Legal

Privacy Policy

Last updated · 21 May 2026

This Privacy Policy explains how personal data is collected, used, stored and protected in connection with the ONYX-SOS website at www.onyx-sos.com, the ONYX-SOS platform, and related enquiries, demonstrations, onboarding, implementation and support services.

For the purposes of this Privacy Policy, the ONYX-SOS website is operated by ONYX Solutions Limited. ONYX Solutions Limited manages website enquiries, demonstrations, implementation support, onboarding support, project coordination, managed compliance support and client communications in relation to ONYX-SOS.

The ONYX-SOS platform is provided by ONYX Technologies Limited. Where ONYX-SOS is used as a platform, the applicable data protection roles and responsibilities may be set out in separate written agreements, platform terms, data processing terms, engagement letters, order forms or statements of work.

References in this Privacy Policy to “ONYX”, “we”, “us” or “our” mean ONYX Solutions Limited in relation to the operation of this website and the services it provides, and where relevant ONYX Technologies Limited in relation to the ONYX-SOS platform.

We are committed to protecting your privacy and handling personal data in accordance with The Data Protection (Bailiwick of Guernsey) Law, 2017.

Who we are

Website operator and client-facing service provider

Entity
ONYX Solutions Limited
Company no.
CMP73826
Registered office
First Floor Premises, Cirrus House, Garenne Park, Rue de la Cache,
St Sampson, Guernsey GY2 4AF

Platform provider

Entity
ONYX Technologies Limited
Company no.
77760
Registered office
First Floor Premises, Cirrus House, Garenne Park, Rue de la Cache,
St Sampson, Guernsey GY2 4AF

ONYX Solutions Limited operates this website and manages enquiries, demonstrations, implementation support, onboarding support, project coordination, managed compliance support and client communications in relation to ONYX-SOS.

The ONYX-SOS platform is provided by ONYX Technologies Limited.

For questions about this Privacy Policy, please contact ONYX Solutions Limited using the details set out in Section 16 below.

Our role under data protection law

Depending on the circumstances, ONYX Solutions Limited and/or ONYX Technologies Limited may act as a controller, joint controller, processor or sub-processor.

In general:

2.1Website enquiries and communications

Where you contact us through the website, by email, by telephone, through a demo request, through a meeting, or through general business communications, ONYX Solutions Limited will usually act as controller of that information.

2.2Demonstrations, proposals and sales communications

Where we process personal data to respond to enquiries, arrange demonstrations, prepare proposals, manage prospective client relationships or send business communications, ONYX Solutions Limited will usually act as controller.

2.3Platform use by clients

Where a client uses ONYX-SOS to manage onboarding, CDD, risk assessment, screening, remediation or ongoing monitoring activity, the client will often be the controller of the personal data uploaded to or processed through the platform. In those circumstances, ONYX Technologies Limited and/or ONYX Solutions Limited may act as processor or sub-processor, depending on the contractual arrangements.

2.4Managed onboarding or compliance support

Where ONYX Solutions Limited is engaged to provide onboarding, remediation, compliance support, project management or managed services, its role will depend on the nature of the services agreed. This may be set out in the relevant engagement letter, statement of work, data processing terms or other written agreement.

2.5Separate agreements

Where separate written terms apply, those terms will take precedence over this Privacy Policy in the event of any inconsistency.

Personal data we may collect

The personal data we collect depends on how you interact with us and how ONYX-SOS is used.

We may collect and process the following categories of personal data.

A.Website and enquiry information

This may include:

  • name;
  • job title;
  • organisation;
  • business email address;
  • business telephone number;
  • enquiry details;
  • demo request details;
  • meeting notes;
  • correspondence;
  • marketing preferences; and
  • information you choose to provide through website forms, email, telephone or meetings.

B.Client and business relationship information

This may include:

  • contact details for client personnel;
  • authorised user details;
  • billing and invoicing contacts;
  • contract and proposal information;
  • service requirements;
  • project notes;
  • meeting records;
  • support requests; and
  • communications relating to implementation, onboarding or support.

