Applicant Privacy Policy

Our privacy policy explains how we will handle your personal information when you sign up and use our app, websites, products and services. Where we say ‘we’ and ‘us’ we mean CDD Services. Where we say ‘Agent’ this means our Client or one of their representatives known as the ‘Agent’.

Here we explain:

For the purposes of conducting a Service for our Agent, we are joint data controllers together with our Agent. Our due diligence Software is called Spotlite.

If you want to contact us directly, our details are:

CDD Management Services Ltd
2 Mount Street,
M2 5WQ
United Kingdom

The contact details for our Data Protection Officer are:

David Crack
CDD Management Services Ltd
2 Mount Street,
M2 5WQ
United Kingdom

Access Rights

You are entitled to know what personal information we hold about you and to receive a copy of it. For our products and services, it is you, the user, that provides your personal data and can access it by going into your certificate which is held on our systems for 15 days. If you would like to make an access request for personal information not contained in the service you are using, please email

Correction rights

You are entitled to correct personal information we hold about you that is inaccurate.
You have the ability to correct data about yourself whilst using our Spotlite app as it is you, the user, who enters the data.
However, if you wish to make a correction request, please email:

Deletion rights

You are entitled, under certain circumstances, to ask us to delete the personal information we hold about you, which is deleted after 15 days. If you have a deletion request, please email:

Complain to the ICO

You can also complain to the Information Commissioner’s Office (ICO) who is responsible for making sure that organisations comply with the law on handling personal information –

Our Client has requested that we conduct due diligence checks on you

We require information from you for the purposes of regulatory compliance, due diligence, correspondence, security and prevention of abuse. Our Agent – the Spotlite User – will make it clear to you why they have asked us to perform these checks and what they are going to do with information once our checks are complete.

You are in control; nothing can happen until you provide consent

Whilst we are providing a Service to our Agent, we can only provide that Service with your consent.

The Spotlite app will provide you with a summary of the main points of our privacy policy as well as a link to this document. You should read both before proceeding. To confirm your consent, the app will ask you to take a selfie (the picture will only be taken when you blink at the camera) and then tick the box confirming that you consent for your data and photograph to be used to conduct the checks associated with our Agent’s requested Service.

This is the information we collect from you

Besides your selfie, we will ask you to provide your phone number, email address, selected identity documents, nationality, age and address. You may also be asked to provide or confirm any social media profile details. The specific identity documents required and the detail collected depend on the Service requested by our Agent. They will provide more information to you on request.

How we use your information

We use your identity information to perform multiple checks with Third-Party Data and Service Providers across the globe. Some of these checks are automatic data provision; some are manual processes.

In some circumstances, we may ask you some additional questions to confirm your identity or to resolve ambiguities in any external data we have found about you.

Where we share or disclose your information

We only share your data with Third-Party Data and Service Providers for the purpose of completing the Service checks requested by our Agent. We do not provide your information to third parties for the purposes of sales and marketing or for third-party research. We may ask your consent to keep you informed about developments within the CDD Services group of companies.

Assuming we can verify your identity and we are legally empowered to do so, we will securely disclose to you the results of our checks by sending you a link to a copy of the Certificate we send to our Client. If there are any inaccuracies in the data, you should let our Client know immediately.

We will also provide you with the contact details of each of the third-parties who have provided us with information. You may contact them directly concerning the data they provide about you.

If we suspect you are abusing our services for criminal intent, any wrongdoing or any other conduct we deem inappropriate, then we will report our suspicions to the relevant law enforcement agencies for your jurisdiction as well as other relevant third-party organisations. It is illegal for us to tell you that we have reported our suspicion or that a criminal investigation is in progress.

How long do we store your personal data?

Unless otherwise requested by our Client and specifically communicated to you, we only retain a copy of your certificate for a period of 15 days; after that date, we remove your selfie and biometric details from our systems and you will need to contact our Agent directly for a copy of the Certificate. Thereafter, we only retain your name, our Agent’s reference and third-party references for our legitimate interest of reconciling and billing our accounts and for audit purposes.

The exception to this is if we suspect you are abusing our services for criminal intent, any wrongdoing or any other conduct we deem inappropriate. In these circumstances, we may securely retain your biometric details, Certificate and third-party verification data as part of our criminal prevention services and to support criminal investigations.

Where we do retain data about you, this data is held up to a period of seven years.

Your rights in respect to your personal data

The right to withdraw consent as to the processing of your personal data

You can withdraw your consent after your documents have been scanned and before the Spotlite User submits your details for processing. Once the Submit button is pressed, your identification data is automatically sent to our third-party suppliers. In most cases the third-party checks are completed in seconds; where the process is manual you can withdraw at any time by notifying our Agent who will inform us accordingly.

The right to have your personal data erased from our records

If you withdraw your consent before the Submit button is pressed and the User cancels the Service, then all your personal data is removed from the device and our servers immediately.

Once our certificate is produced, we only hold your details for 15 days unless our Agent has explicitly asked us to do otherwise. In these cases, you need to inform our Agent who will contact us directly.

The exception to this is if we suspect you are abusing our services for criminal intent, any wrongdoing or any other conduct we deem inappropriate. In these circumstances, it is of vital interest that we retain your biometric details to support investigations and protect our clients from future abuse by you. We may retain your biometric information for a period of seven years as part of our criminal prevention service.

The right to restrict further processing of your personal data

Following the completion of the automated checks, you can contact our Agent to prevent further processing of your data. Our Client will inform us accordingly.

The right to have your data transmitted to another data controller

You may email your certificate to another data controller of your choosing.

The right to object to the processing of your personal data

You can object to the use of our Services to perform these due diligence checks. You will need to agree an alternative course of action with our Agent directly.

If you are unhappy with our data protection policy, please let us know how we may improve. Alternatively, you may lodge a complaint with the UK’s Information Commissioner’s Office.

Where we store your personal information

The information that we collect from you is stored in the UK.

Depending on the Service, we may need to share data with some third-party providers outside of the jurisdiction of the UK, EU or EEA. In these cases, the third-party concerned may retain a record of our enquiry for technical monitoring, service quality improvements, troubleshooting and billing purposes. We contractually ensure that such third parties do not use your information for any purpose other than supporting our enquiries and that they maintain appropriate administrative, technical and physical security measures to protect this information against unauthorized access or disclosure.

You can find out if we use such third parties for enquiries on you by asking the Spotlite User to click on the Privacy Policy link and then on the ‘View Control Standards’ button for the Service they are requesting. This information will also be supplied to you on the Certificate.

Information Security

We use a range of technical and organisational measures to safeguard access to, and use of, your personal information. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training.

Subject Access Requests

We fully disclose the information we hold about you within the Certificate, unless there is a legal reason preventing us from doing so or we cannot validate your identity. It is illegal for us to disclose to you information pertaining to reporting our suspicions concerning your potential criminal behaviour or ongoing criminal or regulatory investigations concerning your information.