CRIF Decision Hub - Terms of Use

Last modified: July 2020

Using our Website

This website (“Website”) is provided by CRIF Decision Solutions Ltd. (“CDS” / “we” / “us”), a company registered in England and Wales and located at Suite 1, 3rd Floor 11 - 12 St. James's Square, SW1Y 4LB London, United Kingdom.

By using our Website, you are agreeing to these terms of use ("Terms"), which shall take effect immediately on your first use of this Website. Please read them carefully. If you do not agree to be bound by all of these Terms, you must leave this Website immediately.

A number of our services are presented on this Website (“Services”). How you buy and use each of these Services will depend on separate terms and conditions provided by us or other organisations.

Nothing on this Website shall constitute an offer by us to provide any Services to any person at any time accessing this Website.

You must follow any policies made available to you on the Website. Do not misuse the Website. For example, do not interfere with the Website functionalities or try to access it using a method other than the interface and the instructions that we provide.

You may use the Website only as permitted by law.

The content on this Site is for your personal use only and not for commercial exploitation. You may not reproduce, republish, distribute, display or transmit for commercial, non-profit or public purposes all or any portion of the Website, except to the extent permitted above. You may not use this Website to transmit any false, misleading, fraudulent or illegal communications.

We reserve the right to investigate complaints or reported violations of our Terms and to take any action we deem appropriate including but not limited to reporting any suspected unlawful activity to law enforcement officials, regulators, or other third parties and disclosing any information necessary or appropriate to such persons or entities relating to user profiles, e-mail addresses, usage history, posted materials, IP addresses and traffic information.

We may suspend or stop providing the Website to you if you do not comply with our Terms or policies or if we are investigating suspected misconduct.

We are constantly changing and improving the Website. We may add or remove functionalities or features, and we may suspend or stop providing the Website altogether.

CDS may also add or create new limitations to the Website at any time. If we discontinue or change a functionality of the Website, we will give you reasonable advance notice, where possible.

In connection to your use of the Website, we may send you service announcements, administrative messages, and other information.

CRIF Decision Hub Account

You need to create a Company Account in order to subscribe to and use our Services.

You can create your own Company Account by signing up and registering your company.

Only the legal representatives of your company or those with duly authorised power of attorney are allowed to create a Company Account on behalf of the company. When you sign up, you declare that you have the authority to accept these Terms on behalf of the company.

If your request for registration is accepted:

- your Company Account will be created

- a default area for your Company Account will be created

- a default billing centre for your Company Account will be created

- the credentials and instructions on how to access the Account will be sent to the email address you specified when signing up

- when you login, you will access the Company Account using the “Account Administrator” profile.

Once a Company Account has been successfully created, one or more User Accounts may be created and assigned to your employees or representatives exclusively by the Account Administrator in order to use our Services as part of the same Company Account.

Every User Account you add is a subsidiary account with specific access rights to an individual Company Account.

The Account Administrator can create and disable any User Account.

Each User Account registration is for an individual user only. We do not permit a) anyone other than you to access the Company Account by using your credentials; or b) access through an individual User Account being made available to multiple users on a network or otherwise. You are the sole person responsible for preventing such unauthorised use.

To protect your Company Account, be diligent and pay maximum attention to the secrecy and confidentiality of your username and password, preventing them from being used inappropriately, erroneously or without authorisation. Do not reuse your password on third-party applications.

You are the sole person responsible for the activity carried out by your employees or representatives or by any unauthorised third party on or through your Company Account.

If you learn of any unauthorised use of your Company Account, immediately inform CDS in writing to the relevant contact details set out on the 'Contact us' page.

You hereby agree to provide accurate and complete registration information. It is your responsibility to inform us of any changes to that information.

By creating and accessing an Account, you agree that CDS can process your data in accordance with our privacy policies.

Subscribing to our Services

You need to login to a Company Account with an Account Administrator profile in order to subscribe to one of our Services.

In order to subscribe to a Service, an Account Administrator should go to the homepage of the Service and click the button to send a subscription request.

The submission of a request to subscribe to a Service does NOT mean that the Service is automatically activated or that either party is bound to sell or purchase the Service.

CDS will be notified and will start the procedures to activate the Service for the relevant Company Account.

Only when your company subscribes will the relevant terms and conditions of the Service be activated for that Company Account.

Our Warranties and Disclaimers

Our Website is provided using commercially reasonable skill and care, and we hope you will enjoy using it.

Other than as expressly set out in these Terms or additional terms, CDS makes no specific promises about the Website.

We do not make any commitments about the content of the Website, the specific functions of the Website, or their reliability, availability, or ability to meet your needs.

