Privacy Policy
Last updated: 5 April 2026
1. Introduction
Important information and who we are
Welcome to the TrueFathom (operated by Diamond Dynamics Ltd) Privacy and Data Protection Policy ("Privacy Policy").
At Diamond Dynamics Ltd ("we", "us", or "our") we are committed to protecting and respecting your privacy and Personal Data in compliance with the United Kingdom General Data Protection Regulation ("GDPR"), the DPA 2018 and all other mandatory laws and regulations of the United Kingdom.
This Privacy Policy explains how we collect, process and keep your data safe. It will tell you about your privacy rights and how the law protects you, and it will inform our employees and staff members of all their obligations and protocols when processing data.
This privacy policy applies to our websites: truefathom.com and app.truefathom.com, and the TrueFathom API at api.truefathom.com.
The individuals from whom we may gather and use data can include:
- Customers
- Suppliers
- Business contacts
- Employees/Staff Members
- Third parties connected to your customers
- And any other people that the organisation has a relationship with or may need to contact.
This Privacy Policy applies to all our employees and staff members and all Personal Data processed at any time by us.
Who is your Data Controller
Diamond Dynamics Ltd is your Data Controller and responsible for your Personal Data.
We have appointed a data protection officer ("DPO") who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights surrounding your Personal Data, please contact the DPO:
James Ruthven — [email protected]
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Processing Data on Behalf of a Controller
In discharging our responsibilities as a Data Controller we have employees who will deal with your data on our behalf (known as "Processors"). The Data Controller and our Processors have the following responsibilities:
- Ensure that all processing of Personal Data is governed by one of the legal bases laid out in the GDPR;
- Ensure that Processors authorised to process Personal Data have committed themselves to confidentiality;
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
- Assist the Controller in fulfilling the obligation to respond to data subject rights requests;
- Make available to the Controller all information necessary to demonstrate GDPR compliance;
- Maintain a record of all categories of processing activities;
- Cooperate with the supervisory authority;
- Notify the Controller without undue delay after becoming aware of a Personal Data Breach.
2. Legal Basis for Data Collection
Types of Data
"Personal Data" means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of Personal Data about you:
- Profile/Identity Data: First name, last name, job title.
- Contact Data: Phone number, email addresses, business address.
- Marketing and Communications Data: Your preferences in receiving marketing information from us.
- Billing Data: Information relating to your payment details and billing address.
- Financial Data: Banking details for payment processing.
- Transactional Data: Details and records of all payments for our services.
- Technical Data: IP address, browser type and version, time zone, operating system.
- Customer Support Data: Feedback and support ticket correspondence.
- Usage Data: Information about how you use our platform, API, and services.
- Maritime Data: Vessel screening queries, portfolio compositions, risk assessments, and compliance certificate requests you make through the platform. This data relates to vessels and companies, not to you personally, but is associated with your account.
We do not collect any Special Categories of Personal Data about you (race, ethnicity, religious beliefs, health data, etc.). Nor do we collect information about criminal convictions and offences.
The Legal Basis for Collecting That Data
- Consent: When you tick a box confirming you are happy to receive communications from us, or opt in to a service.
- Contractual Obligations: We may require certain information to fulfil our contractual obligations and provide the promised service.
- Legal Compliance: We are required by law to collect and process certain types of data, such as for anti-money laundering purposes.
- Legitimate Interest: We might need to collect certain information to meet our legitimate interests — aspects reasonably expected as part of running our business, that will not materially impact your rights.
3. How We Use Your Personal Data
Our Uses
We will only use your Personal Data when the law allows us to. This includes:
- When you sign up for an account — to provide the service and process billing.
- When you use the platform — to deliver vessel screening, risk scoring, and compliance features.
- When you contact support — to resolve your queries.
- For sanctions screening — our platform screens vessels and entities against sanctions lists as part of the service. This is automated decision-making that may affect the risk assessments we provide to you.
Marketing and Content Updates
You will receive marketing communications from us only if you have opted in to receiving them. You can unsubscribe at any time by clicking the unsubscribe link in any email or updating your notification preferences at app.truefathom.com/settings/notifications.
Change of Purpose
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
4. Your Rights and How You Are Protected
What Control Do I Have?
You may delete your account at any time — this will remove your account and associated data from our systems. Your account information is protected by password and, where configured, two-factor authentication.
You can access and update information associated with your account at app.truefathom.com/settings/profile.
California Privacy Rights: Under California Civil Code sections 1798.83-1798.84, California residents are entitled to ask for a notice identifying categories of personal information shared with third parties for marketing purposes. Contact [email protected] for this notice.
How Does TrueFathom Protect Personal Data?
We implement security measures including encryption at rest and in transit, access controls, and regular security audits. Personal Data is only accessible by a limited number of employees with special access rights who are bound by obligations of confidentiality. Data is stored in Google Cloud Platform (europe-west1 region) with enterprise-grade security.
Opting Out of Marketing
You can stop marketing messages at any time by clicking the unsubscribe link in any email, or by updating your preferences in the platform. Where you opt out of marketing, we will continue to retain other Personal Data provided to us for service delivery purposes.
Requesting Your Data
You will not have to pay a fee to access your Personal Data. We may need to request specific information to confirm your identity before fulfilling your request. We aim to respond to all legitimate requests within one month.
5. Your Data and Third Parties
Third-Party Sharing
We may share your Personal Data with:
- Payment processors: Stripe, for billing and subscription management.
- Authentication provider: Google Identity Platform (Firebase), for secure sign-in.
- Email provider: Resend, for transactional and marketing emails.
- Analytics: PostHog (self-hosted), Microsoft Clarity, and Google Analytics for understanding platform usage. No personal data is sold to third parties.
- Infrastructure: Google Cloud Platform for hosting and data storage.
We do not sell your Personal Data to any third party.
Third-Party Links
Our platform may include links to third-party websites. We do not control these websites and are not responsible for their privacy practices. We encourage you to read the privacy policy of every website you visit.
6. Data Retention
We will retain your Personal Data for as long as your account is active, plus 6 years for financial record-keeping requirements. Maritime screening data (vessel queries, certificates) is retained for the duration of your account to support audit trails and compliance evidence.
7. Age Limit
You must be aged 18 or older to use TrueFathom. This platform is not intended for children and we do not knowingly collect data relating to children.
8. International Transfer of Data
Your data is stored and processed in the European Union (Google Cloud, europe-west1 region). Where data is transferred outside the EU/UK, we ensure appropriate safeguards are in place including Standard Contractual Clauses.
9. Cookies
TrueFathom uses essential cookies for authentication and platform functionality. We also use analytics cookies (PostHog, Google Analytics, Microsoft Clarity) to understand platform usage. No advertising cookies are used. You can manage your cookie preferences via the cookie banner shown on your first visit. See our Cookie Policy for full details.
10. Changes to This Policy
We keep our Privacy Policy under review and will place any updates on this page. By continuing to use TrueFathom after changes are posted, you accept the modified policy.
11. Contact
Diamond Dynamics Ltd
Company number: 15224576
Data Protection Officer: James Ruthven
Email: [email protected]