Privacy Notice | Identity-Check

Last updated: 5 November 2025

This policy explains how Actarus Services Ltd (“we”, “us”) processes your personal data when you visit www.identity-check.co.uk or use our Companies House identity verification service as an Authorised Corporate Service Provider (ACSP).

1) Who we are

Legal entity: Actarus Services Ltd (company no. 07666197)
Registered office: 316 Wimbledon Central, 21-33 Worple Road, London, SW19 4BJ
Trading names/sites: identity-check.co.uk; actarus.co.uk
ACSP agent number: AP006197
AML supervisory body: The Association of International Accountants (AIA), reg. no. 411740
ICO registration number: ZA859424
Contact: accounts@actarus.co.uk · 07810 018 274
We appoint a Data Protection Lead reachable at the email above. We do not currently appoint a statutory Data Protection Officer.

2) Scope

This policy applies to visitors to our sites and to people using our ACSP identity verification service to obtain a Companies House personal code (e.g., directors and Persons with Significant Control). We do not offer services to children.

3) The data we collect

A. Using our identity verification service

Identity information: name, previous names, date of birth, nationality, address history, contact details.
Identity documents: passport/ID card, driving licence, residence permit (numbers, issue/expiry dates, MRZ data, and images you provide).
Selfie / liveness image: provided by you for a manual face match against your document image. We do not create biometric templates or use automated biometric identification.
Proofs: proof of address (e.g., utility bill) or other evidence required by Companies House/AML rules.
Service metadata: submission timestamps, reviewer notes, decision outcome, Companies House personal code reference once issued.
Device / fraud prevention data: IP address, user agent, time zone, screen size and similar technical data for security and fraud prevention.

B. Payments

Card processing is handled by third-party processors (e.g., Stripe). We do not store full card numbers. We receive limited payment metadata for reconciliation and fraud prevention.

C. Contact & site use

We process enquiries you send us and essential cookies required for site security and sessions (see Cookies).

4) Why we process your data (lawful bases)

Legal obligation — to verify identities and keep AML/KYC records (Companies Act 2006, Economic Crime and Corporate Transparency Act 2023, and the Money Laundering Regulations 2017).
Performance of a contract — to provide the identity verification service you request and to take payment.
Legitimate interests — to prevent fraud/abuse, maintain records, improve services, and defend legal claims (we balance these interests against your rights).
Consent — only where required (e.g., for non-essential cookies or optional communications).

Special category data: We do not intentionally process special category data. If an ID document reveals such data incidentally, we treat it with heightened care. We do not perform automated biometric identification or profiling with legal or similarly significant effects.

5) How we use your data

To check your documents and identity, perform AML/KYC checks, and help obtain a Companies House personal code.
To communicate with you about your submission and outcome.
To take payment and provide receipts/invoices.
To comply with legal requirements and prevent fraud.
To maintain internal records, quality assurance and audits.

We do not sell your personal data and we do not use your data for third-party advertising.

6) Sharing your data

Companies House — to complete identity verification and issue a personal code or evidence that verification occurred.
Payment processors — e.g., Stripe (card processing).
Email/communications providers — e.g., names.co.uk (email hosting).
Hosting & IT providers — secure cloud hosting, storage, backup, logging, and security monitoring.
Professional advisers & auditors — where necessary.
Law enforcement/regulators — where required by law.

All third parties are under data processing contracts with appropriate protection terms, including safeguards for international transfers where applicable.

7) International transfers

Where providers process data outside the UK/EEA, we use recognised safeguards under UK data protection law (such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses) and assess destination risks. Details are available on request.

8) How long we keep your data (retention)

We keep personal data only as long as necessary for the purposes set out above and to meet legal obligations.

AML/KYC core retention: We retain AML/KYC records for 7 years from the date the checks are completed or from the end of our business relationship (whichever is later), in line with current Companies House expectations for ACSP record-keeping. In limited cases we may retain for longer where permitted or required by law (e.g., to establish, exercise, or defend legal claims), but never longer than necessary.

Minimisation of raw images (defence-in-depth): We delete raw ID document images and selfies within 60 days of the verification pass/fail decision, while retaining non-sensitive verification metadata and audit logs for the statutory record-keeping period.

Retention schedule:

Data category

Purpose

Retention period

Verification data (ID document images, selfie/liveness, proof of address)

Meet Companies House verification and AML requirements; defend legal claims

Raw images deleted within 60 days of decision; verification metadata & audit logs kept 7 years

Reviewer notes & decision outcome

Audit, quality assurance, defence of claims

7 years

Account/order details, invoices, payment metadata

Contract, tax and accounting

6 years from end of financial year

Device/fraud prevention data & security logs

Security, abuse prevention

Up to 12 months unless required longer for investigation

Customer support communications

Service quality, dispute handling

2 years from last interaction (longer if needed for compliance/disputes)

Marketing preferences (if opted-in)

Consent management

Until you opt out; a suppression record is kept thereafter

9) Deletion timeframes (SLA)

Standard deletion: within 30 days of expiry of the retention period or validated request.
Backups/archives: overwritten within 90 days due to technical cycles.
Downstream processors: we instruct processors to delete within 30 days of our instruction and obtain confirmation.
We may refuse or delay deletion where we must retain data to comply with law (e.g., record-keeping) or to establish, exercise, or defend legal claims.

10) Security

TLS encryption in transit and encryption at rest for stored files.
Role-based access controls; staff training and confidentiality commitments.
Audit logs for access to identity documents.
Regular patching and vulnerability management.
Time-limited, secure uploads (we discourage sending ID documents by email).

No system is perfectly secure. If we suspect a personal data breach that risks your rights and freedoms, we will notify you and the ICO where required.

11) Your rights

You have rights under UK GDPR to access, rectify, erase (in certain cases), restrict processing, object to processing based on legitimate interests, and data portability (where applicable). Where we rely on consent, you may withdraw it at any time. To exercise your rights, email accounts@actarus.co.uk. We may need to verify your identity. You can also complain to the Information Commissioner’s Office (ICO): ico.org.uk or 0303 123 1113.

12) Cookies

We use a minimal set of essential cookies required for site operation (e.g., session, CSRF protection, Stripe checkout). We do not use analytics or advertising cookies. See our Cookie Policy for details.

13) Automated decision-making

We do not carry out automated decision-making that produces legal or similarly significant effects. Any liveness/face-match checks are reviewed by a human.

14) Sub-processors

We use carefully selected service providers who process personal data on our behalf. We have data processing agreements with each provider and assess international transfer safeguards.

We will update this list before adding or replacing a sub-processor and, where required, provide a way to object on reasonable data-protection grounds.

Sub-processor

Service

Data processed

Location of processing: London (UK)

Transfer safeguard

Stripe Payments UK, Ltd.

Payment processing

Name, email, billing address, payment metadata (no full card numbers stored by us)

UK/EU/US

UK Addendum to SCCs / IDTA (as applicable)

Namesco Limited (names.co.uk)

Email hosting

Contact details: accounts@actarus.co.uk

UK/EU

Local drive

Encrypted storage of verification files

ID images, selfies, proofs, audit logs

Region, UK (London)

Not applicable if in UK/EEA; otherwise UK Addendum / IDTA

Time-limited uploads

ID images, proofs

Support ticketing

Contact details, support messages

15) Changes to this policy

The latest version is shown on this page with the effective date above. If changes are material, we will notify you by email or via the website.

16) Contact

Actarus Services Ltd
accounts@actarus.co.uk
316 Wimbledon Central, 21-33 Worple Road, London, SW19 4BJ

Annex A — Data map & retention schedule (summary)