We provide the Website “as is” and give no warranties, conditions, guarantees or representations, explicit or implied, that this Website will be available without interruption, or that it is free of errors, viruses or bugs. You acknowledge that it is your responsibility to implement sufficient procedures and virus checks (including anti-virus and any other appropriate or applicable security checks) to satisfy your specific requirements as to the accuracy and or content of information.

Liability for the Website

When permitted by law, CDS will not be responsible for lost profits, revenues or data, financial losses or indirect, special, consequential, exemplary, or punitive damages.

In all cases, CDS will not be liable for any loss or damage that is not reasonably foreseeable.

However, nothing in these Terms removes or limits our liability for death or personal injury caused by our negligence or for any liability which we cannot limit or exclude under the law.

We shall not be liable for any loss, injury, claim, liability or damage of any kind resulting from your use of the Website. You shall hold harmless and indemnify CDS and its affiliates, officers, agents, and employees from any claim, suit or action arising from or related to the use of the Website or violation of these Terms, including any liability or expenses arising from claims, losses, damages, suits, judgments, litigation costs and legal fees.

Link Policy

This Website may contain hypertext links to web pages operated and maintained by third parties. These links are provided for your convenience only and we do not control and are not responsible for the content of such web pages. Our inclusion of such links does not imply any endorsement of the material contained therein or of the owners. If you use the links to visit third party web pages, you do so at your own risk. You must not link to our Website without first obtaining our written permission.

General Provisions

We may modify these Terms to, for example, reflect changes to the law or changes to the Website.

We will post a notice of modifications to these Terms on this page.

If you do not agree to the modified Terms you must discontinue using the Website.

These Terms control the relationship between CDS and you. They do not create any third-party beneficiary rights.

If you do not comply with these Terms, and we do not take action right away, this does not mean that we are giving up any rights that we may have (such as taking action in the future).

If one specific term is not enforceable, this will not affect any other terms.

You agree that the laws of England and Wales, excluding choice-of-law provisions, will apply to any disputes arising out of or relating to these Terms.

All claims arising out of or relating to these Terms will be litigated exclusively in the courts of London, UK.

If you have any questions about this Website or these Terms, please use the relevant contact details set out on the 'Contact us' page.

Privacy Notice for CRIF Decision Solutions

Last modified: July 2020

CRIF Decision Solutions Ltd. is deeply committed to protecting your privacy, which is why we have set out this privacy notice describing the personal data that we might process about you, why we process it, where we might get your personal data from, and how we handle it.

This notice also sets out how you can engage with us or how you can contact the Information Commissioner’s Office, if you have any concerns about your personal data.

Who we are and how to contact us

CRIF Decision Solutions Ltd. is a company registered in the United Kingdom (Registration Number: 03395992) and our Data Protection Officer is contactable at or if you wish to write to us in this regard, please use the following address:

Data Protection Officer / Head of Compliance

CRIF Decision Solutions Ltd.

55 Old Broad Street

London EC2M 1RX

The type of information we have

CRIF Decision Solutions Ltd (“We”) processes data both as a Data Controller, for our own purposes, and as a Data Processor on behalf of other entities.


Provision of services

We provide information services, consumer reporting and cyber risk solutions to a broad range of clients, particularly in the financial and insurance services sectors, which allow them to, amongst other things:

  • screen the personal details of an individual and validate their identity (for example for Anti Money Laundering and ‘Know Your Customer’ purposes);
  • assess insurance claims history for Motor, Personal Injuries and Home policies;
  • allow insurers check Pet insurance claims;
  • investigate potential fraud;
  • assess Cyber Risk.

For many of these services, the personal data that we process is provided to us by third parties, rather than directly by you, the data subject.

Running our business

In the normal course of running our business we process the personal data of employees of our clients, suppliers and other third parties. This includes business contact details such as names, email addresses and phone numbers which may have been provided to us indirectly by your employer or our business partners rather than directly by you. These entities should provide their employees and associates with an appropriate information notice to cover how we process their data.

In addition, we process personal data of our own employees, in which role we are a joint Data Controller with our parent company CRIF SpA, via M. Fantin, 1-3, 40131 Bologna, Italy.

Promoting our services

Finally, we process personal data of persons to whom we wish to promote our services. This will include business contact data which we may have collected directly from you either in the course of provisioning you for our services, or from this web site or an industry information service.


We act as a Data Processor in the provision of a number of services and in these roles, we process the data provided to us by the respective Data Controllers, and act solely on the instructions of the Data Controller:

We are a Data Processor:

  • in our role as a Nominated Supplier to the Motor Insurers’ Bureau, ( - a group that manages databases that support the UK insurance industry, for example the Claims and Underwriting Exchange (CUE) database).
  • for Claims Portal Ltd. (, a not-for-profit company which manages the Small Claims Process for the processing of pre-action personal injury claims for the Ministry of Justice.
  • for an insurance industry service called ELIXIR which monitors the collection of premia from brokers on behalf of insurers.
  • in the provision of a messaging system between our insurance clients and the UK Department of Work & Pensions relating to certificates and compensation.
  • when we process personal data provided to us by prospective clients to allow them to assess the appropriateness of our services for their business.

