First AML Privacy Policy

First AML Limited and its below stated subsidiaries (“First AML“, “we” and “us“) is the provider of an end-to-end customer onboarding solution. We act on behalf of our customers (“Customers”) to verify the identities of their customers (“Clients”) for the purposes of aiding our Customers’ compliance with anti-money laundering and countering financing of terrorism laws and regulations (“Applicable Laws“).

This privacy policy (“Policy“) sets out how we collect, use, disclose and protect the Personal Information of:

A. Clients (see Section A); and
B. Customers, website visitors, and others (see Section B), 

(together, “you” and “your”)

In this Policy:

  • Personal Information” means any information about an identifiable individual and includes “Personal Data” as defined in the European General Data Protection Regulation 2016/679 (“GDPR”), if applicable; and
  • Service Providers” means the third party service providers we procure services from (also known as “sub-processors”), together with our business and analytics partners.

First AML complies with the GDPR, the New Zealand Privacy Act 2020, and the Australian Privacy Act 1998 (together, the “Data Privacy Laws”); and nothing in this Policy should be interpreted as attempting to limit any of your rights under the relevant Data Privacy Laws.

We may update this Policy from time to time, and any changes will be published directly to our website and will be effective from the date of publication. Please check in occasionally to see what might have changed. This Policy was last updated in March 2022.

Section A: Clients

If you are interacting with us as a Client, we are potentially (depending on your election, or the election of your authorised representative, either at the time of providing your Personal Information to us or subsequently) processing your Personal Information in two distinct capacities:

  1. on our Customer’s behalf, i.e. on behalf of the specific financial institution, law firm, accounting firm, real estate agency, or other service provider you have engaged to provide you with a service and who in turn has engaged us to verify your identity (“Current Provider”); and 
  2. if instructed by you or your authorised representative, on behalf of any future service provider you may engage and who in turn instructs us to verify your identity (“Future Provider”).  

Where we are processing your Personal Information for a Current Provider (see 1 above), we are doing so as a data processor solely at the direction and on behalf of that Current Provider. This Policy does not apply in these situations, and any questions or requests in relation to your Personal Information or the handling thereof must be directed to the relevant Current Provider, who will then instruct us to take the appropriate action, if required. With the exception of the “retrieval process” detailed below, we are otherwise legally prohibited from taking any independent action with respect to such Personal Information. 

Note: By virtue of you visiting our website, parts of Section B (below) may also apply to you. For example, we may collect your device/IP information.

1. Retrieval process

Where you have instructed us to process your Personal Information for the purposes of sharing that information with a Future Provider (see 2 above), we will be acting as a data controller with respect to the transfer of your Personal Information to such Future Provider, and you are authorising us to:

  1. obtain your Personal Information from a Current Provider when a Future Provider engages us to verify your identity; and
  2. provide that information to that authorised Future Provider, provided, however, that we obtain your explicit consent before doing so. We will obtain such consent by directly reaching out to you by email, phone, or text message.

This retrieval process described above (“Retrieval Process”) enables you to share your Personal Information from one source to another, without the need to re-provide the same information each time. 

2. Information we collect and disclose during the retrieval process

When acting as a data controller with respect to your Personal Information during the Retrieval Process, we are querying and collecting from Current Providers, and disclosing to:

  1. Future Providers, 
  2. our own Service Providers; and 
  3. anyone else you expressly authorise, 

the following categories of Personal Information (the “Retrieved Information”):

Category of Personal Information

Profile and contact information

Examples of Personal Information we collect:

  • First and last name
  • Email
  • Phone number
  • Address
  • Unique identifiers
Biometric information
  • Faceprints (and facial mapping and scans of digitised images)
Sensory information
  • Photos, videos or recordings of you and your environment
  • First and last name contained on your identification documents 
  • Postal address contained on your identification documents
Demographic information
  • Age / date of birth contained on your identification documents
  • Nationality indicated on your identification documents
  • Sex indicated on your identification documents

3. How long we retain information

We retain the Retrieved Information for as long as necessary to perform the Retrieval Process or until you withdraw your consent (if during the Retrieval Process).

Immediately after providing your Retrieved Information to a Future Provider (which, at that point, will become a Current Provider) we will cease acting as a data controller of your Retrieved Information and will permanently delete any such data records that we are holding in our capacity as a data controller. For the avoidance of doubt, this deletion will not delete or otherwise affect records of our Customers who will continue to remain controllers in respect of their own activities.

This marks the end of the Retrieval Process and we will not process your Retrieved Information as a data controller again until the next Future Provider engages us to verify your identity and you again provide your consent for us to initiate the Retrieval Process. 

