Data Privacy Policy

1. About us

This is the privacy notice for Themis International Services Ltd, incorporated in England, with company number 11733141, of 1-2 Paris Garden, London, SE1 8ND.  

Registered address: Castle House, Castle Street, Guildford, GU1 3UW, UK.

We are a risk management firm specialising in financial crime.  We provide the following services:

  • Innovation: Pioneering RegTech tools to manage financial crime risk, including our Anti Financial Crime Risk Rating and Benchmarking Tool and our Themis Financial Crime Search Engine.
  • Intelligence: Preventative steps to avoid damaging links to financial criminals through Enhanced Due Diligence and ESG Reports.
  • Insight: Threat-based research, analysis and training that educates and drives change.
  • Insourcing: MLRO and Compliance Services

Data Protection Officer (DPO): dpo@wearethemis.com

2. About this notice

This notice explains what personal data we collect in connection with the provision of our Services, why we need that data, and how we use it.

We do not share personal data with 3rd parties other than in specific sponsor cases outlined later in this document. This notice should make clear exactly when and to whom data may be transferred.

Our website provides a small number of links to other websites, which are beyond our control. We encourage you to read the privacy statements on the other websites you visit.

We might need to change this privacy notice from time to time. We will publish our privacy notice on our website (available at wearethemis.com) and we will do our best to update you directly if we think the changes might materially affect you. Please do keep an eye on our notice before giving us any personal data.

3. About the data we hold

- Visitors to our website

Our websites include:

Cookies are small data files that websites store on your device. They help websites remember preferences and understand how visitors use different features. Most browsers automatically accept cookies, but you can usually change your browser settings to decline them. This may affect how parts of our website work.

- Necessary cookies

These are required for our website to function – for example, enabling secure login or remembering your cookie preferences. They do not require your consent.

- Analytical cookies

These help us understand how visitors use our site, so we can improve it. We only set these once you select “Accept” via our cookie banner.

- Functionality cookies

These remember your preferences and recognise you when you return, including functionality from third-party services. We only set these once you select “Accept” via our cookie banner.

- Marketing cookies

These record your visit to our site so we can make advertising more relevant to you and measure how effective it is. Where you consent, we share this information with third parties, such as our advertising and social media partners, for this purpose. We only set these once you select “Accept” via our cookie banner.

When you first visit our site, you will see a banner offering “Accept”, “Reject All”, or “Customise”. Non-essential cookies (analytical, functionality, and marketing) are only set on your device if you choose to accept them. You can change your choice at any time using the cookie settings link in our website footer.

- Marketing

Themis collects details from event attendees, event recordings, newsletter subscribers and subscribers of our Products where they have agreed to and accepted our data privacy policy.  

Separately, we also may identify people who are likely to find our events or products useful for their jobs by looking for source business contact details and information about an individual’s job role on publicly available resources and business websites.

Our team will use those business contact details to send event invites and emails about relevant industry news.  

We always include an unsubscribe link at the bottom of any such email which we send, so that you can let us know if you do not wish to receive any further marketing emails.

Our lawful basis for using personal data in this way is that it is necessary to protect our legitimate interest in promoting our business.

- Events

If you sign up to an event:

  • We will collect basic details of all those wishing to attend a Themis digital event such as a webinar or roundtable, or if we host a physical event. This information includes name, job title, organisation and industry.
  • For some sponsors of events, we provide these details, but only with prior approval when registering for the event. We consider the processing to be necessary to protect our legitimate interest in running an effective event. We will not share your details with the venue or other third parties for marketing purposes unless you provide your consent.  

If you are speaking at one of our events:

  • We will use the details you provide us with to contact you in connection with the event and, if relevant, process any payment or facilitate any obligations or rights set out in the agreement between you and us. Such processing will be carried out on the basis that it is necessary to facilitate the contract between you and us. We will only use the retained information to comply with regulatory requirements or in the event of a dispute between us, which processing would be carried out on the basis that it is necessary to protect our legitimate interest of protecting our business.
  • We will publicise the bio that you provide, on the basis that such processing is necessary to achieve our legitimate aim of running a successful event and we will retain both the bio and details relating to the talk you give after the event for our internal records as well as for marketing purposes for future events.

- Subscription services

We will use personal data that we collect from clients (which may include details of our clients’ staff) who have subscribed to receive our Services, in the following ways:

  1. To fulfil the contract: which includes setting you up as a client, providing you with updates relating to our Products and processing your user ID, password and contact details and any payments to be made. Any such use will be on the basis that the processing is necessary to fulfil the contract between you and us.
  2. When you terminate your subscription, we will keep full records about your subscription for two years in case you want to reactivate your account.
  3. We will also retain details of transactions for a period of up to 6 years for our internal records. Any further use of the retained information will only be to comply with regulatory requirements or in the event of a dispute between the recipient and us – which processing would be carried out on the basis that it is necessary to protect our legitimate interest of protecting our business.
  4. We use automated tools to monitor website access using your account details, to identify and manage potential security issues and to keep your account safe. Any such usage data shall be processed to the extent necessary for our legitimate interest of ensuring our Products are secure. We will retain usage data for a period of up to 6 years for our internal records. Any further use of the retained information will only be to comply with regulatory requirements or in the event of a dispute between you and us – which processing would be carried out on the basis that it is necessary to protect our legitimate interest of protecting our business.

- Job applicants

If you contact us directly about a job, we will use the information you provide us with to assess your suitability for the role and progress your application. Data we will require includes contact details, your curriculum vitae, your previous experience, education and answers to questions relevant to the role you have applied for. Our HR team and the hiring manager for the role will have access to this data.

We will only share your data with contracted third parties if it is necessary for the recruitment process and will notify you at the time. We will never sell your data or use it for marketing purposes. If we need to securely process the data in another country, we will let you know before the transfer happens.

