1. Our commitment
Friam Limited (“we”, “us”, “our”) is the company behind AgentGuard, Ready Vet Staff (VetGuard), HotelGuard, FirmGuard, CareGuard and the EveryGuard family of UK compliance products. We are fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This statement outlines our approach to data protection and your rights as a data subject.
2. Data controller information
Data controller: Friam Limited
Company number: 14219476 (England and Wales)
Registered address: 164–170 High Street, Crowthorne, England, RG45 7AT
ICO registration: ZC088528
Contact email: legal@everyguard.uk
3. Categories of personal data we process
For our customers and their team
- Identity and contact data (name, role, email, telephone, postal address)
- Agency information (trading name, registered office, company number, VAT number, ICO reference)
- Money-laundering nominated officer (MLRO) details
- Director or partner names that appear on signed compliance documents
- Team-member training records (name, email, mobile, role, completion dates, certificates)
- Subscription and billing data (handled by Stripe)
For your customers (when you run a CDD check on them)
When you instruct us to verify a customer’s identity, you are the data controller and we are your data processor. The categories below apply on that basis:
- Identity data (name, date of birth, nationality, address)
- Images of the identity document(s) provided — for example a passport photo page, or a driving licence (front and back) — together with the data extracted from them, and (for passport NFC reads) the machine-readable-zone fields, the chip data-group hashes, and the passive-authentication result. These document images are retained as part of the CDD record for the MLR 2017 retention period
- Facial / biometric data — a liveness selfie compared against the document and chip photo to confirm the holder. This face-matching is processing of special-category biometric data under Article 9
- Sanctions / PEP screening matches and corroborating attributes from public lists — treated as criminal-offence-related data under Article 10
- The decision and reasoning recorded by you or your team, and the audit pack evidencing the check (retained five years per MLR 2017)
For visitors to our marketing site
- IP address, user-agent, page visited, session-scoped pageview record
- UTM source / medium / campaign parameters where present
4. Lawful bases for processing
We rely on the following lawful bases under Article 6 of UK GDPR:
| Purpose | Lawful basis |
|---|---|
| Running compliance scans and hosting your Trust page | Contract performance |
| Drafting your compliance documents and recording adoption signatures | Contract performance |
| Delivering AML training to your team and recording certificates | Contract performance & legal obligation (MLR 2017 reg. 24) |
| Cold outreach to public AML-register entries | Legitimate interests |
| Customer due-diligence checks performed on your behalf | Processing on behalf of the data controller (you), under a Data Processing Agreement |
| Biometric (face-match) and sanctions / PEP (criminal-offence-related) data within a CDD check | Processing on your behalf under our DPA; the Article 9 / 10 condition is substantial public interest — preventing money laundering (Sch 1, DPA 2018) — tied to your MLR 2017 obligations |
| Audit-pack retention | Legal obligation (MLR 2017 record-keeping rules) |
| Sub-processor monitoring and security logging | Legitimate interests |
| Marketing communications beyond initial outreach | Consent (with opt-out always available) |
5. Your data subject rights
Under UK GDPR, you have the following rights:
5.1 Right of access (Article 15)
You can request a copy of the personal data we hold about you. We will provide this within one month, free of charge (unless requests are manifestly unfounded or excessive).
5.2 Right to rectification (Article 16)
You can request correction of inaccurate personal data or completion of incomplete data.
5.3 Right to erasure (Article 17)
You can request deletion of your personal data. Where MLR 2017 or UK tax law requires us to retain a record (for example, a signed AML policy snapshot, a customer CDD audit pack, or a financial transaction record), we cannot delete it until that retention period expires — this is a legal obligation, not a choice.
5.4 Right to restriction (Article 18)
You can request restriction of processing while we verify accuracy or consider your objection.
5.5 Right to data portability (Article 20)
You can request your data in a structured, commonly used, machine-readable format where processing is based on consent or contract and carried out by automated means.
5.6 Right to object (Article 21)
You can object to processing based on legitimate interests — including our cold outreach. We will stop unless we demonstrate compelling legitimate grounds. To opt out of cold outreach, click the unsubscribe link in any email we send, or email us.
5.7 Rights related to automated decision-making (Article 22)
Our AI-assisted compliance scoring, our agency-type classifier, and our sanctions / PEP screening produce findings, but they do not make fully automated decisions with legal or similarly significant effects. The agent — or, in the customer-CDD case, the MLRO — is always the decision-maker. You can request information about the logic involved in any automated processing.
6. How to exercise your rights
To exercise any of your rights, please contact us:
- Email: legal@everyguard.uk
- Post: Data Protection, Friam Limited, 164–170 High Street, Crowthorne, RG45 7AT
We may need to verify your identity before processing your request. We will respond within one month, though this may be extended by two months for complex requests (we will inform you if this is the case).
7. Sub-processors and international transfers
The sub-processors we use are listed in the Privacy Policy (§7.1). All sub-processors are bound by data processing agreements. Two flows occur outside the UK: optional facial-liveness / face-match processing in AWS Ireland (eu-west-1, EU), and our AI sub-processor Anthropic in the United States (including, as a fallback, reading a CDD document image when automated extraction fails). We rely on the UK’s adequacy finding for the EU, and the UK International Data Transfer Addendum to the EU Standard Contractual Clauses for the US.
8. Data security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
- Regular testing and evaluation of security measures
- Procedures for managing data breaches
- Magic-link auth for trainee accounts (no passwords stored)
- Access controls limiting data access to authorised personnel
9. Data breach notification
In the event of a personal data breach, we will:
- Notify the ICO within 72 hours where required (where the breach is likely to result in a risk to rights and freedoms)
- Notify affected individuals without undue delay where there is a high risk to their rights and freedoms
- Document all breaches regardless of notification requirements
For breaches affecting customer-CDD data we process on your behalf, we will notify you (the controller) without undue delay so you can meet your own notification obligations.
10. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk to individuals, including our sanctions / PEP screening and our biometric customer-verify flow.
11. Children’s data
Our services are designed for individuals aged 18 and over. Customer due-diligence checks performed by our customers may legitimately involve subjects of any age, on the legal basis of the customer’s own MLR 2017 obligation.
12. Supervisory authority
If you are not satisfied with how we handle your data or your data subject request, you have the right to lodge a complaint with the supervisory authority:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
13. Updates to this statement
We review this GDPR Statement regularly and will update it as necessary. Material changes will be communicated via our website. We encourage you to review this statement periodically.