4. Opting out of the retrieval process

The Retrieval Process has been developed for your convenience and for the convenience of the service providers you engage. If you wish, you can opt out of this process at any time by emailing us at

Section B: Customers, website visitors and others

Note: this Section B only applies to Personal Information that we hold as a data controller (for example, information relating to your use of our website). To exercise your rights with respect to Personal Information that we hold as a data processor on behalf of our Customers (for example, your identity verification information described in Section A above), please get in touch directly with the relevant Customer. If you have difficulty identifying or getting in touch with a Customer, let us know and we will try to assist you.

If you are interacting with us as an employee of a Customer, website visitor or otherwise, this section sets out how we process your Personal Information as a data controller. For GDPR purposes, when we act as a controller in relation to your Personal Information, First AML UK Limited (company number 13802565) is our regional representative.

1. Personal Information we collect

We only collect Personal Information you choose to give us. However, if you are an employee of a Customer, we may require you to provide us with certain Personal Information in order to provide you with secure access to our services. 

1.1 Information Collected Directly

We may collect directly from you, and disclose to our Service Providers and anyone else you expressly authorise, the following categories of Personal Information:

Category of Personal Information

Profile and contact information

Examples of Personal Information we collect:

  • First and last name
  • Email
  • Phone number
  • Address
  • Unique identifiers
Professional or employment-related  information
  • Job title
  • Job history
Other identifying information that you voluntarily choose to provide
  • Identification documents such as a passport or driver’s license
  • Other identifying information in emails, letters or documents you provide us
Audio, electronic, visual, thermal, olfactory, or similar information
  • Feedback, enquiries, preferences and opinions that you provide us
  • Content of the messages, emails or other communications that you provide us
  • Survey information

1.2 Information Collected Automatically

We may also collect the following categories of Personal Information automatically when you visit our website or use our services, and we may disclose this information to our Service Providers and anyone else you expressly authorise:

Category of Personal Information

Device/IP information

Examples of Personal Information we collect:

  • IP address
  • Device ID
  • Domain server
  • Type of device / operating system / browser 
Web analytics
  • Web page interactions
  • Referring webpage
  • Non-identifiable request IDs
  • Statistics associated with the interaction between device or browser and our website
Geolocation information
  • IP-address-based location information
  • GPS data

1.3 Cookies

We use cookies and similar technologies to help us learn about our website visitors and customer base for the purposes of improving our services and the way in which we offer those services. 

Cookies are small pieces of data – usually text files – placed on your computer or similar device when you access our websites. We may supplement the information we collect from you with information received from third parties, including third parties that have placed their own cookies on your devices. 

We use “session” cookies to keep you logged in while you use our services, to better understand how you interact with our services, and to monitor aggregate usage information. We use “persistent” cookies to recognise you when you use our website or services, and to remember your preferences. We may also use web beacons, tags, and scripts on our website and services to help us understand how our website and services are used, what other websites our visitors have visited, and when an email is being opened and acted upon so that we can improve our services. 

We also use Google Analytics, a web analytics service provided by Google, Inc. (“Google“), to help analyse how people use our services, compile reports and improve the quality and relevance of our services. The information generated by Google Analytics is transmitted to, and stored by, Google and is subject to Google’s privacy policies. To learn more about Google’s partner services and how to opt out of analytics tracking by Google, click here.

1.4 Third parties

We may collect from our Customers, Service Providers, and from public sources, and disclose to our Service Providers and anyone else you expressly authorise, the following categories of Personal Information:

Category of Personal Information


Examples of Personal Information we collect:

  • First and last name
  • Email
  • Phone number
  • Address
  • Unique identifiers
Professional or employment-related information
  • Job title
  • Job history

2. What we do with your Personal Information

2.1 How we use it

We will only process your Personal Information if we have a legal basis for doing so. The legal basis on which we rely depends on the Personal Information concerned and the specific context in which it was collected. Generally, we rely on the following legal bases:

  • Contractual Necessity: We process your Personal Information as a matter of “contractual necessity”, meaning that we need to process the data to perform a contract with you, such as to provide you with our services. When we process Personal Information due to contractual necessity, failure to provide your Personal Information may result in us being unable to provide our services to you.
  • Legitimate Interest: We may process your Personal Information when we believe it furthers our legitimate interest or that of third parties, and such interest is not overridden by your fundamental data protection rights. 

Examples of legitimate interests include:

  • Providing, customising and improving our websites and services.
  • Corresponding with you.
  • Promoting our services.
  • Conducting analysis, market research and business development.
  • Maintaining the security of our services.
  • To comply with our legal obligations, respond to claims, and to resolve disputes.

We may have other legitimate interests and, if applicable, we will make clear to you at the relevant time what those legitimate interests are.

