Privacy Policy

Effective 12 May 2020

Scope and purpose

Elucidate GmbH is committed to protecting and respecting privacy. Elucidate GmbH collects and processes personal data relating to visitors to and, and in relation to the services we provide. The data we process differs depending on the different interactions with us, as detailed below.

This policy includes information on Elucidate, how we collect and use information, how we keep it safe, how long we keep this information, who has access to this information and the right of access to the data.

Who we are

When we talk about “Elucidate”, or “us” or “we” in this notice, we are talking about Elucidate GmbH, located in Berlin, Germany (Amtsgericht Charlottenburg HRB 196707B).

Data Protection Officer

Our Data Protection Officer oversees how we collect, use, share and protect information gathered to ensure all required rights are fulfilled. Our Data Protection Officer can be contacted at

How we collect information and how we use it about you

The information we collect varies in line with the use cases below:

  • Visitors to - data regarding site usage, obtained through cookies which includes IP addresses and browser versions used;
  • Candidates for jobs with Elucidate - this includes personal contact information and data regarding the applicant’s suitability for the role;
  • Data provided to us for the express purpose of using the Elucidate FinCrime Index (“EFI”) platform - this data is provided as part of an underlying contractual agreement;
  • Business contacts - this includes contact information or any publicly available data regarding position in a company.

How we keep information safe

The information we have collected is stored in a GDPR compliant data processing facility in Frankfurt am Main, Germany. This facility holds the following certifications ISO 27001, ISO 27017, ISO 27018, SOC1, SOC2, SOC 3, FIPS 140-2, PCi, CSA STAR. All data stored in our databases is encrypted using 256-bit Advanced Encryption Standard (AES-256).

For how long do we retain information

  • Visitors to - until the cookie expiration date;
  • Candidates for jobs with Elucidate - for unsuccessful candidates, we will remove the information after 6 months. Successful candidates’ information becomes subject to our employee privacy policy;
  • Data provided to us for the express purpose of using the Elucidate FinCrime Index platform - Information is retained subject to the conditions outlined in the contract;
  • Business contacts - email marketing has unsubscribe functionalities. Information in our CRM is categorised by activity and inactive data is removed after a period of 5 years, or unless specifically requested by an individual ( ;

Meeting our legal and regulatory obligations

To use the information lawfully, we rely on:

  • Performance of a contract;
  • Legal obligation;
  • Protecting legitimate interests of all parties;
  • Explicit consent, where required.

To meet our regulatory and legal obligations, we collect some personal information and delete it once we no longer require it. We may also gather information from public sources to help us provide our services through the EFI platform.

Information recipients

Information which has been gathered is available to selected parties as detailed below:

  • Visitors to - website analytics tools provided in our secure cloud infrastructure and our employee marketing team;
  • Candidates for jobs with Elucidate - we store this information in an externally provided HR system, to which only selected Elucidate employees have access to determine candidate suitability;
  • Data provided to us for the express purpose of using the EFI platform - data is encrypted and only selected Elucidate employees have access, on an as-needed basis. We use an external provider, Auth0, to provide secure authentication and authorisation for EFI users. In addition, our media searches are provided by EventRegistry, who receive only names from us for the purpose of providing us with a media search facility;
  • Business contacts - our externally provided CRM application is accessible only by Elucidate employees, specifically sales, marketing, and client engagement team.

International transfers of data

With one exception, we do not transfer data outside the European Economic Area (EEA).

The only exception relates to one of our sub-processors which adheres to GDPR for data relating to European citizens but is located in the US.

Our data processing centre and our backup data centre are located in Frankfurt am Main in Germany. We have configured the data centres to store data within the EU only.

A full list of sub-processors and locations in use is available from

Access rights

Upon request by the appropriate party, we can correct, erase, or grant access to the personal data we hold, or (where processing is based on consent) withdraw consent to our processing of this personal data. One can exercise these rights by email to

If there is a concern regarding the proper handling of personal data, a complaint can be made to our data protection regulator, the German Information Commissioner’s Office (

Updates to this notice

We will make changes to this notice upon annual review or as required due to changes, particularly when we change how we use your information or the sub-processors we engage. We will always publish an up-to-date version of this notice on our website at