Privacy Policy
Last updated: 30th October 2025.
Speed Read
You should read this notice so you know how we handle your personal data. It explains who we are, how and why we collect personal data from you, how and why it will be processed by us, and our commitment to protecting your data.
- Who we are: Mistho Services Limited (“Mistho”, “we”, “us”, “our”). UK company number 13636487. ICO registration ZB253263.
- Two roles: We act as controller for our website, communications and security operations; and as processor (and your authorised agent) for your selected Partner during verification via a data source portal.
- What’s new: we retain transaction-level IP address data and related security signals at verification time to protect the service (e.g., geo-blocking, anomaly detection, credential-stuffing prevention). We don’t use this for marketing.
- Precision on scope: the verification workflow is short-lived, has no human interaction other than your own, and is restricted to predefined pages of the data source portal that contain the data categories you were shown and consented to share. No human access; no stored credentials; tokens not re-usable.
- Sharing: we share data only with Partners (when acting as processor), service providers, professional advisers, authorities (where required), and in business transfers.
- Retention: we keep data only as long as needed. Security logs (incl. transaction-level IP) are typically retained up to 12 months for security, and may be kept longer for incidents or legal requirements.
- Transfers: when data leaves the UK, we use adequacy or appropriate safeguards (IDTA/SCCs + measures).
- Your rights: access, rectify, erase, restrict, object, portability; withdraw consent; complain to the ICO.
Contents
- About Mistho
- Role map (controller vs processor)
- How the Mistho Service works
- What we collect (data categories)
- How we collect data
- How we use data & legal bases
- Communications
- Disclosures
- International transfers
- Security
- Retention
- Your rights
- UK Digital Identity & Attributes Trust Framework
- Complaints & Incident Procedure
- Sub-processors
- Contact us
1) About Mistho
Mistho Services Limited is registered in England and Wales (company 13636487), registered office 27 Old Gloucester Street, London, WC1N 3AX.
Children: Our website is not intended for children and we do not knowingly collect data relating to children.
2) Role map (controller vs processor)
We operate in two roles. This table summarises purposes, typical data and legal bases.
| Domain | Our role | What we do | Typical data | Legal bases |
|---|---|---|---|---|
| Website & marketing | Controller | Operate site, respond to general enquiries, manage newsletters and preferences | Identity, Contact, Usage, Technical, Marketing & Communications | Contract / Legitimate interests / Consent / Legal obligation |
| End‑user support enquiries (direct contacts during Partner‑run verification) | Controller | We do not offer direct customer support for Partner Services, but when users contact us directly we receive and process their contact details to respond or triage them to the Partner | Name, email address, message content, Partner name/reference (if provided) | Legitimate interests (respond to enquiries; ensure service quality); Legal obligation (handle UK GDPR rights requests) |
| Security & service operations (incl. verification‑event logs) | Controller | Protect the service (e.g., geo‑blocking, anomaly detection, abuse prevention); maintain transaction‑level IP logs tied to verification events | Technical (IP, user‑agent, timestamps, coarse geolocation from IP, risk/reputation indicators), Usage | Legitimate interests; Legal obligation |
| Verification flow via a data source portal | Processor (and your authorised agent) | After you log in and complete 2FA, run a short‑lived session with no human interaction other than your own that navigates only to predetermined pages to collect the categories shown on the consent screen and send them to your Partner | Identity; Contact; Employment & Pay; deductions/contributions; official payroll/tax documents; sub‑fields on the same pages only | Partner’s instructions (controller) |
We do not sell your personal data.
3) How the Mistho Service works
(when Mistho acts as a processor on behalf of a third‑party controller)
- You are referred by a Partner and shown a consent screen describing the exact categories to be shared.
- You log in to your data source portal and complete any required multi‑factor authentication yourself.
- Our system starts a short‑lived, encrypted session with no human interaction other than your own. It is deterministic and restricted to predefined pages that contain the consented categories.
- No Mistho employee can view or interact with your account during the session. Credentials and session tokens are not stored or re‑usable by us.
