Login
Get Started

Bolt Identity Ltd. — Privacy Policy

Company: Bolt Identity Ltd., registered in England & Wales 16642339
Registered Office: Unit A77 4-6 Greatorex Street, London, United Kingdom, E1 5NF
Data protection Contact: contact@boltidentity.com

Summary

At Bolt Identity, we take your privacy seriously. We collect and process personal data only as needed to deliver our services, improve your experience, and meet legal obligations. We store data in secure facilities in the UK and, where necessary, in other countries with strong privacy protections. When data must be processed in countries without an official adequacy decision, we use contractual and legal safeguards to ensure it remains protected. We carefully vet our service providers, require them to process data only on our instructions, and put agreements in place to ensure compliance with applicable privacy laws.

If you prefer your data to remain in the specific region only, we can offer region-specific hosting and vendor routing upon request.

1. Introduction & scope

This Privacy Policy explains how Bolt Identity Ltd. (“Bolt”, “we”, “us”, “our”) collects, uses, stores, shares, and protects personal data when you:
  • Create an account on our platform or Portal;
  • Use our verification APIs (Email Lookup, Phone Lookup, IP Lookup, BIN Lookup, Address Lookup, AML for Persons/Businesses, Fraud Engine); or
  • Visit boltidentity.com and related sites.

This Policy applies to individuals whose personal data we process in connection with our Services, including users and the customers of our customers where relevant.

2. What personal data we collect

We collect the minimum personal data necessary for each purpose. Categories of personal data we collect include:

  • Account & signup: Full Name, Email address, password (hashed), phone number, company name, and country.
  • Verification & product data (collected via API or Portal): Email addresses, phone numbers, IP addresses, country, BIN (card issuer BIN), postal addresses (formatted & geolocation), current location (when provided for distance checks), full name, date of birth, gender (for AML person screening), business name (for AML business screening), and other identity attributes submitted for lookups.
  • Usage & telemetry: Logs of API calls (timestamp, endpoint, license key used), usage metrics, and diagnostic logs.
  • Billing & support: Billing contact, billing address, payment transaction records (via Stripe — we do not store full card PANs), support tickets and correspondence.
  • Cookies & analytics: Cookies and identifiers used by Google Analytics, Hotjar and similar tools (see Cookies section).
  • Other: Any information you provide in communications with us (e.g., support emails), and aggregated/anonymised data derived from the above.

3. How and why we use personal data — legal bases

We only process personal data where we have a lawful basis under applicable data protection laws:

  • Performance of a contract: To create and manage your account, process your orders, and provide the Services you request. (E.g., conducting lookups requested by you; delivering results to your application.)
  • Legitimate interests: Fraud detection, system security, abuse prevention, service improvement, and analytics. We carry out a balancing test and limit processing to what is necessary. Legitimate interest processing is used, for example, to score risk and to prevent abuse of the Service.
  • Legal obligation: To comply with legal requirements (e.g., AML, sanctions screening) when applicable.
  • Consent: For optional processing such as marketing communications or non-essential cookies (e.g., Google Analytics, Hotjar) we will rely on user consent where required.

If you need the specific legal basis for a processing activity, contact at contact@boltidentity.com.

4. Cookies, analytics & tracking

We use cookies and similar technologies to operate our site, improve performance, and understand how visitors use our services.

  • Essential cookies: Required for core site functionality and security. These do not require consent.
  • Analytics and performance cookies: Used to measure usage and improve the user experience. These are processed only where you provide consent.
  • Managing cookies: You can set your preferences using our cookie banner or adjust your browser settings to block or delete non-essential cookies at any time.

We only work with analytics and service providers that apply recognized privacy and security measures.

5. Sharing & recipients (categories)

We do not publish a public list of every vendor, but we will disclose categories of recipients (and will provide customers with a detailed Subprocessor Annex under contract or DPA):
We may share personal data with:

  • Hosting & infrastructure providers (cloud provider, managed databases).
  • Payment processors (e.g., Stripe) for payments and invoicing.
  • Analytics and monitoring providers (e.g., Google Analytics, Hotjar).
  • Partners & Third Parties: In operating our platform, we may engage trusted service infrastructure and reference databases to perform elements of risk assessment, fraud prevention, and regulatory screening. These providers operate under Bolt Identity’s direction, with strict security and confidentiality obligations.
  • Professional advisors (lawyers, auditors) bound by confidentiality.
  • Law enforcement, regulators or third parties where required by law or to respond to the legal process.
  • Acquirers or other parties in a corporate transaction (sale, merger, asset transfer) — subject to confidentiality and data protection obligations.

