Summary: Codecia collects personal data to deliver advisory and escrow services, meet AML/KYC legal obligations, and communicate with clients and enquirers. We do not sell your data. We retain KYC records for a minimum of five years as required by the UK Money Laundering Regulations 2017. You have rights to access, correct, and in certain cases delete your data.
Codecia Ltd ("Codecia", "we", "us", "our") is a company registered in England and Wales (Company No. 07656907) with its registered address at 125 Hawfinch House, 1 Moorhen Drive, London NW9 7BX.
We are the data controller for personal data processed in connection with our advisory and paymaster/escrow services and website at codecia.com.
We can be contacted at: enquiries@codecia.com
The personal data we collect depends on the nature of your relationship with us. We collect data through our website, by email, and through our paymaster and escrow onboarding platform.
For paymaster and escrow transactions, we are legally required to collect and verify:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Responding to enquiries and onboarding new clients | Contact and identity data | Legitimate interests / pre-contractual steps |
| Delivering advisory services under an engagement letter | Identity, transaction, and correspondence data | Performance of contract |
| KYC and AML verification for escrow transactions | Full KYC dataset including identity documents | Legal obligation (UK MLR 2017) |
| Sanctions screening and PEP checks | Full name, nationality, date of birth | Legal obligation (UK MLR 2017 / OFSI) |
| Escrow account management and fund disbursement | Identity, bank account, and transaction data | Performance of contract / legal obligation |
| Transaction dashboard access (OTP and IP validation) | Email, IP address, session data | Performance of contract / legitimate interests |
| Regulatory reporting and record-keeping | KYC documents and transaction records | Legal obligation |
| Fraud prevention and security | IP address, session data, identity data | Legitimate interests |
| Communications about your transaction or engagement | Contact data | Performance of contract / legitimate interests |
| Improving our website and services | Technical and usage data | Legitimate interests |
We rely on the following legal bases under the UK GDPR when processing your personal data:
Where we process special category data (such as data that may reveal nationality or political exposure status), we rely on Article 9(2)(g) (substantial public interest — prevention of financial crime) and Article 9(2)(b) (employment and social security obligations) as applicable.
Important: Our collection of KYC and AML data is a legal obligation under the UK Money Laundering Regulations 2017. Failure to provide complete information will prevent us from opening or completing an escrow transaction.
Codecia is required by law to conduct customer due diligence (CDD) on all parties to escrow and paymaster transactions. This includes verifying the identity of individuals, beneficial owners, directors, trustees, and corporate entities before receiving or releasing funds.
Transactions above £10,000 (or equivalent), transactions involving PEPs, or transactions presenting higher risk factors are subject to enhanced due diligence (EDD). This may involve requesting additional documentation, independent verification, or senior management approval.
We are required to verify the legitimate origin of all funds deposited into escrow. You will be asked to provide a written narrative describing the origin of funds, supported by documentary evidence such as bank statements, sale proceeds documentation, audited accounts, or similar financial records.
When you access the transaction dashboard, your IP address is recorded at login and verified on each action. This is a security measure to prevent unauthorised access to your transaction data and to ensure that actions are completed only by the party to whom they are assigned. We do not use this data for any other purpose.
We conduct screening against OFAC, UN, EU, and FATF consolidated sanctions lists, and against PEP databases. Screening is conducted at onboarding and may be repeated periodically or when circumstances change. A match or potential match will be escalated in accordance with our internal procedures and may be reported to the National Crime Agency.
If we have knowledge or suspicion that funds are connected to money laundering or terrorist financing, we are legally obliged to submit a Suspicious Activity Report (SAR) to the National Crime Agency. We cannot notify you if a SAR has been submitted as this may constitute "tipping off" under the Proceeds of Crime Act 2002.
We share personal data only where necessary and appropriate. We do not sell your data to third parties.
We may share your data with:
All third-party data processors are subject to written data processing agreements and are required to process data only on our documented instructions.
Where your transaction involves counterparties, counsel, or financial institutions outside the United Kingdom or the European Economic Area, personal data may need to be transferred internationally to complete the transaction. Such transfers will only be made:
You may request details of the specific safeguards in place for any international transfer by contacting us at enquiries@codecia.com.
| Data Category | Retention Period | Basis |
|---|---|---|
| KYC documentation and identity records | Minimum 5 years from end of business relationship | UK MLR 2017, Regulation 40 |
| Escrow transaction records and correspondence | Minimum 5 years from closing | UK MLR 2017; limitation periods |
| AML screening records and SAR documentation | Minimum 5 years | UK MLR 2017; POCA 2002 |
| Engagement letters and advisory correspondence | 6 years from end of engagement | Limitation Act 1980 (contract claims) |
| Enquiry and pre-engagement data | 12 months from last contact if no engagement follows | Legitimate interests |
| IP address and session logs (dashboard) | 12 months from transaction close | Security / fraud prevention |
| Website analytics and usage data | 13 months | Legitimate interests |
We may retain data beyond these periods where required by law, where proceedings are threatened or commenced, or where there is a continuing legitimate business reason. Retained data is stored securely and access is restricted.
Under the UK GDPR and the Data Protection Act 2018, you have the following rights in respect of your personal data:
To exercise any of these rights, please contact us at enquiries@codecia.com with "Data Subject Request" in the subject line. We will respond within one calendar month. We may ask you to verify your identity before processing your request.
We will not charge a fee for reasonable requests. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or decline to respond, with written reasons.
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and, where required, notify affected individuals without undue delay.
You should immediately notify us at enquiries@codecia.com if you believe your transaction dashboard credentials have been compromised.
Our website uses a small number of technically necessary cookies required for session management and security. We do not use advertising, tracking, or behavioural profiling cookies.
You may disable cookies through your browser settings, but this may prevent you from using the transaction dashboard.
Our services are directed at businesses and adults. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have collected data relating to a child, please contact us immediately at enquiries@codecia.com and we will take steps to delete it.
We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or regulatory requirements. The "last updated" date at the top of this page will be revised accordingly. Where changes are material, we will notify active clients by email.
We encourage you to review this Policy periodically. Continued use of our services after changes are published constitutes acceptance of the updated Policy.
If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or have a complaint about how we have handled your data, please contact us:
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the supervisory authority for data protection in the United Kingdom: