Shufti Pro Limited · Privacy Website Business Interactions Privacy Notice

Website & Business Interactions

How Shufti collects and uses personal data when you browse our websites, accept or reject cookies, submit forms, request a demo, or contact our teams.

Version: 1.1
Last updated: April 2026
Contact: [email protected]
Document owner: Shufti Pro Limited (Data Protection Team / DPO)

1. Scope and Who This Notice Is For

  • This Website Business Interactions Privacy Notice applies when you interact with Shufti's public websites and business contact channels, including when you browse our site, accept/reject cookies, submit forms, request a demo, contact our teams, or interact with our marketing content.
  • This notice does not cover identity verification or AML screening carried out through Shufti for a Client's end-users. That is covered in the Services Privacy Notice and also in the Client's own privacy notice.

2. Controller Identity and Contact Details (UK GDPR / GDPR)

Controller: Shufti Pro Limited ("Shufti", "we", "us", "our"). Office 408 Coppergate House, 10 Whites Row, London E1 7NF, GB.

Privacy contact: [email protected] (Data Protection Team).

DPO: [email protected]. The DPO operates independently and reports to the highest level of management in accordance with Article 38 UK GDPR.

Representative (EU/EEA): Nikolett Horvath — [email protected]

3. What Personal Data We Collect

Information you provide to us

  • Name, business email, phone number, company details and the content of your request (e.g. demo request / support enquiry), where you submit forms or contact us.
  • Chat content where you use our site chat/communication tools (e.g. Intercom cookies are listed in our cookie inventory).

Information we collect automatically

  • Cookie identifiers, device/browser information, IP address and basic usage analytics (see Sections 9–12 and the Cookie Table). Non-essential cookies (including analytics and marketing cookies) are collected only after valid consent has been obtained.

Information we obtain from third-party platforms

  • If you contact us through third-party platforms (e.g. LinkedIn, Twitter/X, or other professional or social networks), we may collect your name, job title, company name and business email address, where you have made this information available in the context of business outreach. Data obtained from such platforms is limited to information relevant to a legitimate business purpose. Such data is processed in accordance with the applicable lawful basis set out in Section 4 and subject to transparency obligations under UK GDPR Articles 13 and 14. We do not obtain or use personal data from third-party platforms for purposes unrelated to the business interaction that gave rise to the data sharing.

4. Why We Use Your Data (Purposes and Lawful Bases)

Consent-based processing and legitimate interest-based processing are kept strictly separate. No non-essential cookies (including analytics and marketing cookies) are set on your device before valid consent is obtained in accordance with PECR requirements.

| Purpose | Data Categories | Lawful Basis | PECR Consent? | Notes |
|---|---|---|---|---|
| Operate and secure website (bot protection, session continuity, form security) | IP address; device/browser; strictly necessary cookies; form tokens | Legitimate interests (running a secure, functional website). Strictly necessary cookies do not require consent under PECR. | No — strictly necessary cookies only. No non-essential cookies are set until valid PECR consent is obtained. | Strictly necessary cookies are limited to those technically required for the website to function. No analytics or marketing cookies fall within this category. |
| Website analytics and improvement | Analytics cookies; usage data; IP; device ID | Consent (Article 6(1)(a) UK GDPR). Analytics cookies are non-essential and require prior valid consent under PECR before being set. | Yes — consent required before deployment. | No analytics cookies (including Google Analytics, Leadfeeder, Mouseflow) are deployed prior to the user providing valid, freely given, specific, informed and unambiguous consent via our cookie consent tool. |
| Respond to enquiries and demo requests | Contact details; message content; organisation details | Legitimate interests (responding to business enquiries) and/or steps prior to contract. | N/A — no device storage. | You can choose what to submit. See Section 12. |
| Customer support via website contact routes | Support messages; identifiers | Legitimate interests / contract (depending on relationship stage). | N/A | |
| Direct marketing (newsletters, product updates, event invitations) | Contact details; marketing preferences; cookie ad identifiers (where consented) | Consent where required under PECR (individual subscribers). Legitimate interests for B2B marketing to corporate subscribers where a clear opt-out is provided, subject to PECR soft opt-in rules where applicable. | Yes — consent required for marketing cookies and for direct marketing to individual subscribers. Legitimate interests may apply to corporate subscribers subject to opt-out. | All marketing communications include a clear, accessible opt-out mechanism. Marketing cookie identifiers are not used unless separately consented to. See Section 5A. |
| Events / webinars | Registration details; engagement markers | Legitimate interests / contract (event registration). | N/A | |
| Handle legal requests, enforce rights, defend claims | Identity and contact details; logs; communications | Legal obligation; legitimate interests; legal claims. | N/A | |