C.ONYX-SOS platform user information

This may include:

  • user names;
  • business contact details;
  • login credentials or authentication identifiers;
  • role permissions;
  • user access records;
  • activity logs;
  • audit trail records;
  • configuration preferences;
  • support tickets; and
  • technical usage information.

D.Customer due diligence and onboarding information

Where ONYX-SOS is used for onboarding, CDD, risk assessment, remediation or ongoing monitoring, the platform may process information such as:

  • customer names;
  • addresses;
  • dates of birth;
  • nationality and residence information;
  • identity document information;
  • copies of identity documents;
  • proof of address documents;
  • company or entity information;
  • ownership and control information;
  • beneficial ownership information;
  • directorship, trustee, partner or authorised signatory details;
  • source of funds or source of wealth information;
  • risk assessment information;
  • screening results;
  • politically exposed person or sanctions screening information;
  • adverse media results;
  • client classification information;
  • onboarding status;
  • remediation records;
  • approval records;
  • reviewer notes;
  • MLRO or senior management sign-off records; and
  • audit trail information.

E.Technical and website information

When you use our website or platform, we may collect technical information such as:

  • IP address;
  • browser type and version;
  • device type;
  • operating system;
  • approximate location;
  • referral source;
  • pages visited;
  • date and time of access;
  • cookies and similar technology data;
  • security logs;
  • diagnostic logs; and
  • usage analytics.

Further information about cookies is available in our Cookie Policy.

F.Event and marketing information

Where you attend an ONYX event, webinar, meeting or demonstration, we may process:

  • attendance details;
  • dietary or accessibility requirements, where relevant;
  • photographs or video footage, where appropriate;
  • feedback; and
  • marketing preferences.

How we collect personal data

We may collect personal data:

  • directly from you;
  • from your employer or organisation;
  • from our clients;
  • through the ONYX-SOS website;
  • through demo request forms;
  • through email, telephone, meetings or video calls;
  • through the ONYX-SOS platform;
  • through documents uploaded to ONYX-SOS;
  • through third-party ID&V, screening, data enrichment or integration providers;
  • from publicly available sources;
  • from professional advisers or business partners; and
  • through cookies and similar technologies.

Why we use personal data

We may use personal data for the following purposes.

A.Website, enquiry and demo management

We use personal data to:

  • respond to enquiries;
  • arrange demonstrations;
  • provide information about ONYX-SOS;
  • manage website communications;
  • maintain business contact records;
  • follow up on requests; and
  • improve our website and user experience.

B.Client relationship and service delivery

We use personal data to:

  • prepare proposals;
  • enter into and manage contracts;
  • provide implementation support;
  • provide onboarding support;
  • provide project coordination;
  • provide managed compliance support;
  • configure and support ONYX-SOS;
  • manage client communications;
  • provide customer service;
  • handle billing and administration; and
  • manage our business relationship with clients.

C.Platform operation and support

We use personal data to:

  • create and manage user accounts;
  • authenticate users;
  • apply user permissions;
  • provide access to ONYX-SOS;
  • maintain audit trails;
  • monitor platform security;
  • troubleshoot technical issues;
  • provide support;
  • maintain backups;
  • improve platform functionality; and
  • protect the platform from misuse or unauthorised access.

D.Onboarding, CDD, risk assessment and compliance workflow support

Where ONYX-SOS is used by or for a client, personal data may be processed to support:

  • customer onboarding;
  • CDD and enhanced due diligence workflows;
  • identity verification;
  • document collection;
  • ownership and control analysis;
  • risk assessment;
  • screening;
  • approval workflows;
  • remediation;
  • ongoing monitoring;
  • audit and reporting;
  • regulatory record keeping; and
  • evidence capture.