- The workflow terminates immediately after retrieval and transmits the data securely to your Partner for the stated purpose.
4) What we collect (data categories)
A) When we act as controller
| Category | Examples | Why we use it | Typical retention |
|---|---|---|---|
| Identity & Contact | Name, email (if provided), phone (if provided), address | Respond to enquiries; manage account/communications | As long as needed for the purpose, then deletion/anonymisation |
| Technical | IP, user‑agent, OS, browser, time zone, language, cookies/IDs, pages visited, referral URLs | Site operation, diagnostics and security | See Security logs below |
| Security (verification‑event) | Transaction‑level IP, timestamps, user‑agent, coarse geolocation from IP, risk/reputation indicators, rate‑limit flags | Protect the service (geo‑blocking, anomaly detection, abuse prevention, incident response and audit); not used for marketing | Typically up to 12 months; longer if required for incidents or legal/regulatory duties |
| Usage | Interactions with our site/service, performance/error logs | Improve service; analytics | As per analytics needs and legal duties |
| Marketing & Comms | Newsletter preferences, unsubscribes, support tickets | Send or stop marketing; service communications | Until you unsubscribe or law requires otherwise |
B) When we act as processor for your Partner
We collect only the categories shown on your consent screen and needed for the Partner Services. The collection involves no human interaction other than your own and is restricted to predefined pages of the data source portal.
5) How we collect data
- Direct interactions: forms, support channels, surveys, newsletter sign‑ups.
- Automated technologies: site usage metrics; and for verification events, transaction-level IP and related security signals used for security and operations (not marketing).
- From other sources: where lawful, from Partners, analytics providers and other service providers.
Cookies: You can set your browser to refuse all or some cookies or to alert you when websites set or access cookies. See our Cookie Policy for details.
6) How we use data & legal bases
We will only use your personal data when the law allows us to. Most commonly: consent, contract, legitimate interests, and legal obligation.
Controller purposes include managing our relationship, responding to enquiries, administering our site, and ensuring network security.
Processor purposes include acting under the Partner’s instructions to provide the verification service.
We do not conduct profiling or automated decision-making that produces legal or similarly significant effects about you.
Processor purposes for Partners
We process the categories in Section 4B only under the Partner’s instructions to deliver the Mistho Service and transmit data to the Partner for the Partner Services.
7) Communications
Marketing communications: With your consent, we may send newsletters or updates. You can unsubscribe at any time using the link in any message.
Service communications: We may send essential service or policy-related messages under legitimate interests.
8) Disclosures
We share data only as needed for the purposes above.
| Recipient | Role | Why we share |
|---|---|---|
| Partners | Independent controllers (we act as their processor) | Provide the Partner Services you selected |
| Service providers | Processors | Hosting, security, logging, analytics, email, support |
| Professional advisers | Independent controllers | Legal, insurance, auditing, banking/accounting |
| Authorities/regulators | Controllers | Where required to comply with laws and lawful requests |
| Business transferees | Controllers | In connection with a merger, acquisition, or restructuring |
We do not permit third‑party service providers to use your personal data for their own purposes and only allow them to process it for specified purposes under our instructions.
9) International transfers
When data leaves the UK, we ensure an essentially equivalent level of protection by using:
| Mechanism | When used |
|---|---|
| Adequacy regulations | Transfers to countries recognised by the UK as providing adequate protection |
| IDTA / SCCs (with UK Addendum) + measures | Transfers to other countries via contractual safeguards and supplementary measures where needed |
See Section 15 (Sub-processors) for our current sub-processors and their locations.
We also maintain an up-to-date version of this list on our Trust / Legal pages.
10) Security
We apply appropriate administrative, technical and organisational measures, including:
- Encryption in transit and at rest (including TLS/SSL).
- Principle of least privilege and strict access controls.
- Monitoring, logging and regular testing.
- Verification sessions are encrypted and short‑lived with no human interaction other than your own; restricted to predefined pages; credentials and session tokens are not stored or re‑usable; no staff can view or interact with your account during a session.