5. Who We Share Data With (Recipients)

  • Our website vendors, cloud service providers and other service providers (e.g. analytics, chat, forms, bot management), as listed in our Cookie Policy. All third-party vendors who process personal data on our behalf are subject to data processing agreements (DPAs) incorporating appropriate data protection obligations, as required under Article 28 UK GDPR. Transfers to advertising or analytics partners are subject to valid PECR consent and, where data is transferred internationally, to appropriate safeguards as described in Section 6.
  • Other companies within the Shufti group. In some circumstances, Shufti Pro Limited and its group companies may act as joint controllers of your personal data. Group companies include:
    • Shufti Pro Limited (UK)
    • Shufti AB (Sweden)
    • Shufti Pro Limited (Cyprus)
    • Shufti LLC (Delaware)
    • Shufti Digital ID Verification Services Limited (Dubai)
    • Shufti PTE Limited (Singapore)
  • Professional advisers and insurers where reasonably necessary, subject to confidentiality obligations.
  • Authorities or counterparties where required for legal compliance, fraud prevention, or protection of rights.

5A. Direct Marketing — PECR and UK GDPR Rules

Shufti conducts direct marketing activities in compliance with the Privacy and Electronic Communications Regulations 2003 (PECR) and UK GDPR. The following rules apply:

Individual Subscribers

Where you are an individual subscriber (including sole traders and individuals whose contact details are used as personal data), Shufti will only send direct marketing communications where you have provided prior, freely given, specific, informed and unambiguous consent. Consent will be obtained through a clear affirmative action (e.g. an opt-in tick box). Consent will not be inferred from pre-ticked boxes, silence or inactivity.

Corporate Subscribers

Where you represent a corporate or business entity, Shufti may rely on legitimate interests as the lawful basis, including the PECR "soft opt-in" rule where applicable. Such communications will always include a clear, accessible and easy-to-use opt-out mechanism.

All Marketing Communications

  • All direct marketing communications will identify Shufti as the sender and include a clear, prominent and functional opt-out or unsubscribe mechanism.
  • Opt-out requests will be honoured promptly and in any event within 10 working days of receipt.
  • Marketing cookie identifiers and advertising technology (including Facebook Pixel, LinkedIn Insight Tag, Bing/Microsoft advertising cookies) are not activated until the user has provided valid PECR consent via the cookie consent management tool.
  • Shufti maintains suppression lists to ensure that individuals who have opted out are not re-contacted unless fresh consent has been obtained.

6. International Transfers

Your data may be processed or accessed internationally depending on vendor locations and Shufti's operations. All international transfers of personal data are recorded in Shufti's transfer register. Where a Transfer Impact Assessment (TIA) / Transfer Risk Assessment (TRA) is required to assess whether the law and practice in the destination country allows the safeguards to be effective, such assessment is conducted and documented prior to the transfer taking place. This is consistent with the approach taken across all Shufti privacy notices, including the Services Privacy Notice.

When transferring from the EEA, we may rely on:

  • EU adequacy decisions.
  • EU SCCs (Commission Implementing Decision 2021/914).
  • EU–US Data Privacy Framework where the US recipient is certified.

When transferring from the UK, we may rely on:

  • UK adequacy regulations.
  • UK international transfer tools (e.g. UK IDTA or UK Addendum to the EU SCCs).
  • The UK Extension to the EU-US Data Privacy Framework / UK-US data bridge where the US recipient is properly certified.

Where appropriate, we apply supplementary measures consistent with EDPB or ICO recommendations. You may request further information regarding applicable transfer mechanisms by contacting [email protected].

7. Retention (Purpose-Specific Schedule)

The periods below represent maximum limits, not default durations. Retention periods are justified by the specific purpose for which data is held and are reviewed periodically. Where data is no longer required for its original purpose, it is deleted or anonymised.
  • Cookie records and consent preferences: cookie consent records are retained for 1 year to evidence consent. Individual cookie durations are set out in the Cookie Inventory in Section 15. Analytics and marketing cookie data is deleted upon expiry of the applicable cookie duration or upon consent withdrawal, whichever is sooner.
  • Enquiries and demo requests: up to 7 years after last contact, based on legitimate interests in defending against or pursuing legal claims. This period is reviewed periodically.
  • Support tickets via website: up to 7 years after closure.
  • Marketing list entries: retained until you unsubscribe or withdraw consent. Upon opt-out, contact details are moved to a suppression list retained only for the purpose of preventing re-contact.
  • Legal holds: retained for the duration of a dispute or legal claim. Data subject to a legal hold is reviewed at conclusion and deleted promptly once no longer required.

