
Data Privacy

At Tiller Technologies, we are deeply committed to protecting the privacy of your clients' Personally Identifiable Information (PII) as they use our Verify platform. We understand the sensitive nature of the data entrusted to us, and our data privacy practices are built on principles of transparency, accountability, and user control, aligning with stringent global regulations such as the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018 and Jersey's Data Protection Law 2018.

This section of our Trust Portal details how we collect, use, store, and safeguard all data, including PII.

Is Tiller's position on data privacy clearly stated?

Tiller Technologies is deeply committed to safeguarding user privacy and personal data, a commitment detailed in our Privacy Policy, available at 'Tiller Technologies Privacy Policy'. This policy transparently outlines how Tiller collects, uses, shares, retains, and secures personal data across various interactions, whether users are browsing marketing websites, engaging directly, or utilizing the 'Verify by Tiller' service. Data collection in relation to our website is limited to basic usage information (via IP address analysis and cookies). Within our Verify by Tiller platform, more extensive information may be captured, including identity verification details such as full names, addresses, identity documents, facial images, and financial information, but this is only collected after explicit user consent is obtained. This data is primarily utilized for identity verification, fraud prevention, and financial crime prevention as part of our clients' onboarding regulatory obligations.

Tiller makes a clear distinction between its roles as a data processor (for data collected via 'Verify by Tiller' service, where the requesting organization is the controller) and as data controller (for employees of clients, website visitors, and direct contacts). Personal data is shared only with selected, trusted third parties necessary for service delivery, such as identity processing service providers and sanction screening agencies, and may be shared with government bodies or law enforcement when legally required. The company enforces robust security controls and policies, requiring appropriate measures from all third-party contractors. Data is only retained for the legitimate or lawful needs of its own operation and that of its clients. Tiller upholds all user rights under GDPR, including the rights to access, rectification, erasure, restriction of processing, data portability, and objection to processing, ensuring individuals maintain control over their personal information.

Is Tiller GDPR Compliant?

Tiller Technologies is committed to data privacy and protection, adhering to a robust framework of global and regional regulations. Our approach ensures full compliance with the 7 principles of General Data Protection Regulation (GDPR) (EU) 2016/679, which is detailed in our Privacy and Personal Data Protection Policy. This commitment extends to specific national legislation, including the Data Protection Act 2018 (DPA 2018) and Data (Use and Access) Act 2025 (DUAA) in the UK, as well as the Data Protection (Jersey) Law 2018 (DPJL), which underpins our Data Processor Agreement. These legal frameworks guide every aspect of our data handling, from collection and processing to storage and disclosure, ensuring the highest standards of data integrity and confidentiality.

GDPR 7 Principles
GDPR 8 Data Subject Rights

Beyond these foundational regulations, Tiller Technologies continuously monitors and integrates other relevant regional or industry-specific privacy laws and best practices, such as those recommended by ISO/IEC 27018 for personally identifiable information (PII) in cloud environments. The 'Tiller Technologies Privacy Policy' further details how we manage personal data, uphold individual rights (including access, rectification, and erasure), and employ stringent security measures to protect your information. Through this multi-layered compliance strategy, Tiller Technologies actively builds and maintains trust, ensuring that our data processing activities not only meet but often exceed regulatory requirements, providing our clients and their customers with confidence in our secure and privacy-conscious operations.

How does Tiller ensure data is processed in accordance with expectations?

Tiller Technologies formalizes its commitment to data protection through a comprehensive Data Processor Agreement (DPA) that governs the processing of personal data on behalf of its clients. This DPA is included in all contracts with Tiller and in summary sets out the following. As the designated "Processor," Tiller adheres strictly to applicable data protection and privacy legislation, notably the Data Protection (Jersey) Law 2018, ensuring that all processing activities are conducted lawfully and responsibly. The primary purpose of this processing is to deliver Tiller Technologies' services, encompassing various categories of personal data as defined by the DPA, to facilitate the functionality and security of its platform. This agreement meticulously outlines Tiller's obligations, reinforcing that all personal data is handled under the strict written instructions of the client, who acts as the "Controller". Finally, Tiller also includes GDPR Standard Contractual Clauses (SCC) in its applicable contracts.

The DPA also establishes clear protocols for managing data subject rights and breach notifications. Tiller is mandated to promptly notify its clients (Controllers) of any complaints, notices, or communications related to data processing, as well as any requests received from data subjects regarding their personal data or other rights. Furthermore, Tiller provides full cooperation and assistance to clients in responding to such inquiries. To support its service delivery, Tiller utilizes a limited number of approved sub-processors, including reputable entities like Azure Services (Microsoft Ireland Operations Limited), GB Group plc, Experian Limited and IDMerit LLC, all operating under the stringent terms set forth in the DPA to maintain the highest standards of data security and privacy.

Is data transferred across borders, and is that transfer compliant with regulations?

Verify by Tiller processing and hosting is performed from a data centre based in Dublin, Ireland, with georedundant DR hosting from a centre in Amsterdam, Netherlands, and therefore falls under EU Commission regulations. Some aspects of our operations do require limited PII relating to an individual to be transferred to that person’s country of residency for the purposes of residential address verification. In all instances, Transfer Impact Assessments (TIA) have been performed to assess any risk and ensure all parties meet EU GDPR standards, enforced by its Standard Contractual Clauses (SCC).

Some industries and jurisdictions may enforce additional restrictions, such as those required by the Commission de Surveillance du Secteur Financier (CSSF), Luxembourg’s financial regulator, which requires that Binding Corporate Rules (BCRs) be pre-approved by the CSSF. In those situations, the client will need to determine whether their operation and the services they are taking from Tiller meet the regulations they operate under. However, Tiller will always collaborate with its clients to help them meet and evidence their compliance wherever possible.


Available Supporting Data Privacy Documents

The following data privacy-related supporting documentation is available via the request form below:

  • Verify by Tiller - Data Processor Agreement - June 2024 - v1.2

  • TTL - ISMS-DOC-A08-2 Information Classification Procedure

  • TTL - ISMS-DOC-A08-9 Procedure for the Disposal of Media

  • TTL - ISMS-DOC-A16-1 Information Security Event Assessment Procedure

  • TTL - ISMS-DOC-A16-2 Information Security Incident Response Procedure

  • TTL - ISMS-DOC-A16-6 Incident Response Plan Data Breach

  • TTL - ISMS-DOC-A18-5 Privacy and Personal Data Protection Policy


Data Privacy Documentation Request Form