- Transaction‑level IP logs and related security signals are maintained to detect and prevent abuse (e.g., geo‑blocking, anomaly detection, credential‑stuffing prevention) and are not used for marketing.
We maintain procedures to handle suspected personal data breaches and will notify you and applicable regulators when legally required.
11) Retention
We retain data only as long as necessary for the purposes collected or to satisfy legal/regulatory requirements. When no longer needed, we delete or anonymise; where immediate deletion is not possible (e.g., backups), we isolate until deletion.
| Context | Typical retention |
|---|---|
| Support/contact records | Duration of engagement + reasonable period for queries/claims |
| Marketing preferences | Until you unsubscribe or request deletion |
| Website analytics | As per analytics configuration and legal requirements |
| Security logs (verification‑event transaction‑level IP, etc.) | Typically up to 12 months; may be longer for incident investigation or legal obligations |
| Processor data for Partners | Only for the period instructed by the Partner; then securely deleted/returned unless we must retain a copy to comply with law |
12) Your rights
You may request access, rectification, erasure, restriction, objection, portability, and may withdraw consent where relied upon. If we act as processor, please contact the relevant Partner; we will assist them where needed.
No fee is usually required. We may charge a reasonable fee or refuse to act on requests that are unfounded, repetitive or excessive.
We may need additional information to verify your identity.
We aim to respond within one month and will inform you if more time is needed for complex or multiple requests.
13) UK Digital Identity & Attributes Trust Framework
Mistho participates in the UK Digital Identity and Attributes Trust Framework and complies with its requirements as an Attribute Provider (see our Legal Notice).
14) Complaints & Incident Procedure
If you are dissatisfied with any aspect of our services, you may submit a complaint in accordance with our Complaints & Incident Procedure. Complaints relating to data collection, access, correction or deletion will be handled in line with UK GDPR and may require involvement of the relying party that originally collected or provided your data; we will coordinate with them to resolve your request.
15) Sub-processors
We use certain trusted third-party service providers (“sub-processors”) and affiliated group entities to host, transmit or store personal data when delivering the Mistho Service on behalf of Partners, and to operate our own business systems as a controller.
All sub-processors act only under our documented instructions, are bound by confidentiality and data-protection obligations, and are assessed for security and compliance before onboarding.
When Mistho acts as processor (for Partner verifications)
| Sub-processor | Purpose | Location / Region | Legal mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, hosting and network security | United Kingdom (London region) | Data hosted in UK (adequacy) |
| MongoDB Atlas (AWS UK instance) | Managed database hosting and storage | United Kingdom (London region) | Data hosted in UK (adequacy) |
| Mistho GmbH | Technical infrastructure provision, technical maintenance, and provision of communication channels (including email delivery services) in support of Mistho Services Limited | Germany (EU) | Intra-group Data Processing Agreement and SCCs / UK Addendum (where applicable) |
When Mistho acts as controller (own operations)
| Processor / Service Provider | Purpose | Location / Region | Legal mechanism |
|---|---|---|---|
| Google Workspace (Google Ireland Limited) | Business email, document management, and internal collaboration | EU (primary region: Ireland) | UK adequacy (EEA) |
| Mistho GmbH | Technical infrastructure, internal IT operations, and support for Mistho Services Ltd | Germany (EU) | Intra-group Data Processing Agreement and SCCs / UK Addendum (where applicable) |
We maintain and update this list (including locations and new sub-processors) on our Trust / Legal pages. Where required by contract, we will notify Partners before onboarding a new sub-processor.
16) Contact us
Data Protection Officer (via Evalian Limited)
Email: dpo@evalian.co.uk
Post: Evalian Limited, West Lodge, Leylands Farm, 1 Nobs Crook, Colden Common, Winchester, Hampshire, SO21 1TH
You may also complain to the Information Commissioner’s Office (ICO) at http://www.ico.org.uk. We would appreciate the chance to deal with your concerns first, so please contact us initially.
Mistho Services Limited
Registered in England and Wales – 13636487