8. Security (Technical and Organisational Measures)

  • We use technical and organisational measures appropriate to the risk. Shufti's Data Protection & Security Policy describes encryption and access controls, DPIAs, sub-processor evaluation and standards (ISO 27001, SOC 2) used to evaluate infrastructure and operations.
  • We maintain records of processing activities (ROPA) and documentation consistent with UK GDPR/GDPR expectations.

9. Your Rights (UK GDPR / GDPR)

Requests should be submitted to [email protected]. We will respond within one calendar month of receipt of a valid request (or within three months for complex requests, with notification of the extension within one month).
  • Information — privacy information must be provided at the time of collection.
  • Access — get a copy of your data.
  • Rectification — correct inaccurate data.
  • Erasure — delete data in certain cases.
  • Restriction — limit how we use data in certain cases.
  • Data portability — receive data in a usable format, in certain cases.
  • Object — object to processing based on legitimate interests or direct marketing.
  • Withdraw consent — where we rely on consent, including cookie consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Cookie consent withdrawal: You can withdraw consent to non-essential cookies at any time by accessing our cookie management tool on our website, or by clearing cookies from your browser settings. Withdrawing cookie consent will result in non-essential cookies being removed and not re-set until fresh consent is given.
  • Right not to be subject to solely automated decisions with legal or similarly significant effects (where Article 22-type rules apply).
  • Right to complain to a regulator (see Section 11).

10. How to Exercise Your Rights

  • Email: [email protected]. Privacy requests can be sent to this address; Shufti will respond and may verify your identity for security reasons. Please use this Data Subject Rights Request form to exercise your rights.
  • We may ask for information to confirm your identity before responding (to protect you and prevent fraud).

11. Complaints and Supervisory Authorities

  • You can submit your complaints to us via [email protected] or [email protected]. We encourage you to raise concerns with us in the first instance so that we can seek to resolve them promptly and fairly. Complaint form link attached.
  • UK supervisory authority: Information Commissioner's Office (ICO). Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; phone 0303 123 1113.
  • EEA supervisory authorities: Each EEA country has its own data protection authority; contact details are listed by the EDPB at edpb.europa.eu/about-edpb/about-edpb/members_en.

12. Whether You Must Provide Data

You are not legally required to provide marketing or enquiry data. However, if you do not provide information needed to respond to your request (e.g. email address), we may not be able to reply or provide a demo.

13. Shufti Product-to-Processing Map

This table maps Shufti products to typical processing activities, data categories, lawful bases and retention.

| Product / Area | Main Processing Activity | Typical Data Categories | Role | Lawful Basis (Typical) | Retention |
|---|---|---|---|---|---|
| Website, marketing & enquiry handling | Site analytics, cookie tracking, contact forms, chat, demo requests | Online identifiers (cookies), IP; contact details; enquiry content | Shufti = controller | Consent for non-essential cookies (analytics and marketing); legitimate interests for strictly necessary site operations; consent for direct marketing to individual subscribers; legitimate interests for B2B corporate subscriber marketing with opt-out. | Enquiries: 7 years (reviewed); marketing until unsubscribe/consent withdrawal; analytics cookies per cookie table; consent records: 1 year. |

14. Children's Data

Our Services are not directed to children under the age of sixteen (16) and we will never knowingly collect personal or other information from anyone we know is under such age.

15. Cookie Policy

Only strictly necessary cookies are set without prior consent. No analytics or marketing cookie falls within the 'strictly necessary' category. All analytics, marketing, advertising and non-essential functional cookies are clearly identified as requiring PECR consent and are not deployed until valid consent is obtained.

Shufti does not use website interaction data for purposes unrelated to the operation of the website, such as training AI or machine learning models, biometric analysis, or profiling for purposes beyond those described in this notice, unless such use is separately disclosed to users, supported by an appropriate lawful basis, and subject to a Data Protection Impact Assessment where required.

Removing cookies from your device

You can delete all cookies that are already on your device by clearing the browsing history of your browser. Be aware that you may also lose some saved information (e.g. saved login details, site preferences).

Managing site-specific cookies

You can manage your cookie preferences at any time using our cookie consent management tool, accessible via the cookie banner or the "Manage Cookies" link on our website. You may withdraw or adjust your consent for non-essential cookie categories at any time.

