CREED FINANCIAL CRIMES COMPLIANCE FIRM
GLOBAL PRIVACY POLICY
Effective Date: 06/23/2025
1 | INTRODUCTION & SCOPE
Creed Financial Crimes Compliance Firm (“Creed,” “we,” “our,” or “us”) is committed to safeguarding the privacy of every individual and entity that interacts with our websites, online portals, mobile applications, social media pages, and any other digital or offline services that link to or reference this Privacy Policy (collectively, the “Services”). This Policy explains in detail what personal information we collect, how we use it, the legal bases for processing, how long we retain it, with whom we share it, and what rights you have under all major privacy regimes in force as of 2025—including, without limitation, the EU & UK GDPR, U.S. state privacy statutes (e.g., CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, FDBR, TIPPA, TDPSA), Canada’s PIPEDA & provincial acts, Brazil’s LGPD, Singapore’s PDPA, Australia’s Privacy Act 1988 (Cth), and other applicable frameworks.
PLEASE READ THIS POLICY CAREFULLY. By accessing or using any of Creed’s Services, you acknowledge that you have read, understood, and agree to the practices described herein. If you do not agree, please refrain from using our Services.
2 | DEFINITIONS
For the purposes of this Policy:
1. “Personal Information (PI)” means any information—alone or in combination—that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a natural person or, where applicable, a household or legal entity.
2. “Sensitive Personal Information (SPI)” includes, but is not limited to, government-issued identifiers, financial-account data, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric data used for identification, information concerning health, and information concerning sex life or sexual orientation.
3. “Process” / “Processing” encompasses any operation performed on PI, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, erasure, or destruction.
4. “Controller” is the entity that determines the purposes and means of processing PI. Creed typically acts as a Controller when we process PI for our own business purposes.
5. “Processor” (or “Service Provider”) processes PI on behalf of a Controller under written instructions. Creed may act as a Processor when performing services for clients.
6. “Services” refers to all websites (including creedfinancialcrimescompliancefirm.com and its sub-domains), portals, consulting engagements, litigation support, and any other products or offerings that link to this Policy.
3 | CATEGORIES OF PERSONAL INFORMATION WE COLLECT
Depending on your relationship with Creed, the nature of your interactions, and applicable law, we may collect the following categories of PI:
# | Category | Examples | Typical Source(s)
3.1 | Identification Data | Full name, title, job role, government ID numbers (masked where required), date of birth | Directly from you; public registries; KYC/AML vendors
3.2 | Contact Data | Business or personal postal address, email, telephone, fax, messaging handles | Directly from you; your employer
3.3 | Professional Information | Employer, industry, regulatory licenses, compliance certifications, litigation history | You; public filings; third-party data providers
3.4 | Financial Information | Bank account details, payment card numbers (tokenized), billing history, investment data | You; financial institutions; payment processors
3.5 | Device & Usage Data | IP address, browser type, OS, referral URLs, clickstream, session logs, timestamps | Automated technologies (cookies, pixels, SDKs)
3.6 | Geolocation | Approximate location derived from IP; precise location if you enable GPS | Automated technologies; mobile device settings
3.7 | Communications | Emails, chat transcripts, call recordings (with notice), feedback forms | Direct interactions
3.8 | Compliance & Due-Diligence Data | Sanctions-list checks, adverse media, beneficial-ownership details, risk scores | Government watchlists; data-scraping tools; specialized vendors
3.9 | Sensitive Personal Information | ID numbers, biometric templates (facial or voiceprints for access control), health data (only if you provide it voluntarily, e.g., dietary restrictions for events) | You; specialized security systems
3.10 | Children’s Data | Creed does not target children under 16 and does not knowingly collect children’s PI. If we learn that we have inadvertently collected such data, we will promptly delete it. | N/A
4 | SOURCES OF PERSONAL INFORMATION
1. Direct Collection – When you complete web forms, sign contracts, attend events, request proposals, subscribe to newsletters, or correspond with us.
