Privacy Policy
as of September 15, 2025
General information
CountryRisk.io (“CountryRisk”, “we”, “us” or “our”) provides a software-as-a-service application for country and sovereign risk assessments (“Platform”).
We are committed to providing products and services, such as via www.countryrisk.io (“Website”) and our Platform, to organisations (“Business Customers”) that meet the business needs of our Business Customers, their Users, their Customer Representatives and visitors to our Website (“Website Visitors”) in a way that safeguards privacy.
This privacy policy explains what data we collect, what we do with this data and why we collect data. This privacy policy applies to personal data held about individuals who represent current or prospective Business Customers, such as an employee of a Business Customer who procures the Platform we provide or a company director for the Business Customer (“Customer Representative”, “User” or “you”).
CountryRisk.io is generally the processor for the personal data it processes on the Platform, and the Business Customer to whom we provide our Platform is the controller, which is responsible under data protection laws.
Privacy is paramount to us. We protect and respect your privacy. We only use your data to provide you good service. We do not sell your personal data to other companies or use it for the purpose of advertisements.
What data we collect
We collect personal and non-personal data. Personal data includes your name, work email address, job title, newsletter preferences and location by country. This personal data is collected directly from you during the Platform registration process or from the Business Customer who procures our Platform and authorises you to use the Platform as a User.
Upon accessing our Website and/or Platform, your browser transmits certain data. This information is saved in log files and includes: used operating system, information about your web browser, referrer-URL (URL of your previously visited web page), hostname/IP-address, User activity data such as date and time of your access.
We also collect any personal data you upload or provide to us in connection with our business, Website and Platform. This includes when you contact us with a query or for assistance or visit our Website.
How we collect data
Personal data is collected when:
1. you register on CountryRisk.io or engage with us, such as when you contact us for support.
2. you use the Platform and/or our Website. We use cookies and Google Analytics to collect personal data about you and your use of our Platform. For more information about how we use cookies and other similar technologies, please see our cookies policy.
3. a Business Customer authorises you as a User of the Platform such as the relevant Business Customer the Customer Representative is representing; and
4. from information we collect about you from other sources, such as Google and social media such as LinkedIn. This includes commercially available sources and public databases such as Companies House.
How and when we share your personal data
CountryRisk.io uses only carefully selected third parties (with whom appropriate agreements for data processing have been made) to assist us with our processing of personal data. These include:
- Digital Ocean Inc., 101 6th Avenue, New York: for hosting of the CountryRisk.io and CountryData.io web applications with server location in Germany.
- Wildbit LLC, 225 Chestnut St., Philadelphia, PA 19106, USA. Postmark for sending transactional emails (e.g. registration, password reset).
- Vercel Inc, 650 California St, San Francisco, CA 94108, US: for hosting of public webpages for CountryRisk.io and CountryData.io
- Front Inc, 525 Brannan St, 300 San Francisco, CA 94107, USA: for in-app support chat.
- Campaign Monitor, L38 201 Elizabeth Street, Sydney, New South Wales, 2000 Australia, for email newsletter.
- Langfuse GmbH, Chausseestrasse 8, 10115 Berlin, Germany for genAI usage tracking.
- Alphabet / Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, US: for using Google Analytics to track usage behavior.
- Snitcher B.V., Oude Enghweg 2 Unit Upsilio, 1217 JC, Hilversum, Netherlands: for measuring the business usage of our website. The service shows us the company name and address based on the IP of our visitors.
Other categories of recipients we may share your personal data with include:
- To the Business Customer that a relevant Customer Representative is acting on behalf of or whom a User is authorised by.
- Our professional advisers: including IT services, legal and accountancy services that assist us in carrying out our business activities in our legitimate interests.
- Group companies and other companies we work closely with: for security, assistance, improving our Content, and reporting, based on our legitimate business interests.
- In the context of a transaction: we may share your personal data with potential partners and other third parties in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company or we sell or transfer all or a portion of our assets or business. This is on the basis of our legitimate interests for our business operations and the legitimate interests of third parties such as those in connection with the transaction.