Blocking cookies

You can set most modern browsers to prevent any cookies being placed on your device. To find out more, visit aboutcookies.org or allaboutcookies.org.

Opt-out of Google Analytics

To opt out of being tracked by Google Analytics across all websites, visit tools.google.com/dlpage/gaoptout.

'Do Not Track' Preference

To enable the 'Do Not Track' option in your browser, follow the instructions provided by your browser (Firefox, Internet Explorer, Microsoft Edge, Chrome, Safari, Opera).

Cookie Inventory (Website)

The table below identifies all cookies used on Shufti's website, their category, duration, and whether PECR consent is required. Cookies categorised as 'Analytics (Consent Required)' or 'Marketing (Consent Required)' are not set on your device until you have provided valid consent through our cookie consent management tool.

| Cookie | Type | Duration | Vendor | Description | Consent Required? |
|---|---|---|---|---|---|
| cookieyes-consent | Strictly Necessary | 1 year | CookieYes | Records user's GDPR cookie consent choices. Required for consent management. | No — essential for consent management. |
| cookielawinfo-checkbox-necessary | Strictly Necessary | 1 year | CookieLaw | Records consent for 'Necessary' cookies. | No — consent record cookie. |
| cookielawinfo-checkbox-functional | Strictly Necessary | 1 year | CookieLaw | Records consent for 'Functional' cookies. | No — consent record cookie. |
| cookielawinfo-checkbox-performance | Strictly Necessary | 1 year | CookieLaw | Records consent for 'Performance' cookies. | No — consent record cookie. |
| cookielawinfo-checkbox-analytics | Strictly Necessary | 1 year | CookieLaw | Records consent for 'Analytics' cookies. | No — consent record cookie. |
| cookielawinfo-checkbox-advertisement | Strictly Necessary | 1 year | CookieLaw | Records consent for 'Advertisement' cookies. | No — consent record cookie. |
| cookielawinfo-checkbox-marketing | Strictly Necessary | 1 year | CookieLaw | Records consent for 'Marketing' cookies. | No — consent record cookie. |
| cookielawinfo-checkbox-others | Strictly Necessary | 1 year | CookieLaw | Records consent for 'Other' cookies. | No — consent record cookie. |
| cf7_token | Strictly Necessary | 20 min | WordPress | Required for WordPress contact form submission. | No — technically necessary for form function. |
| __cf_bm | Strictly Necessary | 1 hour | Cloudflare | Supports Bot Management; distinguishes legitimate users from bots. | No — strictly necessary for site security. |
| rc::a | Strictly Necessary | Never | Google | reCAPTCHA: identifies bots to protect against spam and abuse. | No — strictly necessary for form security. |
| rc::c | Strictly Necessary | Session | Google | reCAPTCHA: identifies bots during session. | No — strictly necessary for security. |
| _cfuvid | Strictly Necessary | Session | Cloudflare/Calendly | Tracks users across sessions for session consistency and load balancing. | No — strictly necessary for session continuity. |
| __hssrc | Strictly Necessary | Session | HubSpot | Set to 1 to indicate the user has restarted the browser; used for session detection. | No — session detection only. |
| _ga | Analytics (Consent Required) | ~1 year | Google Analytics | Calculates visitor, session and campaign data for analytics purposes. | Yes — PECR consent required. |
| _gid | Analytics (Consent Required) | 1 day | Google Analytics | Stores information on how visitors use the website. | Yes — PECR consent required. |
| _gat_gtag_UA_* | Analytics (Consent Required) | 1 minute | Google Analytics | Stores a unique user ID to throttle request rate. | Yes — PECR consent required. |
| _gcl_au | Analytics (Consent Required) | 3 months | Google Tag Manager | Experiments with advertisement efficiency and analytics. | Yes — PECR consent required. |
| _ga_* | Analytics (Consent Required) | ~1 year | Google Analytics | Stores and counts page views. | Yes — PECR consent required. |
| _gat_UA-* | Analytics (Consent Required) | 1 minute | Google Analytics | User behaviour tracking. | Yes — PECR consent required. |
| _fbp | Analytics (Consent Required) | 3 months | Facebook | Used by Facebook to deliver and measure advertisements after visiting the website. | Yes — PECR consent required. |
| MSPTC | Analytics (Consent Required) | ~1 year | Microsoft/Bing | Microsoft/Bing analytics cookie for site usage measurement. | Yes — PECR consent required. |
| _lfa_test_cookie_stored | Analytics (Consent Required) | <1 min | Leadfeeder | Leadfeeder test cookie to check cookie storage availability. | Yes — PECR consent required. |
| _lfa | Analytics (Consent Required) | 1 year | Leadfeeder | Identifies IP addresses of visiting devices for business visitor identification. | Yes — PECR consent required. |