2. Automated Collection – Via cookies, web beacons, log files, and similar technologies integrated into our Sites and emails (see Section 10 | Cookies & Similar Technologies).
3. Third-Party Sources – Public databases, credit agencies, social media platforms, marketing partners, fraud-prevention services, sanctions lists, and our professional clients.
4. Client Engagements – When Creed acts as a Processor (e.g., AML investigations, SOX audits, litigation support), we may receive PI from the hiring client for explicit, contractually defined purposes.
5 | LEGAL BASES FOR PROCESSING (GDPR / UK GDPR)
When the GDPR or UK GDPR applies, Creed relies on one or more of the following legal bases:
Legal Basis | Typical Scenarios
Contractual Necessity | To enter into or perform a contract with you or your organization (e.g., providing consulting deliverables, managing user accounts).
Legitimate Interests | Fraud detection, network security, marketing to existing clients, improving Services—balanced against your privacy rights.
Legal Obligation | Compliance with AML, sanctions, tax, accounting, subpoena, or court-order requirements.
Consent | Sending certain marketing communications, using non-essential cookies, processing SPI where required by law. You may withdraw consent at any time.
Vital Interests | Rare circumstances involving potential harm to individuals (e.g., anti-terrorist due diligence).
For jurisdictions that require contractual clauses for cross-border transfers (e.g., Standard Contractual Clauses, UK Addendum, or Data Transfer Agreements), Creed implements such mechanisms where appropriate.
6 | PURPOSES FOR WHICH WE USE PERSONAL INFORMATION
1. Provision of Services – To perform compliance audits, litigation support, risk assessments, and advisory mandates requested by clients.
2. Account Management & Billing – Processing payments, managing subscriptions, and maintaining client relationship records.
3. Due Diligence & Screening – Conducting KYC, AML, sanctions, and adverse media checks in accordance with laws and industry standards.
4. Fraud & Security Monitoring – Detecting, investigating, and preventing fraud, money laundering, cyber-threats, and other illicit activity.
5. Regulatory Compliance – Meeting obligations under banking, financial-services, securities, anti-corruption, data-protection, and consumer-protection laws.
6. Marketing & Business Development – Sending newsletters, event invitations, white papers, and surveys to professionals who have opted-in or have an existing client relationship.
7. Analytics & Service Improvement – Assessing performance of our Sites, debugging issues, understanding user behavior, and enhancing product features.
8. Litigation & Enforcement – Exercising or defending legal claims, responding to subpoenas, enforcing contracts, and protecting Creed, our clients, and the public.
9. Recruiting & HR – Processing job applications, verifying references, onboarding employees, and administering benefits.
10. Corporate Transactions – In the event of a merger, acquisition, reorganization, or sale of assets, PI may be transferred as part of the transaction subject to confidentiality safeguards.
7 | DISCLOSURE OF PERSONAL INFORMATION
Creed discloses PI only as necessary for legitimate purposes, with appropriate contractual and technical safeguards. Recipients may include:
Recipient Type | Purpose & Safeguards
Affiliated Entities | Internal administration and consolidated reporting under intra-group data-sharing agreements containing GDPR-compliant model clauses.
Service Providers & Processors | Cloud hosting, analytics, payment processing, email distribution, background screening; bound by confidentiality and data-processing agreements.
Professional Advisors | Auditors, lawyers, accountants, insurers—solely for advisory or claim-management purposes, under confidentiality obligations.
Regulators & Law-Enforcement | Where required by applicable law or pursuant to valid legal process (court orders, subpoenas, FinCEN requests).
Business Partners | Joint marketing initiatives, event co-hosting, or integrated service offerings—with opt-out options for marketing communications.
Clients (when Creed Is Processor) | Investigation findings, compliance reports, and related deliverables, pursuant to the master services agreement.
Successors in Interest | Part of corporate restructuring, merger, or asset sale, provided that any new owner will continue to honor this Policy or equivalent protections.
We do not sell PI for monetary consideration. Where U.S. state laws treat certain sharing for advertising or analytics as a “sale” or “share,” Creed offers opt-out rights in accordance with Section 13.
