. Generic Personal Data refers to data such as names, surnames, contact details and similar data which can be used to identify a person. Special categories of Personal Data relate to more confidential kind of Personal Data such as health data. Information regarding the different kinds of Personal Data we collect can be found in section 6 of this document.
Certain more sensitive kind of Personal Data is defined under law as Special Categories of Personal Data, which relates to:
We generally do not process such Personal Data. However, when we provide our services to our Clients, the customer data of our clients will need to be processed by InScope-AML so that InScope-AML can provide its service. However such processing shall always be in line with the relevant legal requirements. In any case, we will always specify the purpose where such Personal Data shall be used and on what legal basis. We will also only use such Personal Data for the purposes that such Personal Data would have been collected and not for any other purposes.
When you provide your Personal Data to a third party, you are passing such data to either a controller or a processor.
A Controller of your Personal Data is an individual or a company who has the power to determine the exact uses of the Personal Data you have supplied to him. On the other hand, a Processor is a third party who is processing and thus utilising your Personal Data on behalf of a controller.
This section shall outline the various ways we collect Personal Data from you from different situations. In this regard, all Personal Data collected must have a proper legal ground justifying collection and such is stated in each situation were Personal Data is Collected. Finally, the retention period for each set of Personal Data Collected is also listed herein.
| Description | Data Collected | Legal Basis | Retention Period |
|---|---|---|---|
| When you browse this website, we may collect data through some tracking cookies as explained in the cookie section of this Policy. Otherwise, we do not collect Personal Data unless you voluntarily and knowingly provide it to us, for example by signing up to our mailing list. | Kindly refer to cookie section. | Consent, when dealing with non-essential cookies. | Kindly refer to cookie section. |
| Description | Data Collected | Legal Basis | Retention Period |
|---|---|---|---|
| When contacting us through our website, we would need some personal data to be able to reply to your query. |
|
Consent | 1 year unless the party is engaged. |
| Description | Data Collected | Legal Basis | Retention Period |
|---|---|---|---|
| When you engage us to provide services, we would require significant amounts of personal data. |
|
|
5 years from when we stop providing you with our services. |
| Description | Data Collected | Legal Basis | Retention Period |
|---|---|---|---|
| When we engage with you for the provision of goods and services to us, we collect personal data |
|
|
5 years from when we stop providing you with our services. |
| Description | Data Collected | Legal Basis | Retention Period |
|---|---|---|---|
| Should you contact our customer care or social media teams, we shall collect some Personal Data to be able to process your request. |
|
To protect our legitimate interest | 3 months |
| Description | Data Collected | Legal Basis | Retention Period |
|---|---|---|---|
| When you apply for a position with us, we would need to process your Personal Data to be able to verify your suitability for the role you have applied to. |
|
|
4 months minimum. One year of consent is obtained. |
| Description | Data Collected | Legal Basis | Retention Period |
|---|---|---|---|
| When you visit our premises, we collect CCTV data for security purposes. | CCTV Footage | To protect our legitimate interest | 7 days |
In addition to the required information sharing described above, we may use third-party tools or proprietary screening and verification tools or data providers (e.g. sanction lists, biometric verification, identity databases, data centers) . These parties are contractually prohibited from using Personal Data for any purpose other than for the purpose specified in their respective contracts. We do provide non-personally identifiable information to certain service providers for their use on an aggregated basis for the purpose of performing their contractual obligations to us. We do not permit the sale of Personal Data to third parties for any use unrelated to our operations or use of Personal Data by third party for their own purposes.