  • Consent: In some cases, we process Personal Information based on the consent you expressly provide at the time of collection. When we process Personal Information based on your consent, it will be expressly indicated to you at the point and time of collection.
  • Legal Obligation: From time to time we may also need to process Personal Information to comply with a legal obligation, if it is necessary to protect your vital interests or that of other data subjects, or if it is necessary for a task carried out in the public interest.

2.2 When we share it

We will not generally share your Personal Information with third parties (other than those of our Customers with which you have an established relationship and our Service Providers). However, we may share your Personal Information to a statutory or regulatory authority, or a law enforcement agency, if required by law. We may also share your Personal Information to any other person authorised by you.

We will not sell your Personal Information within the meaning of applicable Data Privacy Laws. 

3. Accessing, correcting, erasing and your other rights

In addition to your other rights set out elsewhere in this Policy, you may contact us at any time to access your Personal Information and to request:

  • Rectification or supplementation, if you believe that any of the Personal Information we are holding about you is incorrect or incomplete.
  • Erasure of your Personal Information, either in full or in part. 
  • Withdrawal of consent, where our processing of your Personal Information is based on your consent (as indicated at the time of collection).
  • More information about the Personal Information we hold about you and to request a copy of your Personal Information, or transmission to another controller where technically feasible.
  • Restriction on our further use or disclosure of your Personal Information, for either some or all purposes.
  • Opt-out of marketing and other communications, by using the “unsubscribe” links on our emails or by contacting us at

Before you exercise these rights, we will need to verify your identity (or the identity of the person making the request on your behalf). We will then process your request as soon as possible and in accordance with applicable Data Privacy Laws. We will only ever withhold information, or fail to action a correction request, where necessary and legally permitted; in which case we will provide you with written notice, together with an explanation.

4. Data retention

We will retain your Personal Information:

  1. for as long as necessary to achieve the purposes for which it was collected; or
  2. in some cases, where we have an ongoing legitimate need to do so (for example, to comply with legal, tax or accounting obligations, or to resolve disputes), for longer than is necessary to achieve the purpose for which it was obtained.

When we no longer have an ongoing legitimate need to process Personal Information, we will either delete or anonymise it. If deletion or anonymisation is not immediately possible (for example, because the Personal Information has been stored in backup archives), we will securely store the Personal Information and isolate it from any further processing until deletion or anonymisation is possible.

5. Security and storage

We use appropriate physical, technical, organisational and administrative security measures to protect the Personal Information we hold from unauthorized access, use and disclosure. The servers on which we store Customer data (which may include Personal Information) are operated by Amazon Web Services and are located in Dublin, Ireland (for Customers located in the European Economic Area, United Kingdom or Switzerland) and in Sydney, Australia (for Customers located in other countries); and reside in data centres that are SOC 1, SOC 2 and ISO 270001 certified. The data centres have round-the-clock security, automatic fire detection and suppression, redundant power supply systems, and strict controls for physical access.

Data held on our servers cannot be seen by anyone who has not entered into a contract with First AML which includes confidentiality obligations. Data is encrypted when it is sent to and from our servers, as well as when it is at rest. To protect data in transit, 256-bit SSL/TLS encryption is used. At rest, data is protected using 256-bit AES encryption. Although we work to protect the security of the Personal Information we hold, please be aware that no method of transmitting data over the internet or storing data is completely secure.

6. International data transfers

When we share data, it may be transferred to, and processed in, countries other than the country you live in. These countries may have data protection laws that are different to what you’re used to. Rest assured, we have appropriate safeguards in place to ensure that your Personal Information remains protected in accordance with this Policy and all applicable Data Privacy Laws. 

If you are located in the European Economic Area, United Kingdom or Switzerland, these safeguards include transferring your information to a country that the European Commission or UK authorities (as applicable) have determined provides an adequate level of protection for personal information, or by implementing standard contractual clauses with our customers, third party service providers and partners. Please refer to our sub-processors page for a list of our Service Providers and their locations. For further information, please contact us at  

7. Contact information

If you have any questions, concerns or would like to make a complaint about any of our data handling practices, or if you would like a copy of this Policy in an alternative format, please contact us at We will promptly investigate any concerns or complaints and will respond to you as soon as practically possible, by email, setting out the outcome of our investigation and the steps we will take in response. 

We also encourage you to seek further information about your rights from (and, where you think it necessary, complain directly to) the relevant privacy authority:

First AML Entities:

  • First AML Limited is a New Zealand company (number 6553092) with its registered office at 317 New North Road, Kingsland, Auckland 1010, New Zealand. 
  • First AML Pty Limited is an Australia company (number 643929140) with its registered office at 45 Clarence Street, Sydney, New South Wales, Australia.
  • First AML UK Limited is a company registered in England and Wales (number 13802565) with its registered office at Level 2, 91-93 Great Eastern St, N1 3LH, London, United Kingdom