8 | INTERNATIONAL DATA TRANSFERS
Creed operates globally, and PI may be stored and processed in any country where we or our vendors operate. We implement appropriate safeguards, such as:
• Standard Contractual Clauses (SCCs) approved by the European Commission;
• UK International Data Transfer Addendum;
• Binding Corporate Rules (BCRs) where applicable;
• Data Privacy Framework (DPF) certifications (for U.S. transfers, if finalized);
• Supplementary technical and organizational measures (encryption, pseudonymization, zero-trust access controls).
9 | DATA RETENTION & DESTRUCTION
Creed retains PI only for as long as necessary to fulfill the purpose(s) for which it was collected, comply with legal and regulatory obligations, resolve disputes, enforce agreements, and maintain appropriate business records. Retention periods are determined by:
1. Statutory and regulatory requirements (e.g., AML record-keeping mandates up to 5–10 years).
2. Applicable statutes of limitation for litigation or investigations.
3. Contractual commitments with clients.
4. Best-practice guidelines issued by supervisory authorities.
Upon expiry of the relevant period, PI is securely erased, anonymized, or archived in an irreversible, non-retrievable form.
10 | COOKIES & SIMILAR TECHNOLOGIES
Creed uses first-party and third-party cookies, pixels, tags, and local-storage objects to:
• Remember preferences (language, region, login sessions);
• Analyze traffic (Google Analytics 4 with IP anonymization);
• Enhance security (CSRF tokens, authentication cookies);
• Facilitate marketing (LinkedIn Insight Tag, HubSpot tracking).
Essential cookies are necessary for site functionality and cannot be disabled. Non-essential cookies are set only after obtaining your consent via our banner or preference center.
11 | DATA SECURITY
Creed employs a defense-in-depth framework, including:
• ISO 27001-aligned Information Security Management System (ISMS);
• AES-256 encryption at rest; TLS 1.3 encryption in transit;
• Multi-factor authentication (MFA) and role-based access control (RBAC);
• Network segmentation, zero-trust architecture, and intrusion-detection systems;
• Vendor-risk assessments and penetration testing;
• Incident-response plan with 24/7 monitoring and breach-notification procedures compliant with GDPR Art. 33–34, CCPA § 1798.82, and other regimes.
No system is 100% secure; however, Creed continuously evaluates and enhances safeguards to mitigate emerging threats.
12 | YOUR PRIVACY RIGHTS
Jurisdiction | Key Rights
EU / UK GDPR | Access, rectification, erasure, restriction, data portability, objection, automated-decision review, lodge complaint with supervisory authority.
California (CCPA/CPRA) | Right to know, correct, delete, opt-out of sale/share, limit use of SPI, non-discrimination.
Virginia / Colorado / Connecticut / Utah / Florida / Tennessee / Texas | Access, correct, delete, data portability, opt-out of targeted advertising, sale, profiling (varies by state).
Canada (PIPEDA & provincial acts) | Access, correction, withdrawal of consent, lodge complaint with Privacy Commissioner.
Brazil (LGPD) | Confirm existence, access, correct, anonymize, delete, portability, information on sharing, revoke consent.
Australia (Privacy Act) | Access, correction, complaint to OAIC.
To exercise any of these rights free of charge (subject to reasonable limits), please submit a verifiable request via:
• Postal Mail: Data Protection Officer, Creed Financial Crimes Compliance Firm,
We will confirm receipt within the timeframe mandated by applicable law (e.g., 10 business days under CPRA) and respond substantively within statutory deadlines (e.g., 30–45 days). Where we act as a Processor, please contact the relevant Controller (our client) directly.
