First AML Privacy Notice

Corporate information of the First AML Group

First AML Limited and its subsidiaries (“First AML”, “we”, “us”, or “our”) provide an end-to-end customer onboarding and identity verification platform to assist regulated firms with compliance under anti-money laundering (AML) and countering financing of terrorism laws (“Applicable Laws”). 

Our entities include: 

  • First AML Limited: A New Zealand company (number 6553092) with its registered office at 12 MacKelvie Street, Grey Lynn, Auckland 1021, New Zealand. 
  • First AML Pty Limited: An Australian company (number 643929140) with its registered office at L9, 75 King Street, Sydney, NSW 2000, Australia.
  • First AML UK Limited: A company registered in England and Wales (number 13802565) with its registered office at 64 Great Eastern Street, EC2A 3QR. 

For GDPR purposes, when we act as a controller in relation to your Personal Information, First AML UK Limited is our regional representative. 

What does First AML do? 

We act on behalf of our customers (“Customers”) to verify the identities of their clients (“Clients” or “End Users”) for AML compliance. This involves collecting and processing Personal Information, including sensitive data, to perform Verification Checks. 

We process Personal Information in two main capacities: 

  • As a data processor on behalf of a specific Customer (your “Current Provider”), who has engaged us.
  • As a data controller, during our optional Retrieval Process, we facilitate the sharing of verified information with future Customers (“Future Providers”) upon your consent. 

This Notice applies to Personal Information we hold as a data controller (e.g., during Retrieval or from website visitors). For data we process solely as a processor, please direct queries to the relevant Customer.

Note: We comply with the UK GDPR (as amended by the Data (Use and Access) Act 2025), EU GDPR (where applicable), New Zealand Privacy Act 2020 (including the Biometric Processing Privacy Code 2025), and Australian Privacy Act 1988 (as amended by the Privacy and Other Legislation Amendment Act 2024) (collectively, “Data Privacy Laws”). 

First AML’s commitment to data privacy

We are committed to protecting your privacy and handling Personal Information transparently and securely. Nothing in this Notice limits your rights under Data Privacy Laws. We regularly review and update this Notice; changes are effective upon publication on our website. This Notice was last updated on 7th November 2025.

Contents

  1. How can you contact us?
  2. What kinds of personal data do we collect, and how?
  3. What do we use personal data for?
  4. What are our legal grounds for handling your personal data?
  5. Who do we share your personal data with?
  6. Where in the world is the personal data sent and stored?
  7. For how long is my personal data retained?
  8. Do we make automatic decisions about you or profile you using your personal data?
  9. What rights do you have in relation to the personal data we hold about you?
  10. Security
  11. How do we process your biometric information?
  12. Credit reference agencies
  13. Who can you complain to if you are unhappy about the use of your personal data?
  14. Changes to this Privacy Notice

1. How can you contact us?

For data we process solely as a processor, please direct queries to the relevant Customer.

If you have questions, concerns, or wish to exercise your rights, contact our Data Protection Officer at: 

  • Email: privacy@firstaml.com
  • Post: First AML Limited, 12 MacKelvie Street, Grey Lynn, Auckland 1021, New Zealand

We will respond promptly in accordance with applicable Data Privacy Laws.

2. What kinds of personal data do we collect, and how?

“Personal Information” means any information about an identifiable individual, including “Personal Data” under the UK/EU GDPR and “sensitive information” under applicable laws. 

We collect Personal Information from: 

  • Clients (End Users): During Verification Checks or Retrieval Process.
  • Customers, Website Visitors, and Others: Directly or automatically.

Information collected from Clients (End Users)

We may collect the following during Verification Checks (as processor) or Retrieval (as controller):

Profile and contact information:
  • Full name
  • Email
  • Phone number
  • Address and postcode
  • Other unique identifiers
Document checks:
  • Image(s) of the identity document
  • Information extracted from the identity document (e.g. name, document number, date of birth, nationality, type of document, issuing country, expiration date, information embedded in barcodes, QR codes, security chips and features, which will vary depending on the type of document)
  • Data that may be construed as a scan of face geometry
Biometric checks and Authentication:
  • Video of the User (including background audio recording at Customer’s option)
  • Image of the face in the identity document reference image
  • Transcribed text from the video clip (if applicable)
  • Scans of face geometry
  • Data that may be construed as a voiceprint
Device/IP information:
  • IP address
  • Device ID
  • Domain server
  • Hardware/software attributes (e.g. operating system, browser type, time zone)
Geolocation information:
  • IP-based location
  • GPS data

Sources of information

We collect information directly from you, from your current service provider (our customer), or from authorised and trusted third parties such as credit reference agencies and document issuers. We do not collect biometric data from public sources.