| _gd_session | Analytics (Consent Required) | 4 hours | Leadfeeder/GetData | Collects visit data: total visits, average time spent, pages loaded. | Yes — PECR consent required. |
| _gd_visitor | Analytics (Consent Required) | ~1 year | Leadfeeder/GetData | Collects visit data for analytics and targeted advertising. | Yes — PECR consent required. |
| mf_user | Analytics (Consent Required) | 3 months | Mouseflow | Identifies whether a visitor is new or returning; supports session recording and heatmaps. | Yes — PECR consent required. |
| mf_4e47f3a5-... | Analytics (Consent Required) | Session | Mouseflow | Mouseflow session identifier for session recording. | Yes — PECR consent required. |
| __hstc | Analytics (Consent Required) | 6 months | HubSpot | Main HubSpot tracking cookie; contains domain, timestamps and session number. | Yes — PECR consent required. |
| hubspotutk | Analytics (Consent Required) | 6 months | HubSpot | Tracks visitors and is passed on form submission for contact deduplication. | Yes — PECR consent required. |
| __hssc | Analytics (Consent Required) | 1 hour | HubSpot | Tracks sessions and determines session number increments for analytics. | Yes — PECR consent required. |
| MUID | Marketing (Consent Required) | ~1 year | Microsoft/Bing | Recognises unique web browsers for advertising and retargeting. | Yes — PECR consent required. |
| bcookie | Marketing (Consent Required) | 1 year | LinkedIn | Set by LinkedIn share buttons and ad tags to recognise browser IDs for advertising. | Yes — PECR consent required. |
| test_cookie | Marketing (Consent Required) | 15 min | Google DoubleClick | Tests whether the user's browser supports cookies for advertising purposes. | Yes — PECR consent required. |
| _uetvid | Marketing (Consent Required) | Persistent | Microsoft/Bing Ads | Engages with users who have previously visited the website for retargeting. | Yes — PECR consent required. |
| _uetsid | Marketing (Consent Required) | Session | Microsoft/Bing Ads | Engages with users who have previously visited the website for session-based retargeting. | Yes — PECR consent required. |
| li_gc | Functional (Consent Required) | 6 months | LinkedIn | Stores visitor consent to LinkedIn non-essential cookies. | Yes — PECR consent required. |
| lidc | Functional | 1 day | LinkedIn | Facilitates data centre selection for LinkedIn services. | Routing only; consent required if analytics/marketing. |
| intercom-id-* | Functional (Consent Required) | ~9 months | Intercom | Allows visitors to see prior conversations on Intercom-enabled websites. | Yes — PECR consent required. |
| intercom-session-* | Functional (Consent Required) | 7 days | Intercom | Allows visitors to access prior conversations during a session. | Yes — PECR consent required (where non-essential). |
| intercom-device-id-* | Functional (Consent Required) | ~9 months | Intercom | Tracks device identity for conversation continuity across visits. | Yes — not strictly necessary. |
| messagesUtk | Functional (Consent Required) | 6 months | HubSpot | Recognises visitors chatting via HubSpot chatflows tool. | Yes — PECR consent required. |

16. Prohibited Uses of Website Interaction Data

Shufti does not use website interaction data (including data collected via cookies, analytics tools, session recording, or behavioural tracking technologies) for purposes unrelated to the operation, improvement, security, or marketing of Shufti's website and services, as described in this notice.

In particular, Shufti confirms that website interaction data is not used for:

  • Training, fine-tuning, or developing artificial intelligence or machine learning models, unless separately and specifically disclosed to website users in advance, supported by an appropriate lawful basis, and subject to a Data Protection Impact Assessment;
  • Biometric analysis or identification of individuals through behavioural or device data;
  • Creating profiles of individuals for purposes unrelated to the business interactions described in this notice;
  • Selling, renting or otherwise commercialising personal data collected through the website to third parties for their own marketing or profiling purposes.

If Shufti were to introduce any processing of website interaction data for purposes beyond those set out in this notice, a separate disclosure would be provided, an appropriate lawful basis would be identified, and user consent would be obtained where required.

17. Changes to This Notice

We may update this notice from time to time to reflect changes in law, regulatory guidance, or our internal practices. We will publish updated versions and update the "Last updated" date. Where changes are material, we will take reasonable steps to bring them to your attention.