- Government authorities, courts, law enforcement, fraud prevention agencies, the police or other regulatory bodies as required by law in connection with the investigation of crimes. This is on the basis of our legitimate interests for the establishment, exercise or defence of legal claims to protect our business or in compliance with applicable legal obligations where we believe it is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of a third party.
International transfers of personal data
Some of our external service providers and partners are located outside the United Kingdom (UK) and the European Economic Area (EEA), and their processing of your personal data may involve a transfer to jurisdictions that do not offer the same level of data protection as the UK or EEA.
Whenever we transfer your personal data outside the UK and EEA, we ensure that an equivalent level of protection is applied by implementing one or more of the following safeguards:
- The destination country has been formally recognised by the UK Government or the European Commission as providing an adequate level of protection for personal data; or
- We use standard contractual clauses (SCCs) approved by the European Commission and/or the UK International Data Transfer Agreement (IDTA) or UK Addendum to the SCCs, as issued by the UK Information Commissioner’s Office, which contractually ensure that personal data is given the same level of protection as under UK and EU data protection laws; or
- Recognised frameworks such as the UK and EU-US Data Privacy Framework; or
- Other derogations to transfer personal data permitted under data protection laws.
Copies of the safeguards we apply can be provided upon request.
What we do with your data
We do not, and will not, sell, rent or publish your data to any third party. Your data stays with us. The only exceptions are listed above. We use any collected data on the instructions of the Business Customer. Where we use personal data solely for internal use to improve our service and product, we are the controller and we aggregate data from all users and calculate statistics (e.g. number of ratings completed over a certain time period or average number of ratings completed per registered user).
Legal basis for processing your personal data
We rely on the following legal grounds to process your personal information:
- Consent. We may use your personal data subject to your consent (e.g. newsletter preferences). To change your consent settings, please contact us at [email protected]. You can also change your consent setting for the newsletters within the application or use the link provided in the newsletter emails.
- Performance of a contract. We may need to collect and use your personal information (e.g. name, address or payment details) to enter into an agreement with you and to perform the agreed upon services.
- Legitimate interests. We may use your personal information for our legitimate interests to provide (e.g. sending transactional emails) and improve our services. We may also use your personal information for the legitimate interests of third parties such as the Business Customer who authorises you to use the Platform as a User.
Please note if you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with the Business Customer nor comply with our Terms of Use with a User (such as allowing you access to our Platform and/or our Website), or we may be prevented from complying with our legal obligations.
Registration on the Platform
- Types of information: name, work email address, newsletter preferences, location by country, name of organisation
- Lawful basis: performance of a contract (with the Business Customer to provide services); performance of a contract (via User acceptance of Platform T&Cs)
Using the Platform and/or our Website
- Types of information: IP address, operating system, web browser information, referrer URL, hostname, user activity data (e.g., date and time of access), user contributed data (e.g., ratings, comments, chats)
- Lawful basis: performance of a contract (via User acceptance of Platform or Website T&Cs); our legitimate interests (to ensure the Platform operates correctly, improve services and ensure platform functionality)
Contacting Support
- Types of information: name, work email address, other data provided during communication
- Lawful basis: our legitimate interests (to respond to queries and provide assistance)
Receiving Newsletters or Updates
- Types of information: name, work email address, newsletter preferences
- Lawful basis: consent (for marketing communications)
Use of Strictly Necessary Cookies
- Types of information: data collected through cookies for navigation and preference settings
- Lawful basis: legitimate interests (to ensure functionality and improve user experience)
Use of Non-Strictly Necessary Cookies
- Types of information: data collected through analytics cookies
- Lawful basis: consent (for analytical cookies to improve services and understand website usage)
Sending Transactional Emails (e.g., account activation)
- Types of information: name, work email address
- Lawful basis: performance of a contract (via User acceptance of Platform T&Cs)
Data Sharing with Business Customers
- Types of information: name, other data relevant to authorised Users
- Lawful basis: legitimate interests of third parties (to allow Business Customers to manage authorised Users)
Data Sharing with Third-Party Processors (e.g., hosting)
- Types of information: name, other data relevant to the services provided by third-party processors
- Lawful basis: our legitimate interests (ensuring service delivery)
Data Retention
We will retain your personal data only for as long as is reasonably necessary to fulfil the purposes for which it was collected, including to comply with any legal, regulatory, tax, accounting, or reporting obligations. In some circumstances, we may retain your personal data for a longer period if there is a complaint or if we reasonably believe there is a likelihood of a legal dispute in connection with our relationship with you.