For certain data sources, including mobile verification, you authorise your mobile carrier to disclose your mobile account details to verify your identity. Those details may include your name, address and device details. You authorise third parties, which may consist of your mobile operator, internet service provider, financial institution, government organisations, and other authoritative data sources, to disclose to First AML and its data processing partners data only to validate your identity and prevent fraud on your account. You also authorise First AML to disclose this data directly to its data processing partners only for the purposes described herein. This data shall only be maintained for the duration of the business relationship.

Information collected from Customers, Website Visitors, and Others

We may collect directly from you, and disclose to our Service Providers and anyone else you expressly authorise, the following categories of Personal Information:

  • Profile and contact information: Full name, email, phone number, address, unique identifiers, and job title.
  • Other identifying information: Identification documents, content in emails/letters, feedback, enquiries, and survey information.
  • Audio/Electronic/Visual Information: Content of messages/emails/communications.
  • Web Analytics: Web page interactions, referring webpage, non-identifiable request IDs, and usage statistics.

Sources: Directly from you (e.g., forms, communications), automatically (e.g., cookies, Google Analytics), or from Customers/third parties/public sources. 

We use cookies (session and persistent), web beacons, and similar technologies to improve services. For Google Analytics, please refer to Google's privacy policies and opt-out here.

3. What do we use personal data for?

We collect and use personal data and information for:

  • Verification Checks: To verify identities for AML and counter-terrorism compliance on behalf of Customers.
  • Retrieval Process: To obtain and share verified information with Future Providers upon consent.
  • Service Improvement: Customising services, conducting analysis, and market research.
  • Communications: Corresponding with you, promoting services.
  • Security and Compliance: Maintaining security, complying with legal obligations, and resolving disputes.
  • Biometrics: Solely for identity verification and identity fraud prevention. We do not use it for any form of profiling or analysis beyond that purpose.

4. What are our legal grounds for handling your personal data?

We process only where we have a legal basis: 

  • Contractual Necessity: To provide services or perform contracts (e.g., Verification Checks).
  • Legitimate Interests: For purposes like service improvement, security, and AML compliance (not overridden by your rights).
  • Consent: For the Retrieval Process, biometrics, or marketing (withdrawable anytime).
  • Legal Obligation: To comply with Applicable Laws or regulatory requests.

For special category data, we rely on explicit consent or substantial public interest under UK/EU GDPR, or comply with heightened requirements under NZ/AU laws. Should you decline to provide consent for our handling of your personal data, we may be unable to complete the relevant verification or onboarding process. In such cases, this may affect your ability to proceed with the Customer or access certain services that rely on identity verification. The Customer may instead require in-person verification or other such means, available at their discretion.

5. Who do we share your personal data with? 

  • Service Providers: Third-party processors (e.g., sub-processors listed on our website).
  • Customers: During Verification (as processor) or Retrieval (to Future Providers with consent). 
  • Authorities: If required by law (e.g., regulatory or law enforcement). 
  • Others: As authorised by you. 

We do not sell Personal Information. Sharing complies with Data Privacy Laws, including safeguards for transfers.

6. Where in the world is the personal data sent and stored?

First AML utilises the following AWS regions for delivering its service: 

  • APAC: primary region: ap-southeast-2 (Sydney) with ap-southeast-4 (Melbourne) for disaster recovery scenarios.
  • EU: primary region: eu-west-1 (Ireland) with eu-central-1 (Frankfurt) for disaster recovery scenarios.

We may transfer personal and biometric information to service providers and partners located around the world, including (but not limited to) New Zealand, Australia, the United Kingdom, the European Union, and other countries where our trusted providers or we operate.

We ensure these transfers are protected through adequacy decisions, standard contractual clauses, or other comparable safeguards under the UK/EU GDPR and equivalent New Zealand/Australian requirements.

Biometric information may be processed by our sub-processors in jurisdictions with comparable privacy protections, such as Australia, Singapore, the United Kingdom or the European Union. You can view our current sub-processors and data locations here

For more information, please contact privacy@firstaml.com.

7. How long is my personal data retained?

We retain data for as long as required by law and/or as instructed by the customers on whose behalf we hold the data.

We review retention periodically. For indirect collection, we notify you where practicable.