E.Legal, regulatory and business administration

We may use personal data to:

  • comply with legal and regulatory obligations;
  • respond to lawful requests from regulators, law enforcement, courts or public authorities;
  • manage complaints or disputes;
  • protect our legal rights;
  • maintain business records;
  • carry out internal governance;
  • manage insurance, audit and professional advice; and
  • prevent fraud, misuse or security incidents.

F.Marketing and communications

We may use business contact information to:

  • send service updates;
  • send event invitations;
  • send newsletters or thought leadership;
  • provide information about ONYX-SOS or related ONYX services; and
  • manage marketing preferences.

You can opt out of marketing communications at any time.

Legal bases for processing

Where we act as controller, we rely on one or more of the following legal bases under The Data Protection (Bailiwick of Guernsey) Law, 2017:

  • consent, where you have given consent for a specific purpose;
  • contract, where processing is necessary to enter into or perform a contract;
  • legal obligation, where processing is necessary to comply with legal or regulatory obligations;
  • legitimate interests, where processing is necessary for our legitimate business interests or those of a third party, provided your rights and interests do not override those interests;
  • public functions, where relevant and applicable; and
  • vital interests, where processing is necessary to protect someone’s vital interests.

Where we act as processor or sub-processor, we process personal data on behalf of the relevant controller and in accordance with the applicable contract or processing instructions.

Special category data and sensitive information

ONYX-SOS may process information that is sensitive or higher risk, particularly where it is used for onboarding, CDD, enhanced due diligence, screening, remediation or ongoing monitoring.

This may include information relating to:

  • identity documents;
  • nationality or residence;
  • politically exposed person status;
  • sanctions or screening results;
  • adverse media;
  • source of funds or source of wealth;
  • criminal offence information, where lawfully processed; and
  • other information relevant to financial crime, AML/CFT/CPF, onboarding or compliance processes.

Where we process special category data, criminal offence data or other sensitive information, we will do so only where permitted by law and subject to appropriate safeguards.

Where a client uploads or provides such information through ONYX-SOS, the client is responsible for ensuring that it has a lawful basis and any necessary notices, consents or permissions for that processing.

AI-assisted processing, automation and risk scoring

ONYX-SOS may use automation, rules-based workflows, scoring models, AI-assisted tools or technology-assisted processes to support onboarding, CDD, screening, risk assessment, remediation, monitoring, audit and reporting workflows.

These tools are intended to support structured decision-making and evidence capture. They do not replace professional judgement, MLRO oversight, senior management responsibility, board responsibility or a client’s own regulatory obligations.

Where automated or technology-assisted outputs are generated, they should be reviewed by an appropriately skilled person before being relied upon.

We do not intend ONYX-SOS to make solely automated decisions that produce legal or similarly significant effects on individuals without appropriate human involvement, unless this has been expressly agreed, is lawful, and appropriate safeguards are in place.

Sharing personal data

We may share personal data where necessary and lawful with:

  • ONYX Technologies Limited;
  • ONYX Solutions Limited;
  • clients and authorised client users;
  • website hosting providers;
  • platform hosting providers;
  • IT support providers;
  • cybersecurity providers;
  • Microsoft 365 and other business software providers;
  • ID&V providers;
  • screening providers;
  • data enrichment providers;
  • workflow, integration or automation providers;
  • AI tool providers, where applicable;
  • professional advisers, including lawyers, accountants, auditors and insurers;
  • consultants, contractors and implementation partners;
  • regulators, law enforcement bodies, courts, public authorities or governmental bodies where required or permitted by law; and
  • any other third party where necessary to provide services, protect our rights, comply with legal obligations or with your consent.

We require service providers and processors to protect personal data and to process it only in accordance with appropriate contractual obligations.

We do not sell personal data to third parties.

International transfers

Some of our service providers may process personal data outside Guernsey, the United Kingdom or the European Economic Area.

Where personal data is transferred internationally, we will take steps to ensure that appropriate safeguards are in place, where required by applicable data protection law.