How we get the information and why we have it

Provision of services
  1. We provide clients with information that allows them to check the identity of their customers or potential customers (e.g. information on former addresses, Politically Exposed Persons, Sanctions lists, court judgements, electoral roll etc.). We may obtain this information from commercial or public sources.
  2. We provide clients with information that allows them to check if there are frauds in the insurance sector. We may obtain this information from insurance claims databases, commercial or public sources, or from our clients, for example when they share information about suspected or actual fraud.

For these services, we process personal data on the basis of our legitimate interests in providing the services in question, and the legitimate interests of our clients who need to be able to know their customers, carry our anti-money laundering checks, detect fraud, etc. These interests are set out in Legitimate Interests Assessments which are available on request.

Running our business

Your information may have been gathered from you or your employer, or through a reseller when your organisation was being set up for our services, or where you or your employer provides a service to us. Such data can be used to enable us to:

  • provide you with the ability to use our services (for example provide you with username and password), provide support services such as a Helpdesk service, and to monitor such use for billing or security purposes
  • administer your or your employer’s contract with us, including invoicing, debt recovery etc.

Our legal basis for processing this data is either for our legitimate interests, or for the performance of a contract if we are dealing directly with you. If we are dealing with your employer or client, they should be advising you as to why they are providing your personal data to their customers or service providers.

We obtain information about current, past or prospective employees either directly from you, or from recruitment consultants and the like. This information is used for HR administration, including payroll and recruitment.

Promoting our services

Your information may have been gathered from you or your employer, or through a reseller when your organisation was being set up for our services. We may also have gathered your data through your interactions with this website (for example through the “Contact us” page, website analytics or cookies) or from another organisation involved in business-to-business information services.

Such data can be used to enable us to keep you informed about developments at CRIF Decision Solutions Ltd and in our services, conducting market research and analysis, or determining your suitability for our services.

We may not be able to respond to your requests, if you choose not to supply the data requested.

We are doing so on the basis of our legitimate interests in promoting and developing our business. A specific Legitimate Interests Assessment for these purposes is available on request.

The following table summarises the data we process as a Data Controller, the sources of that data and our legal bases:

Identity Verification Services (ID Check, AML Check, Vehicle Check and Vehicle Keeper Check) Policyholders, prospective policyholders, claimants, Bankrupts, persons with judgements Politically Exposed Persons and their relatives and close associates; criminals and individuals or organisations that are subject to global sanctions, terrorists; users of the system. Names; contact details; place and date of birth; country of residence and country of citizenship; occupations; relationship (if applicable) to a public figure; bank account details; judgements and insolvency information;
User login credentials and permissions.
Commercially available sources for anti-money laundering services Legitimate Interest
Insurance Claims Searches History and Risk Assessment (RADAR Personal Injury, Home and Motor Policy Check) Policyholder/proposer Claimant; users of the system. Names; contact details; date of birth, gender; occupations; injury details; representatives’ contact details; car registration.
User login credentials and permissions.
Motor, home and personal injury claims data supplemented by commercially available data. Legitimate Interest
Pet Insurance Claims (CACHE Pet) Policyholders, Third Parties; Veterinary Surgeons; Suppliers (other than Veterinary Surgeons; Witnesses; users of the system. Names; gender; date of birth; occupation; contact details; bank account; claim details.
User login credentials and permissions.
Insurer Legitimate Interest
Insurance Fraud (Sherlock and Footprint) Employees of insurance companies, fraud investigators; persons linked to the claim; users of the system. Names; contact details; gender; date of birth; NIN; driving licence; investigator’s case history, including previous queries. Details of linkages between persons and the claim.
User login credentials and permissions.
Inquiries by insurers and investigators Legitimate Interest
Promoting our services Clients and their agents and employees Business or personal contact details Directly from our website or through third party sources. Legitimate Interest
Cyber Check Clients and their employees Name, business email and phone Clients when accounts are set up Legitimate Interest
Assisting users of our services Clients and their agents and employees Business or personal contact details Directly from the data subject, or indirectly from their employer or our resellers, as part of the process for activating users on our services. Legitimate Interest
Employment Our employees For employees: Name, DOB, Address, Contact information, Health records, performance and disciplinary records, annual leave history, salary and payroll details.
For their NOK: Name, address, contact number
For their children: Name, date of birth.
Direct from employees Performance of contract
Business contacts Contacts in suppliers and clients Names, business emails and telephones Either directly or from employers Legitimate Interest
Data Subject Rights Requests Data subjects Identification data including NIN Directly from data subject Legal Obligation

In all cases we will also process personal data as required by applicable law.