Below is a list of sub processors:
| Name of Processor | Address | Task to be performed and Personal Data to be Processed | Location of Processing |
|---|---|---|---|
| Cleverbit Software | 50,Triq Giorgio Preca San Gwann SGN3510 Malta |
Installations, maintenance and support services. Data to be processed as outlined in the Data Access Annex point 4. | Malta |
| Amazon Web Services EMEA SARL | 38 avenue John F. Kennedy L-1855 Luxembourg |
Searches against sanctions, PEP and adverse media provided via services hosted on Amazon AWS. | Germany, Ireland |
| Microsoft | Microsoft Ireland Operations, Ltd. Attn: Data Protection One Microsoft Place South County Business Park Leopardstown Dublin 18, D18 P521, Ireland |
Office 365 subscription (email, document management system) | EU |
| Acuris Risk Intelligence Ltd | Queen Street Place London EC4R 1BE |
Searches against AML/KYC database of PEPs, Sanctions and Adverse Media | Ireland |
| Freshdesk | Freshworks GmbH Neue Grünstraße 17, 10179 Berlin |
Helpdesk software used by our support team. | EU |
| Veriff | Niine tn 11, 10414 Tallinn, Estonia | ID document and selfie verification. | EEA |
| Google Ireland Limited | Gordon House, Barrow Street, Dublin 4, Ireland | Searches using Google's services as part of our AI Searches adverse media feature. | EU |
| OpenAI Ireland Ltd. | 1st Floor, The Liffey Trust Centre 117-126, Sheriff Street, Upper, Dublin 1, D01 YC43, Ireland | Processing of search results in order to determine suitability to classify them as requiring human review as part of our AI Searches adverse media feature. | EU |
| Bright Data Ltd. | 4 Hamahshev St., Netanya 4250714, Israel | Web searches as part of our AI searches adverse media feature. | Israel * |
| Vercel Inc | 440 N Barranca Avenue #4133 Covina, CA 91723 United States |
Hosting of front-end code in relation to Zero Forms. | EU |
* Israel is an adequate jurisdiction, so no additional clauses or safeguards are required. For further information please visit the EU commission of adequate countries documentation
Our Website uses cookies to ensure its proper functioning and to enhance your user experience. Cookies are files that are stored on your device when you access the Website. We only make limited use of cookies. For more detailed information, including the types of cookies we use and how we manage them, please refer to our cookie policy.
You have certain rights under law to your Personal Data.
Kindly note however the if you exercise this right, it will hinder our ability to provide you with the required services, since we may need your Personal Data to be able to provide you with our services.
In making your request in relation to the above, please note that:
You have the right to lodge a complaint to the data protection authority of your habitual residence if you believe that we have not complied with the requirements of the law.
In order to protect your Personal Data, we will require that you prove your identity to us in relation to your request to access your Personal Data, which may consist of a copy of a government-issued identification, your signature and correspondence address so we can check them against our records and satisfy ourselves as to your identity. The above information is required to create an audit trail of how the request has been handled. Where a request is made, any correspondence or application may be kept and added to your Personal Data.
We shall strive to send your data only to other EU countries or other countries which ensure proper protection for your data. When transferring your data to countries which are not deemed as such, proper measures in terms of the law shall be applied to ensure the protection of your Personal Data. In cases where such measures cannot be achieved, Personal Data shall only be sent to these countries if necessary, to perform our services and also subject to any of the required measures imposed under GDPR. Some of the recipients referred to above are located in or process Personal Data outside of your country. The level of data protection in another country may not be equivalent to that in your country. However, we only transfer your Personal Data to countries where the EU Commission has decided that they have an adequate level of data protection or we take measures to ensure that all recipients provide an adequate level of data protection. We do this for example by entering into appropriate data transfer agreements based on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council).
We shall take all the necessary measures as required by law to ensure proper security and protection to your Personal Data. Such measures may include encryption, use of firewalls, anti-virus software and specialized security software, access restrictions and limitations, strict enforcement of policies and any other measures that we may enforce from time to time. Our measures shall strive to ensure that:
Despite our best efforts however, we cannot provide a 100% guarantee in relation to our system security.
In the event of a Data Breach following your Personal Data, we shall always abide by the law and inform you and the competent authorities as required.
This data privacy statement was last updated on the 24th October 2025 in line with the last EU legislation to meet the GDPR requirements. In the future, we may need to make additional changes. All additional changes will be included in the latest data privacy statement published on this website, so that you will always understand our current practices with respect to the information we gather, how we might use that information and disclosures of that information to third parties. You can tell when this privacy statement was last updated by looking at the date at the top of the statement. Any changes to our statement will become effective upon posting of the revised statement on this site. We will seek your express consent to any changes to how we use or disclose your Personal Data if requested by law but otherwise use of this site or our services following such changes constitutes your acceptance of the revised statement then in effect.
Kindly note that our website contains hyperlinks to other websites. Please note that InScope-AML is not responsible for the content of these other websites or their respective adherence to data protection laws and rules. InScope-AML does not provide any quality controls to such websites and shall accept no responsibility for their performance, security, accuracy, content or privacy in relation to your personal data.
If you wish to make any inquiry regarding your personal data, wish to have any of your data corrected or request access to your personal data, you may contact us on the below details. Please note that we may charge a fee or refuse requests which are manifestly repetitive or excessive.
Any request must be in writing and must also include your name, address and a description of the information or correction required. We may also ask for other identification documentation. Such information is essential so that we can identify you properly.
Email: dpo@inscope-aml.com
Name: Dr Annalisa Debono
Address: 50, Triq Giorgio Preca, San Gwann, SGN 3510, Malta
