Compliance at Prosigna
This page is for compliance officers, data protection officers, and procurement teams evaluating Prosigna for their firm. It sets out, in plain terms, how we handle personal data, what our legal basis is, and what to expect from us during onboarding and ongoing operations.
For data subjects (people whose information we may hold), see our Privacy policy and opt-out form.
Our legal basis
Prosigna processes personal data on the basis of legitimate interests under Article 6(1)(f) of the UK GDPR (and equivalent provisions of the EU GDPR where applicable). The legitimate interest is to provide regulated financial services professionals with timely intelligence about wealth events drawn from statutorily public sources.
We have conducted a Legitimate Interests Assessment (LIA) covering each category of data we process. This LIA documents:
- The specific purpose of each processing activity
- Why that purpose cannot reasonably be achieved by less intrusive means
- The reasonable expectations of the data subjects involved
- The balance between our legitimate interests and the rights and freedoms of those individuals
What data we hold, and where it comes from
Prosigna ingests data from the following categories of source:
- UK statutory registers: Companies House (director appointments and resignations, persons with significant control, dividend declarations, charge satisfactions), HM Land Registry, the London Gazette, the Probate Registry.
- US regulatory filings: SEC EDGAR (Form 4, Schedule 13D/13G, Form 3, S-1, DEF 14A).
- Proprietary analysis: aggregated and anonymised analysis of fund lifecycle data, sector M&A activity, and private equity manager behaviour, derived from a combination of public filings and licensed industry datasets.
- Press and publicly available web content: limited to identifying business-context information already in the public domain.
We do not purchase data from undisclosed sources, scrape closed platforms, or hold special category data (health, religion, political opinions, etc.).
What we don't do
- We do not sell consumer-marketing data.
- We do not target individuals based on protected characteristics.
- We do not process special category data under GDPR Article 9.
- We do not use automated decision-making that produces legal or similarly significant effects on individuals.
- We do not retain personal data indefinitely. See “Retention” below.
Data minimisation and the two-stage model
We operate a deliberate two-stage data model designed to minimise the personal data held about any individual before there is a clear commercial reason to hold it:
This means most individuals whose names appear in our system are surfaced to one adviser, once, in the context of a specific event — not broadcast to a wider audience.
Retention
We retain signal data for a maximum of 12 months from the date of the underlying event. After 12 months, briefs transition to a "stale" state and are removed from active inventory. Source records and audit logs are retained for compliance purposes in line with FCA and ICO guidance.
When a data subject objects or exercises their right to erasure, we add them to our suppression list and remove existing briefs immediately. The suppression list is retained indefinitely to prevent re-introduction.
Your firm's responsibilities
Once your firm purchases a prospect brief, your firm becomes an independent controller for that personal data. You are responsible for:
- Conducting your own legitimate interests assessment for any outreach you conduct
- Providing your own Article 14 privacy notice to the data subject when you first make contact
- Honouring any objection the data subject raises with your firm directly
- Complying with FCA conduct rules, including financial promotion restrictions, around how you use the information
We do not act as your data processor, and we do not control your downstream use of the data. We do, however, provide guidance on responsible outreach as part of customer onboarding.
International data transfers
Where we transfer personal data outside the UK or EEA, we rely on UK International Data Transfer Agreements (IDTA) or EU Standard Contractual Clauses (SCCs) as appropriate, supplemented by transfer risk assessments.
Incidents and breach notification
If we identify a personal data breach likely to result in risk to the rights or freedoms of data subjects, we will notify the ICO within 72 hours and affected customers without undue delay, in line with Article 33 GDPR.
Compliance officers and DPOs can also review our data sources and privacy policy.