When determining the appropriate retention period, we take into account the nature, scope, and sensitivity of the personal data; the potential risk of harm from unauthorised access, use, or disclosure; the purposes for which the data is processed and whether those purposes could be achieved through other means; and any applicable legal, regulatory, tax, accounting, or professional requirements.
Your Data Protection Rights
As a data subject under the UK General Data Protection Regulation (UK GDPR) and EU General Data Protection Regulation (EU GDPR), in certain circumstances, you have the following rights in relation to the personal data we hold about you:
1. Right of Access
You have the right to request access to your personal data (commonly known as a "data subject access request"). This allows you to receive a copy of the personal data we hold about you and to verify that we are processing it lawfully.
2. Right to Rectification
You may request the correction of any incomplete or inaccurate personal data that we hold about you. We may need to verify the accuracy of the new data before updating our records.
3. Right to Erasure
You can ask us to delete or remove your personal data where there is no valid reason for us to continue processing it. This includes situations where:
- you have successfully exercised your right to object to processing,
- we have processed the data unlawfully, or
- we are required to erase it under applicable law.
Please note that we may not be able to comply with your request in certain circumstances where we have legal or regulatory obligations to retain the data. If this applies, we will inform you at the time of your request.
4. Right to Object
You have the right to object to the processing of your personal data where we are relying on a legitimate interest (ours or a third party’s), and you believe that such processing impacts your fundamental rights and freedoms.
You also have the absolute right to object to the processing of your personal data for direct marketing purposes.
5. Right to Restrict Processing
You can request that we suspend the processing of your personal data in the following situations:
- you contest the accuracy of the data and we are verifying it;
- the processing is unlawful, but you do not want us to erase the data;
- we no longer need the data, but you require it to establish, exercise, or defend legal claims; or
- you have objected to our use of your data and we are verifying whether we have overriding legitimate grounds to continue processing it.
6. Right to Data Portability
You may request that we transfer your personal data to you or a third party. We will provide the data in a structured, commonly used, and machine-readable format. This right only applies to personal data processed by automated means where the processing is based on your consent or a contract.
7. Right to Withdraw Consent
Where we rely on your consent to process your personal data, you may withdraw that consent at any time. This will not affect the lawfulness of any processing carried out prior to your withdrawal. In some cases, withdrawing consent may limit the services we can provide. We will inform you if this is the case at the time of your request.
8. Right to Lodge a Complaint
You have the right to lodge a complaint with the UK Information Commissioner at https://ico.org.uk/make-a-complaint/ or the relevant data protection authority in your jurisdiction if you believe we have not complied with applicable data protection laws.
How We Handle Your Requests
We may ask you to verify your identity before responding to a request. This is a security measure to ensure that personal data is not disclosed to anyone who does not have the right to receive it.
We aim to respond to all legitimate requests within one month. In complex cases or where you have made multiple requests, we may require more time. If so, we will inform you and keep you updated.
Automated Decision-Making and Profiling
We do not use your personal data for automated decision-making, including profiling, as defined under the UK GDPR. This means that no decisions about you are made solely by automated means without human involvement, and your personal data is not subject to automated processing intended to evaluate, analyse, or predict aspects relating to your behaviour, preferences, or other personal characteristics.
Changes to this policy
CountryRisk.io may update the privacy policy from time to time. The most current version will be published here.
Questions
We want to provide the best experience to you. Hence, we would love to hear from you and welcome you to give any feedback or raise any concerns about CountryRisk.io and this privacy policy. You can reach us at [email protected]. If you remain dissatisfied after this process, you may escalate the matter to [email protected] before exercising your right to complain to a data protection regulator such as the UK’s Information Commission. We are committed to resolving any concerns promptly and transparently.