These safeguards may include:

  • adequacy arrangements;
  • standard contractual clauses;
  • data processing agreements;
  • contractual safeguards;
  • transfer risk assessments; or
  • other lawful transfer mechanisms.

Data security

We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration, disclosure or destruction.

These measures may include, where appropriate:

  • access controls;
  • user permissions;
  • authentication controls;
  • encryption;
  • secure hosting arrangements;
  • audit trails;
  • logging and monitoring;
  • confidentiality obligations;
  • staff training;
  • backup procedures;
  • incident response processes; and
  • contractual controls with service providers.

No website, platform, email system or technology service can be guaranteed to be completely secure. You are responsible for ensuring that your own users, devices, systems and credentials are kept secure.

Data retention

We retain personal data only for as long as reasonably necessary for the purposes for which it was collected, including to satisfy legal, regulatory, accounting, reporting, contractual, operational or compliance requirements.

Retention periods may vary depending on:

  • the type of personal data;
  • the purpose of processing;
  • contractual requirements;
  • client instructions;
  • regulatory record-keeping obligations;
  • legal limitation periods;
  • dispute or complaint handling requirements; and
  • business administration needs.

Where ONYX-SOS is used by a client, retention of platform data may be governed by the relevant contract, data processing terms, client instructions or agreed retention settings.

When personal data is no longer required, we will delete, anonymise or securely retain it where we have a lawful reason to do so.

Cookies

We may use cookies and similar technologies on the ONYX-SOS website to maintain core functionality, improve performance, understand general usage patterns and support website features.

Where required by law, we will ask for your consent before using non-essential cookies.

For further information, please see our Cookie Policy.

Marketing communications

We may send you marketing communications where you have consented to receive them or where we are otherwise permitted to do so.

You can opt out of marketing communications at any time by:

  • clicking the unsubscribe link in any marketing email; or
  • contacting us using the details in Section 16.

Even if you opt out of marketing communications, we may still send you service-related, contractual or administrative communications where necessary.

Your rights

Subject to certain conditions and exemptions under applicable law, you may have the following rights in relation to your personal data:

  • the right to be informed about how your personal data is used;
  • the right of access to your personal data;
  • the right to rectification of inaccurate or incomplete personal data;
  • the right to erasure in certain circumstances;
  • the right to restriction of processing in certain circumstances;
  • the right to object to processing in certain circumstances;
  • the right to data portability in certain circumstances;
  • the right not to be subject to solely automated decisions producing legal or similarly significant effects, subject to applicable exceptions;
  • the right to withdraw consent where processing is based on consent; and
  • the right to complain to the Office of the Data Protection Authority for the Bailiwick of Guernsey.

To exercise your rights, please contact us using the details in Section 16.

Where we process personal data on behalf of a client as processor or sub-processor, we may need to refer your request to the relevant client/controller.

Contact us

If you have any questions about this Privacy Policy, how we process personal data, or how to exercise your rights, please contact:

ONYX Solutions Limited
Registered office
First Floor Premises, Cirrus House, Garenne Park, Rue de la Cache,
St Sampson, Guernsey GY2 4AF
Company no.
CMP73826
Email
enquiries@onyxsolutions.gg
Telephone
+44 (0)1481 764688

Where your query relates specifically to the ONYX-SOS platform provided by ONYX Technologies Limited, your query may be referred to ONYX Technologies Limited as appropriate.

Complaints

You may complain to us if you are unhappy with how we have handled your personal data.

You also have the right to complain to the Office of the Data Protection Authority for the Bailiwick of Guernsey.

Office of the Data Protection Authority
Address
Block A, Lefebvre Court, Lefebvre Street,
St Peter Port, Guernsey GY1 2JP
Telephone
01481 742074
Email
info@odpa.gg

Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

The most recent version will be available on this website and will apply from the stated “Last updated” date.

Where changes are material, we may take additional steps to notify you.

← Back to home