Privacy Policy
Last updated: 17 April 2026
This Privacy Policy explains how First Mile Labs Ltd ("we", "us", "our") collects, uses, discloses, and protects personal data when you use our website and platform services (the "Services").
We are committed to handling your data transparently, securely, and in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR).
1. Who We Are
Company name: First Mile Labs Ltd
Registered in: England & Wales
Contact: contact@firstmilelabs.com
For the purposes of data protection law, we are the data controller of personal data collected via our website and Services. Where we process personal data on behalf of our bank and financial-institution clients, we act as a data processor under their instructions.
2. Personal Data We Collect
We may collect and process the following categories of personal data:
a. Information you provide to us
- Name and work email address
- Job title and institution name
- Corporate KYC application data: company name, registration number, incorporation details, registered address
- Beneficial owner information: name, ownership percentage, nationality, date of birth
- Director and officer information: name, role, nationality
- Identity documents submitted for verification (passport, national ID, driving licence)
- Business activity details: industry sector, annual revenue, source of funds
- Any information submitted via forms, support requests, or communications with us
b. Information collected automatically
When you visit our website or use our Services, we may collect:
- IP address
- Browser type and version
- Device and operating system information
- Pages visited, features used, and session duration
- Date and time of access
- Referral source
This data is collected using cookies and analytics tools (see section 8).
c. Information received from third parties
- Company registration data from public company registries
- Sanctions and politically exposed persons (PEP) data from OpenSanctions
- Identity verification results from Didit (biometric and document verification)
3. How We Use Your Personal Data
We use personal data for the following purposes and legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Services | Contract performance |
| Sending magic link authentication emails | Contract performance |
| Processing corporate KYC/KYB applications submitted by applicants | Legitimate interests of our financial institution clients (compliance obligations) |
| Screening individuals and companies against sanctions and PEP lists | Compliance with legal obligations; legitimate interests |
| Verifying identity documents via Didit IDV | Explicit consent (applicants), since biometric verification involves special category data; legitimate interests |
| AI-powered document classification and data extraction | Legitimate interests |
| Verifying company registration data against public registries | Legitimate interests; legal obligation |
| Communicating with you about your application or account | Contract performance; legitimate interests |
| Improving and developing our Services | Legitimate interests |
| Analytics and usage tracking via PostHog | Consent (via cookie banner) |
| Complying with legal obligations | Legal obligation |
4. How We Share Your Personal Data
We do not sell your personal data. We may share it with the following categories of recipients:
a. Service providers (data processors)
| Provider | Purpose | Location |
|---|---|---|
| Anthropic (Claude) | AI document classification and data extraction | USA |
| OpenSanctions | Sanctions and PEP screening | Germany |
| Didit | Identity document verification and biometrics | Spain / EU |
| Resend | Transactional email delivery (magic links, notifications) | USA |
| PostHog | Product analytics and usage tracking | USA / EU |
| Replit / hosting provider | Infrastructure and hosting | USA |
| Neon (managed PostgreSQL) | Database hosting | USA / EU |
All processors are bound by data processing agreements and required to implement appropriate security measures.
b. Public registries
When we look up a company against a public registry, we query publicly available data. No personal data about you is transmitted to these registries in the process.
c. Legal and regulatory disclosures
We may disclose personal data to law enforcement, regulators, or courts where required by law or where necessary to protect our legal rights or the safety of individuals.
d. Business transfers
If First Mile Labs Ltd is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected individuals before any such transfer results in a change to this Privacy Policy.
5. International Data Transfers
Some of our service providers are based outside the UK and EEA (for example, Anthropic and Resend in the USA). Where we transfer personal data internationally, we ensure appropriate safeguards are in place, including:
- UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs)
- Transfers to countries with a UK adequacy decision
- Binding Corporate Rules, where a provider transfers data within its own corporate group under approved rules
6. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Authentication session tokens | 8-hour lifetime; held in browser sessionStorage, which is cleared when the tab or window is closed. Magic link tokens are single-use and expire 15 minutes after issue |
| KYC application form data | Duration of the client relationship + 7 years (to meet AML record-keeping obligations) |
| Uploaded identity documents and extracted data | Duration of the client relationship + 7 years |
| Screening results and analyst decisions | Duration of the client relationship + 7 years |
| Website analytics data (PostHog) | 12 months |
| Email communications and support records | 3 years |
After the applicable retention period, data is securely deleted or anonymised. Where data is processed on behalf of a financial institution client, the client's own data retention policies apply to the underlying data.
7. Your Rights
Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data. You can exercise these rights by contacting us at contact@firstmilelabs.com.
- Right of access — to obtain a copy of your personal data we hold
- Right to rectification — to correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — to request deletion of your data, subject to legal retention obligations
- Right to restriction of processing — to limit how we use your data in certain circumstances
- Right to data portability — to receive your data in a structured, machine-readable format
- Right to object — to object to processing based on legitimate interests or for direct marketing
- Rights related to automated decision-making — to request human review of any solely automated decisions that significantly affect you
Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of prior processing.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or, if you are in the EU, with your local supervisory authority.
8. Cookies and Analytics
We use cookies and similar technologies to operate our website and understand how it is used. You can manage your cookie preferences via the cookie banner shown on your first visit.
a. Essential cookies
These are necessary for the website to function and cannot be switched off. They include session management and security cookies. No consent is required for these.
b. Analytics cookies (PostHog)
With your consent, we use PostHog to collect pseudonymised usage data (a random device identifier together with the information listed in section 2b, such as IP address, browser and pages visited). This helps us understand which features are used, identify bugs, and improve the platform. PostHog may process data outside the UK; appropriate safeguards are in place. You can opt out via the cookie banner or by visiting posthog.com/privacy.
For more detail, see our Cookie Policy.
9. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These measures include:
- TLS encryption in transit for all data
- Encrypted storage at rest
- Magic link authentication — no passwords stored
- Role-based access control (analyst / customer roles)
- Single-use, time-limited authentication tokens (15-minute expiry)
- Session tokens held in browser sessionStorage rather than localStorage, so they are discarded when the browser tab or window is closed
- Audit logging of analyst decisions and case actions
No method of transmission over the internet or electronic storage is 100% secure. In the event of a personal data breach, we will notify the ICO within 72 hours of becoming aware of it where the breach is likely to result in a risk to individuals, and notify affected individuals without undue delay where the risk is high. Where we act as a processor for a financial institution client, we will notify that client without undue delay so that it can meet its own obligations.
10. Children's Data
Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Services. We will indicate the date of the most recent update at the top of this page. For material changes, we will provide more prominent notice (for example, by email to registered users).
Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated policy.
12. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data rights, or wish to raise a concern, please contact us:
First Mile Labs Ltd
Email: contact@firstmilelabs.com
We will respond to all requests within one month, in accordance with our obligations under UK GDPR. Where a request is complex or we receive several from the same person, we may extend this by up to two further months, in which case we will tell you within the first month.