In accordance with Data Protection, Bolt Identity engages subprocessors, partners/third-parties to provide infrastructure, analytics, payment processing, and other essential services. For confidentiality and security purposes, the full list is only provided to verified Enterprise customers who have entered into a binding agreement with Bolt Identity and who require this information for compliance purposes.

6. Retention — how long we keep data

Bolt Identity retains personal data for as long as necessary to deliver our services and meet the purposes described in this Policy. Unless deletion is specifically requested by the customer, data may be retained indefinitely, subject to legal, regulatory, or security requirements.
If you request deletion of your personal data, we will delete or irreversibly anonymise it in our own systems. Where data has been shared with trusted service providers or verification partners to perform checks on our behalf, we will forward your deletion request to them, but ultimate deletion within their systems is governed by their own data protection practices and contractual commitments.

7. Your rights (how to exercise them)

Under applicable law you may have the right to:

  • Request access to the personal data we hold about you.
  • Request correction of inaccurate or incomplete personal data.
  • Request deletion (“right to be forgotten”) — subject to legal obligations and legitimate interests.
  • Request restriction of processing (pause processing while a dispute is resolved).
  • Object to processing based on legitimate interests (we will assess and respond).
  • Request data portability (receive a machine-readable copy of your data).
  • Withdraw consent where processing is based on consent.

How to make a request: Email contact@boltidentity.com with “DATA SUBJECT REQUEST” in the subject and include: (a) type of request; (b) proof of identity (to prevent disclosure to wrong person); (c) any specific data identifiers (account email, license key). We will respond within one month. If the request is complex, we may extend by up to two further months — we will notify you and explain the reason. We may refuse manifestly unfounded or excessive requests (we will explain why).

7.1. Additional rights for U.S. residents

If you are a resident of certain U.S. states (such as California, Colorado, Virginia, Connecticut, Utah), you may have additional privacy rights under state law, including:

  • The right to know the categories of personal information we collect, use, and disclose.
  • The right to access a copy of the personal information we hold about you.
  • The right to request deletion of your personal information, subject to legal obligations.
  • The right to correct inaccurate personal information.
  • The right to opt out of the “sale” or “sharing” of your personal information (we do not sell personal information)
  • The right to limit the use or disclosure of sensitive personal information.

To exercise these rights, please contact us at contact@boltidentity.com with “U.S. PRIVACY REQUEST” in the subject line. We will respond within the timeframe required by applicable state law.

8. Automated decision-making & profiling

Our Fraud Engine and other verification services use automated profiling and scoring to assess risk (e.g., likelihood of fraud, disposable email, proxy detection) and return risk decisions (e.g., Verified / Risky / Suspicious / Decline). These scores are used to deliver the Service and to help our customers make decisions.

  • If you are adversely affected by an automated decision (for example, being blocked from a service), you may request human review via contact@boltidentity.com.
  • Where required by law, we will provide meaningful information about the logic involved, the significance, and the envisaged consequences of automated processing.

Note: Our outputs are advisory signals for customers; customers remain responsible for how they use results and for complying with applicable laws (including providing end-users with required notices and rights).

9. Security measures

We take security seriously and apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, or disclosure. These measures include:

  • Encryption of data in transit and at rest where appropriate.
  • Access controls and monitoring to ensure only authorised personnel can access personal data.
  • Segregation of customer data and role-based access.
  • Regular backups and security monitoring.
  • Incident response procedures, including notification to customers and regulators where required by law.

While no system can guarantee absolute security, we continuously review and enhance our safeguards to align with industry standards. If you believe your data may have been compromised, please contact us at contact@boltidentity.com immediately.

10. Third-party services & subprocessors

To provide our Services, Bolt Identity relies on carefully selected third-party providers (for example, hosting, analytics, payments, and verification partners).
  • These providers may process limited personal data only as needed to perform their function.
  • We choose providers that demonstrate strong regulatory, compliance, and security practices consistent with industry standards.
  • Some providers may be located outside the UK. Where this is the case, we only engage vendors that maintain recognised safeguards for protecting personal data.
  • Customers may contact contact@boltidentity.com for more information about the categories of subprocessors we use.

11. Children’s data

Our Services are not intended for minors. We do not knowingly collect personal data from persons under 16. If you believe a minor has provided us personal data, contact contact@boltidentity.com and we will delete it where required.

12. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. Updates will apply to all personal data we hold, including data collected before the change, unless otherwise required by law. We will always publish the updated Policy with a new effective date. For material changes that affect your rights, we will provide notice (for example, by email or through the Portal).
Scroll to Top