What we do with the information

As a Data Controller, we make information available to our clients to assist them in their decision-making, whether that is about financial services or insurance quotations/claims. Our clients include financial and insurance services organisations and professional advisers (e.g. solicitors, loss adjustors).

The electronic processing of personal data for which we are a Controller is generally undertaken by our parent company CRIF SpA., located in Italy, under a formal contract that provides protection appropriate to the personal data. CRIF SpA is accredited to ISO27001:2013, the international standard for information security management systems.

For the management of some marketing contact data, client Helpdesk services etc. we use external services that may be based outside the United Kingdom and the EEA. We use Standard Contractual Clauses as a safeguard for such transfers to ensure they are made in compliance with Data Protection Legislation.

Identity Verification Services Clients
Insurance Claims Searches Clients
Pet Insurance Claims Clients
Insurance Fraud Clients
Cyber Check KYND as the service provider
Promoting our services External service providers, other CRIF companies
Assisting users of our services External service providers
Employment Other CRIF companies
Business contacts Other CRIF companies
Data Subject Rights Requests Outsourced Data Protection Officer

Where we are the “data processor”, we act on the instructions of the data controller.

How we store your information

Where we are the Data Controller, we keep the information according to the following criteria:

Identity Verification Three years after client search
Insurance Claims Searches and Risk Assessment Results of search enquiries performed by users is retained for one month.
Claims data is retained for a period determined by the MIB.
Pet Insurance Claims Six years after the claims are closed
Insurance Fraud Investigations Enquiry history retained for three years after client search.
Enquiries can be packaged into investigation cases; these cases are retained for one month.
Cyber Check One year after termination of contract
Promoting our services Eighteen months if no contract established
Assisting users of our services One year after termination of contract
Employment 10 years from termination of employment relationship
Business contacts One year after termination of contract
Data Subject Rights Requests Two years from last contact with Data Subject

On a case by case basis, records may be retained for longer where required for actual or potential legal actions or investigations by supervisory authorities, or the management or mitigation of operational or strategic risks to the organisation.

Where we are a data processor, we keep your data for as long as the Data Controller asks us to.

Your data protection rights

Where we are processing your personal data as a Data Controller, you may have the right to request of us access to, and rectification or erasure, of personal data or the restriction of processing concerning your data or to object to processing as well as the right to data portability. Furthermore, to the extent that our processing may be based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before this withdrawal.

Please bear in mind that your rights in relation to your Personal Data are not absolute. It is important to note that we are processing much of the data either on the basis of legitimate interests or performance of contract, rather than consent. This means there is no absolute right to have such data erased, but you may have rights to both object to such processing or to restrict it.

In circumstances where we have obtained your data from a third party we may need to confirm the accuracy of the data with that third party before rectification.

Marketing communications with you will be conducted in compliance with the Privacy and Electronic Communications Regulations (PECR) which give you specific privacy rights in relation to electronic communications. We provide an opt-out in each communication which allows you express your preferences with regard to receiving subsequent communications.

Please contact us at the email or postal addresses above if you wish to make a data subject request.

In our role as Data Processor, we also hold personal data. In such cases, you would need to contact the respective “Data Controller” to exercise your data protection rights. If you have any requests we can direct you to the appropriate Data Controller.

How to complain

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s postal address is:

Information Commissioner’s Office
Wycliffe House
Water Lane

Helpline telephone number: 0303 123 1113

Online at

COOKIE POLICY:This site places cookies on your device and you can click on this link to understand which cookies we use and why.

How we use cookies

What is a cookie?

A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a small piece of data sent from a website and stored in a user's web browser while the user is browsing that website. Every time the user loads the website, the browser sends the cookie back to the server to notify the website of the user's previous activity.

We use cookies for many purposes.
We use them, for example, to remember your settings once you are signed in, to count how many visitors we receive to a page.

Find out more about how to manage cookies.

Types of cookies used by us

We use different types of cookie to run our website.
Some or all of the cookies identified below may be stored in your browser.

Application cookies

We have some cookies that are created cone the user signs in.
This type of cookies is necessary to run the services on the portal as they include details about the configuration of the user within the web site.

By signing up into the web site the user accepts the use of these cookies as a functionality necessary in order to run the services via the web site.
These cookies are deleted from the browser once the web session of the user terminates

Google Analytics cookies

We use Google Analytics software to collect information about how you use our portal.
Thanks to this feature we can make sure that the site meets the needs of users and we can make improvements in terms of usability.

For your information, Google Analytics stores details about:

  • the pages you visit on this web site
  • how long you spend on each page
  • how you reached this web site

We don’t collect or store your personal information (eg your name or address) so we can't use these cookies to identify who you are.

These cookies are deleted from the browser once the web session of the user terminates

Please be aware that you can opt out of Google Analytics cookies.