13 | U.S. STATE OPT-OUT MECHANISMS
Creed does not sell PI for money. When we engage in cross-context behavioral advertising or share PI with analytics providers, you may opt-out by:
1. Clicking the “Do Not Sell or Share My Personal Information” link in the website footer;
2. Enabling a recognized opt-out preference signal (e.g., Global Privacy Control (GPC)) in your browser—Creed honors GPC for California users;
3. Adjusting cookie settings to disable marketing and analytics cookies.
14 | AUTOMATED DECISION-MAKING & PROFILING
Creed does not use fully automated decision-making that produces legal or similarly significant effects without human involvement. Risk-scoring tools used in AML and sanctions due diligence provide advisory outputs reviewed by qualified analysts before any adverse action is taken.
15 | CHILDREN’S PRIVACY
Our Services are not directed to children under the age of 16 (or lower age of consent under local law). We do not knowingly collect PI from children. Parents or guardians who believe their child has provided PI without consent should contact us immediately to request deletion.
16 | THIRD-PARTY WEBSITES & SOCIAL MEDIA PLUG-INS
The Services may contain links to external sites, social media widgets, or embedded content (e.g., YouTube, LinkedIn posts). Creed is not responsible for the privacy practices or content of such third-party platforms. We encourage you to review their privacy statements before interacting or sharing PI.
17 | REGULATORY DISCLOSURES
1. California Shine the Light – Creed does not share PI for third-party direct-marketing purposes.
2. Nevada SB 220 – Creed does not sell covered information; nonetheless, Nevada residents may submit opt-out requests via privacy@creedfinancialcrimesfirm.com.
3. U.S. Fair Credit Reporting Act (FCRA) – Creed is not a consumer-reporting agency but follows FCRA requirements when handling background-check data.
4. HIPAA / GLBA – Although Creed is not a “covered entity,” we adopt HIPAA/GLBA-like safeguards when processing client data that contains Protected Health Information (PHI) or Non-Public Personal Information (NPI).
18 | NOTICE FOR APPLICANTS, EMPLOYEES & CONTRACTORS
If you apply for a job at Creed or are engaged as an employee/contractor, we process additional PI (e.g., professional references, background check data, compensation, tax identifiers) as described in the Employee & Applicant Privacy Notice supplied at the point of collection. This Policy supplements, but does not override, that notice.
19 | CHANGES TO THIS POLICY
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or technology. Material changes will be announced by:
1. Posting the revised Policy with a new “Effective Date” at the top; and
2. Providing an in-site banner or, where legally required, direct notice and/or consent.
Your continued use of the Services after the Effective Date signifies acceptance of the revised Policy.
20 | HOW TO CONTACT US
Data Protection Officer (DPO)
Creed Financial Crimes Compliance Firm
If you are an EEA resident and believe we have not adequately resolved your concern, you may lodge a complaint with your local supervisory authority. UK residents may contact the Information Commissioner’s Office (ICO); EU residents may contact the authority in their member state. For non-EU jurisdictions, please consult your national data-protection regulator.
21 | ANNEX A – COOKIE CATEGORIES & LIFESPANS (Summary)
Category | Purpose | Example Provider | Typical Expiry
Strictly Necessary | Session management, security | Creed (first-party) | Session
Preferences | Language, region | Creed (first-party) | 1 year
Analytics | Site usage statistics | Google Analytics 4 | 2 years
Marketing | Remarketing & A/B testing | LinkedIn, HubSpot | 90 days
22 | ANNEX B – U.S. STATE PRIVACY NOTICE SUPPLEMENT (CPRA, VCDPA, etc.)
This Annex provides state-specific disclosures required under U.S. privacy laws, including:
1. Categories of PI collected and disclosed in the last 12 months (mirroring Section 3), with indication of business or commercial purpose (§1798.140 CPRA).
2. Sensitive Personal Information processed and right to limit its use (California only).
3. Metrics on consumer requests received, complied with, or denied over the previous calendar year (§1798.130 CPRA).
4. Appeals Process for Virginia, Colorado, and Connecticut residents (submit an appeal to info@creedfinancialcrimescompliancefirm.com; final response within 45 days).
23 | ACKNOWLEDGMENT
By accessing, browsing, or otherwise using Creed’s Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy, and you consent to the collection, use, and disclosure of your Personal Information as set out above.