Label Technologies Group of entities Privacy Policy

This Privacy Policy describes how Label Technologies Group of entities ("Label", "we", "us", or "our") collects, uses, and protects personal information in connection with our regulatory reporting platform, accessible at https://fatcacrs.labeltech.io.

Our platform is a business-to-business (B2B) service that enables financial institutions, service providers, and other regulated entities ("Customers") to fulfil their FATCA and CRS regulatory reporting obligations.

This policy is effective as of 20 December 2022.

Last updated: 8 January 2026

Categories of Personal Data We Handle

We handle two distinct categories of personal data, each with different purposes and legal bases:

1. Platform User Data (Authorised Personnel)

When authorised personnel from our Customers access the platform, we collect minimal personal data required to provide secure access to our services:

  • Name and email address: Obtained implicitly through enterprise Single Sign-On (SSO) authentication via the Customer's identity provider (e.g., Google Workspace, Microsoft Entra ID, or other SAML/OIDC providers configured by the Customer).

We do not request or collect any additional personal information from platform users beyond what is provided by the authentication process.

2. Customer-Submitted Data (Regulatory Reporting Data)

In the course of providing our regulatory reporting services, Customers upload data concerning their own clients, account holders, and beneficial owners ("Data Subjects"). This data typically includes personal information required for FATCA and CRS compliance.

This data is submitted by authorised Customer personnel and processed by us strictly in accordance with Customer instructions and applicable Data Processing Agreements (DPAs). We do not determine the purposes or means of processing this data—the Customer does.

Our Role Under GDPR

The General Data Protection Regulation (GDPR) distinguishes between Data Controllers (who determine the purposes and means of processing) and Data Processors (who process data on behalf of Controllers).

We are a Data Controller for:

  • Platform User Data: The minimal personal data (name, email) of authorised personnel who access our platform. We use this data solely to provide secure access, maintain audit logs, and communicate about service-related matters.

We are a Data Processor for:

  • Customer-Submitted Data: All personal data uploaded by Customers for regulatory reporting purposes. In this capacity, we process data exclusively as necessary to provide the regulatory reporting service, as defined by the platform's functionality and our Data Processing Agreements.

When acting as a Processor, we do not use Customer-Submitted Data for any purpose other than providing the regulatory reporting services requested by the Customer. We do not analyse, profile, sell, or otherwise exploit this data for our own purposes under any circumstances.

How We Use Personal Data

Platform User Data

We use platform user data solely for the following purposes:

  • Authenticating and authorising access to the platform
  • Maintaining security and audit logs
  • Providing technical support when requested
  • Communicating essential service-related information
  • Complying with legal obligations

Customer-Submitted Data

We process Customer-Submitted Data strictly for the purpose of providing regulatory reporting services as instructed by the Customer. This includes:

  • Validating and processing data for FATCA and CRS report generation
  • Generating regulatory reports in required formats
  • Storing data securely for the duration specified by the Customer
  • Providing the Customer with access to their data and reports through the platform

Data Minimisation

We adhere to the principle of data minimisation. We do not collect, request, or retain any personal data beyond what is strictly necessary to provide our services:

  • We do not collect additional personal data from platform users beyond what is provided through enterprise SSO.
  • We do not extract, copy, or use Customer-Submitted Data for any purpose other than fulfilling the Customer's regulatory reporting requirements.
  • We do not engage in marketing, profiling, or any form of commercial exploitation of the data we process.

Automatically Collected Data

Log Data

When you access our platform, our servers automatically log standard technical data provided by your web browser, including:

  • IP address
  • Browser type and version
  • Pages accessed and time of access
  • Referring URL

This data is used for security monitoring, troubleshooting, and maintaining platform integrity. It is retained for a limited period and is not combined with other data sources for profiling purposes.

Error Reporting

If you encounter errors while using the platform, we may automatically collect technical data about the error and the circumstances surrounding its occurrence. This data is used solely for diagnosing and resolving technical issues.

Security of Personal Data

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and audits
  • Employee training on data protection

While we employ industry-standard security practices, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

Data Retention

Platform User Data

We retain platform user data for as long as the user's account remains active or as necessary to provide services to the Customer. If a user's access is revoked or the Customer relationship ends, we will delete or anonymise user data within a reasonable period, unless retention is required for legal or compliance purposes.

Customer-Submitted Data

Retention of Customer-Submitted Data is governed by our agreements with each Customer and applicable regulatory requirements. Customers may instruct us to delete their data in accordance with their data retention policies, subject to any legal retention obligations.

Disclosure of Personal Data to Third Parties

We may disclose personal data to:

  • Affiliated entities within the Label Technologies Group, subject to equivalent data protection standards
  • Third-party service providers who assist in operating our platform (see below), bound by contractual obligations to protect data
  • Legal authorities when required by law or to respond to valid legal processes
  • Professional advisors (legal, audit) under confidentiality obligations

We do not sell personal data to third parties. We do not share Customer-Submitted Data with any third party except as instructed by the Customer or required by law.

Third-Party Service Providers

We use the following third-party services:

  • Authentication: Google, Microsoft Entra ID, Auth0 (for enterprise SSO)
  • Cloud Infrastructure: Amazon Web Services (hosting, data storage, computing)
  • Error Monitoring: Sentry (technical error tracking)

These providers are bound by contractual obligations to process data only as instructed and to maintain appropriate security measures.

Your Rights (GDPR)

If you are a platform user (authorised personnel), you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data, subject to legal retention requirements
  • Restriction: Request that we limit processing of your data in certain circumstances
  • Portability: Request your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests

To exercise these rights, please contact us using the details below. We will respond within the timeframes required by applicable law.

Rights Regarding Customer-Submitted Data

If you are a Data Subject whose personal data has been submitted by a Customer for regulatory reporting, please direct any requests regarding access, rectification, erasure, or other rights to the relevant Customer (the Data Controller). As a Data Processor, we will assist the Customer in responding to such requests in accordance with our contractual obligations.

Cookies

Our platform uses cookies strictly for functional purposes, such as maintaining your authenticated session. We do not use cookies for advertising, tracking, or profiling purposes.

Please refer to our Cookie Policy for more information.

Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. Any such transfer will be subject to this Privacy Policy, and we will notify affected parties as required by law.

Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. If we make significant changes, we will notify Customers through appropriate channels. The "Last updated" date at the top indicates when the policy was last revised.

Contact Us

For questions about this Privacy Policy or to exercise your data protection rights, please contact:

Label Technologies Group of entities
Email: contact@labeltech.io

If you believe we have not addressed your concerns adequately, you have the right to lodge a complaint with your local data protection authority.