Services and Investigations Privacy Notice

The data controller is DIAMOND INTELLIGENCE LIMITED (Company No. 17136632), registered at Portland House, Belmont Business Park, Durham, England, DH1 1TW. We are registered with the UK Information Commissioner's Office (registration ZC170812).

This notice complements our website Privacy Policy, which covers visitors to https://diamondaii.comand general website enquiries. Where we act as a processor on a client's behalf, that client's own privacy information applies. For data protection enquiries, email info@diamondaii.com.

We process personal data as a controller about:

• prospective and actual clients and their staff, officers and representatives;
• individuals who are the subject of, or named in, an investigation, due diligence or public-record intelligence engagement; and
• other individuals whose personal data we process for our own business purposes (for example suppliers and professional contacts).

Where we act as a processor for a client (the controller), we process personal data on that client's documented instructions under our Data Processing Agreement, and the client is responsible for providing privacy information to the relevant individuals.

Depending on the engagement, we may process:

• contact and relationship data (name, role, organisation, email, telephone, correspondence);
• information supplied by a client for an engagement;
• public-record and open-source information, such as company and charity registers, regulatory registers, sanctions and similar lists, insolvency and court information where lawfully available, land registry information, and publicly available online information;
• information we generate, such as chronologies, evidence references, source-provenance notes, analysis, indicators and confidence assessments.

In limited and expressly scoped circumstances, an engagement may involve special category data (UK GDPR Article 9) or criminal offence data (UK GDPR Article 10). We process such data only where necessary, under an appropriate condition, and in accordance with our Appropriate Policy Document.

We obtain personal data directly from you; from our client; from public records, registers and open sources; and from approved third-party data providers. Some personal data we process about investigation subjects is therefore not obtained directly from the individual concerned.

We rely on the following lawful bases under UK GDPR Article 6:

• Legitimate interests (Article 6(1)(f)): to provide our services and carry out evidence-led analysis, investigations, due diligence and public-record intelligence. Our legitimate interests, and those of our clients, include obtaining decision-grade evidence, assessing risk, and preventing or detecting fraud, dishonesty or other unlawful acts. We carry out a balancing assessment.
• Contract (Article 6(1)(b)): to take steps to enter into, and perform, our contract with a client.
• Legal obligation (Article 6(1)(c)): where we must process personal data to comply with the law.
• Consent (Article 6(1)(a)): where we rely on consent, for example optional marketing. Consent can be withdrawn at any time.

Where we process special category data, we also rely on a condition under Article 9 and Schedule 1 to the Data Protection Act 2018; where we process criminal offence data, on a condition under Article 10 and Schedule 1. The conditions and safeguards are set out in our Appropriate Policy Document.

Where we rely on legitimate interests, we balance those interests against the rights and interests of the individuals concerned. We consider the client's legitimate purpose (for example fraud prevention, due diligence or a dispute), whether the processing is necessary and proportionate, and the likely impact on the individual.

We apply data minimisation, use source-provenance and confidence notes, separate fact from indicator, and restrict access. Individuals may object to processing based on legitimate interests (see Your rights).

Where we obtain personal data from sources other than the individual (for example public records), UK GDPR Article 14 requires us to provide certain information to that individual. We do so unless an exemption applies.

Exemptions we may rely on include where: providing the information proves impossible or would involve a disproportionate effort; providing it would render impossible or seriously impair the achievement of the objectives of the processing (for example where notifying a subject would prejudice the prevention or detection of fraud, dishonesty or other unlawful acts); the personal data must remain confidential subject to an obligation of professional secrecy or legal professional privilege; or another exemption in the UK GDPR or Schedule 2 to the Data Protection Act 2018 applies. We record our reliance on any exemption.

We may share personal data with: the client who commissioned the engagement (including investigation and due-diligence outputs); professional advisers; our processors and sub-processors (for example hosting, secure storage, email and approved AI/API providers); and law enforcement, regulators or courts where this is lawful or required. We may also transfer data to a successor on a sale of our business.

Personal data is stored in the United Kingdom. Some of our providers, or their parent companies, are based outside the UK, so limited processing may involve a transfer of personal data outside the UK. Where that happens, we rely on appropriate safeguards, such as UK adequacy regulations or the UK International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses.

We keep personal data only as long as necessary, in line with our internal Data Handling Policy and Data Processing Agreement. Indicative periods are: enquiry data where no engagement proceeds — up to 24 months; engagement and contract records — 6 years; project working files — 12 months after completion; final deliverables and evidence logs — 6 years; subject to legal, insurance, professional-defence and accounting requirements. Special category and criminal offence data are retained only as long as necessary, per our Appropriate Policy Document.

Under UK data protection law, you have rights to:

• access your personal data;
• have inaccurate data corrected;
• have data erased in certain circumstances;
• restrict or object to processing (including processing based on legitimate interests);
• data portability where applicable; and
• withdraw consent where we rely on it.

Some rights are qualified, and exemptions may apply — in particular to investigation and evidence material — for example where complying would prejudice the prevention or detection of crime, the establishment, exercise or defence of legal claims, or the rights of others. Where we rely on an exemption we will tell you, unless doing so would itself undermine the exemption.

To exercise your rights, contact info@diamondaii.com. You may also complain to the Information Commissioner's Office (ICO) at ico.org.uk.

We do not make solely automated decisions that produce legal or similarly significant effects about individuals. AI tools may assist our analysis, but final deliverables are reviewed by us before issue.

We may update this notice from time to time. The "Last updated" date at the top of this page will change when we do.