If your application is not successful, unless you ask us to retain your data for other opportunities in the future, we will store your details for six months to help with any questions, before securely deleting or anonymising the data.

If your application is successful, we will need to complete employment checks for legal reasons, to verify your right to work in the country and to verify your previous employment references.

We will only process such data to the extent required to achieve our legitimate interest of maintaining a workforce for our business.

A copy of our Data Retention Policy, which sets out the periods for which we hold personal data, is available from the DPO on request at dpo@wearethemis.com.

4. Our security procedures

Security of personal data is very important to us. Our business operates a Cyber Security Essentials Plus certification, which is externally audited, and we are working towards the ISO 27001 International Security Standard. We use a wide range of organisational, technical, physical and operational controls, which are assessed for effectiveness on a regular basis.

5. Will we disclose personal data to anyone else?

We will only disclose any personal data that we hold to our employees, affiliated companies and third parties who are contracted to help us provide our Services (some of whom may be based outside the UK or EEA). Any such third parties will be acting as processors on our behalf and will be contractually bound only to use the data in accordance with our instructions and to implement adequate security measures.

Where personal data is transferred outside the UK or European Economic Area (EEA), we ensure that appropriate safeguards are in place. We rely on the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) as approved transfer mechanisms under UK GDPR to protect your data when it is sent to countries that do not have an equivalent level of data protection to the UK.

We may share personal data with third parties (which will also be acting as controllers in respect of that personal data) in the following circumstances:

If we are under a legal duty to do so or if it is required to enforce or apply our contracts or to protect the operation of our website, or the rights, property or safety of us or others.

If we sell, transfer or merge parts of our business or our assets. If a change happens to our business, then the new owners will only be entitled to use personal data in accordance with the provisions set out in this privacy notice.

6. Rights of data subjects

Individuals have certain rights under the applicable data protection legislation in respect of the personal data which we hold relating to them. This includes:

  1. Right to be informed: the right to be informed about what personal data we collect and store about you and how it is used.
  2. Right of access: the right to request a copy of the personal data held.
  3. Right of rectification: the right to require us to correct any personal data held about you which is inaccurate or incomplete.
  4. Right to be forgotten: in certain circumstances, the right to have the personal data held about you erased from our records.
  5. Right to restriction of processing: the right to request us to restrict the processing carried out in respect of personal data relating to you. You might want to do this, for instance, if you think the data held by us is inaccurate and you would like to restrict processing until the data has been reviewed and updated if necessary.
  6. Right of portability: in certain circumstances, the right to have the personal data held by us about you transferred to another organisation, to the extent it was provided in a structured, commonly used and machine-readable format.
  7. Right to object: the right to object where processing is carried out, including for direct marketing purposes.
  8. Right not to be subject to automated decision-making: the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects or other similarly significant effects on you. Please see Section 7 below for further information about our use of automated processing.

7. Automated processing and profiling (Article 22 UK GDPR)

As part of the financial crime risk management services we provide, Themis may use automated processing — including algorithmic screening and risk-scoring tools — to assist in the identification of financial crime risks such as money laundering, sanctions violations, fraud, and terrorist financing (AML/CFT screening).

Where such automated tools are used in connection with our clients’ due diligence obligations, the processing may include:

  • Screening names and entities against sanctions lists, politically exposed persons (PEP) databases, and adverse media sources.
  • Generating risk scores or risk ratings for individuals or entities based on data held in our systems.
  • Flagging matches or alerts for further human review.

In all cases where automated screening generates an output that may have a legal or similarly significant effect on an individual (for example, a sanctions match), that output will be subject to human review before any decision is made or communicated. We do not make legally or significantly consequential decisions based solely on automated means without human oversight.

If you believe you have been adversely affected by an automated processing decision, you have the right under Article 22 UK GDPR to:

  • Request human review of the decision.
  • Express your point of view.
  • Contest the decision.

To exercise these rights, please contact our Data Protection Officer at dpo@wearethemis.com.

8. Complaints of queries

If you wish to exercise any of your rights set out in section 6 above, or if you have any questions about this notice or how we handle your personal data, please contact our Data Protection Officer (DPO):

Email: dpo@wearethemis.com

When we receive a request, we will try to verify your identity and the request, before responding to you within one calendar month.

Given the nature of the Services we provide, in certain situations, we may be able to rely on certain exemptions under the General Data Protection Regulation and the Data Protection Act 2018. These exemptions may enable us to resist the disclosure of information, erasure requests and rectification requests in certain circumstances, and exempt us from some notification obligations.

We will confirm to you in writing to acknowledge receipt of any request we receive relating to your rights as a Data Subject, and we will let you know if we have complied with your request. If, having carried out an assessment, we believe we have an overriding reason for resisting your request, we will let you know why we have reached that conclusion.

We will retain details of your request for two years, for quality assurance purposes, and may retain requests relating to marketing preferences or restricted use for a longer period to ensure that we can comply with your request and to help if you have any further questions about the matter. Any such processing will be limited to the extent strictly necessary to achieve our legitimate interest of providing a robust and secure data management procedure.

Please let us know if you are not happy about how we are handling your data. We will do our best to resolve the matter, but if you have further concerns, it is your right to make a complaint to the UK Information Commissioner’s Office at https://www.ico.org.uk.

9. Policy Implementaion, review and monitoring

Responsibility for the implementation of this policy lies with the Data Protection Officer and Themis Senior Management Team. They are responsible for making the company aware of the policy, and for its review.  

This policy will be reviewed every year and at points of significant change to the business such as the leasing of office premises or the addition of a new team location.  

Version 2.0  |  June 2026  |  Updated following DPO Review

Last Reviewed: June 2026

Have a Question? Get in Touch