8. Do we make automatic decisions about you or profile you using your personal data?

We may use automated processing for identity verification (e.g., biometric matching), but we do not make solely automated decisions with legal effects. Profiling may occur for service improvement purposes, but you have the right to object. 

We ensure safeguards are in place for any automated decision-making.

9. What rights do you have in relation to the personal data we hold about you?

You have rights under Data Privacy Laws. For Personal Information we hold as a data controller (e.g., during the Retrieval Process or from website visits), these rights are exercisable via privacy@firstaml.com.

For Personal Information we hold as a processor on behalf of a Customer (e.g., during Verification Checks), please contact the relevant Customer, who will instruct us if action is required. We respond within statutory timelines (e.g., 1 month under UK/EU GDPR) where applicable.

  • Access: Request confirmation and a copy of your data.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure (“Right to be Forgotten”): Delete data where there is no compelling reason to retain it (e.g., consent withdrawn; balanced against AML obligations).
  • Restriction: Restrict processing in certain cases (e.g., accuracy disputes).
  • Objection: Object to processing based on legitimate interests or marketing.
  • Portability: Receive data in a portable format or transfer it to another controller.
  • Withdraw Consent: Where processing relies on consent (does not affect prior lawfulness).
  • Not Subject to Automated Decisions: Request human review if applicable.

Rights may vary by jurisdiction. For processor-held data, contact the Customer. 

10. Security

We use appropriate physical, technical, organisational, and administrative measures to protect Personal Information from unauthorised access, use, and disclosure. Key safeguards include measures such as: 

  • Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256.
  • Infrastructure: Data is hosted on Amazon Web Services (AWS) servers, which hold SOC1, SOC2 and ISO 27001 certifications, featuring 24/7 security, automatic fire detection/suppression, redundant power systems, and strict physical access controls.
  • Access Controls: Access is granted on a least-privilege basis, with multi-factor authentication (MFA), quarterly reviews, and full auditing/logging of all production access.
  • Monitoring and Vulnerability Management: We employ 24/7 monitoring for anomalous behaviour, continuous vulnerability scanning, and quarterly independent penetration testing.
  • Certifications and Compliance: We maintain ISO 27001:2022 certification and comply with relevant Data Privacy Laws, with additional details available in our Trust Centre. 

Although we align with industry standards to secure your data, no method of transmission or storage is completely secure. For more information, visit our Security page: https://www.firstaml.com/about/help/security

11. How do we process your biometric information?

Biometrics are collected only for identity verification/fraud prevention, as sensitive/special category data. 

  • Collection: With explicit consent or legal basis. You may opt out of biometric verification and complete identity verification manually instead.
  • Use/Disclosure: Solely for stated purposes; shared only with authorised parties. We do not use biometric information for any form of monitoring, profiling, categorisation, or emotional analysis.
  • Security: Enhanced safeguards.
  • Rights: Access, correction, deletion; DPIA conducted.

12. Credit reference agencies

As a part of verification processes for the purpose of complying with the relevant Anti-Money Laundering and Counter-terrorism laws, we may need to disclose your full name, residential address and date of birth to a service provider, who may provide such information to a credit reference agency for the purpose of providing an assessment of whether this identification information matches (in whole or in part) personal information held by the credit reference agency.

Further document verification services may be conducted, involving the verification of personal details against the document issuer or official record holder. The credit reference agency may compare your details with personal information held by the agency (including the names, residential address and dates of birth of other individuals) for the purpose of making this assessment.

Records of the verification request will be maintained by First AML and the credit reference agency and retained for a period of 7 years from the date of the request. You can request access to your records.

You have the right to let us know by email at privacy@firstaml.com if you do not want us to disclose your personal information to a credit reporting agency for this purpose and opt for an alternate means of verifying your identity.

See Equifax's Credit Reference Agency Information Notice (CRAIN): https://www.equifax.co.uk/privacy-hub/crain.

13. Who can you complain to if you are unhappy about the use of your personal data? 

For data we process solely as a processor, please direct complaints to the relevant Customer.

For the data we process as Controller, please first contact First AML.

If unsatisfied, you can contact: 

  • UK: Information Commissioner's Office (ico.org.uk/make-a-complaint).
  • NZ: Privacy Commissioner (privacy.org.nz/your-rights/making-a-complaint).
  • AU: Office of the Australian Information Commissioner (oaic.gov.au/privacy/privacy-complaints).

14. Changes to this Privacy Notice

We update as needed. Check our website; continued use implies acceptance.