top of page

Intrepid Fox 

1. Is the Intrepid Fox solution compliant with GDPR?


At Intrepid Fox, we have a strong practice of protecting our customers’ information. We are committed to security, privacy, and compliance across everything we do, and our approach to our AI solutions is no different.

Generally we do no process personal data of natural persons within our AI solutions, since according to the Recital 14 of the GDPR, it only applies to natural persons and does not cover the processing of personal data concerning legal persons, in particular undertakings established as legal persons or legal entities. However, we still might process personal data in some cases, where legal entities representative or natural persons personal data is involved. For such occasions, we have appropriate procedures in place to comply with the requirements of GDPR.

We process personal data in a lawful, fair and transparent manner in relation to data subject according to Article 5 (1) (a) of the GDPR.

We process personal data with appropriate purpose limitation according to Article 5 (1) (b) of the GDPR. Purpose limitation requires us to be clear and open about why we are collecting personal data and that what we intend to do with it is in line with individuals’ reasonable expectations. Being clear about why we want to process personal data helps us ensure our processing is fair, as well as enables us to demonstrate our accountability for it.

We process personal data according to the data minimisation principles set out in Article 5 (1) (c) of the GDPR. The data minimisation principle is about only collecting the personal data we need to achieve our data processing purpose. Intrepid Fox collects only the minimum personal data necessary to achieve the purpose for which the personal data was collected. Once that purpose has been accomplished, the personal data is permanently deleted unless there is an legal obligation to retain the personal data for a longer period.

We process personal data according to the accuracy principles set out in Article 5 (1) (d) of the GDPR. According this principle, any collected personal data by Intrepid Fox needs to be accurate and, where necessary, kept up to date. Regarding input data, client of the bank/fintech company is providing input data and it is their responsibility to provide accurate input data.

We process data according to the storage limitation principles set out in Article 5 (1) (e) of the GDPR. The storage limitation principle is about keeping the data only for as long as you need it.  Our AI solutions do not keep data for longer than it is needed to achieve its purpose and data is kept according to the data controllers instructions. We take proportionate approach to retention periods, balancing needs with the impact of the retention on individuals’ privacy.

We use GDPR compliant third-parties for our data processing activities, such as:


Third parties

1. Amazon AWS

For data storage we use Amazon AWS cloud services hosted within EU, which is compliant with the GDPR. For more information about Amazon AWS compliance, please visit

2. Microsoft (Azure)

Microsoft’s AI products and solutions are compliant with applicable data protection and privacy laws today. Microsoft Azure AI solution does not train on user input data.  For more information please see - Microsoft Products and Services Data Protection AddendumMicrosoft’s Product Terms, and the Microsoft Privacy Statement.   

3. Open AI (for non-EU users)

For non-EU users, we use OpenAI solutions. Open AI solution does not train on user input data. For more information about the OpenAI solutions data protection compliance, please visit

4. Google Cloud

We use Google cloud services for hosting of our OCR (Optical Character Recognition) solution. For more information about Google cloud services, please visit



Article 5 (1) (f) of the GDPR sets out that the technical and organisational security measures we put in place have to be appropriate to the risks your processing poses to the rights and freedoms of individuals. The security principle requires us to protect the data we hold from unauthorised or unlawful processing, accidental loss, destruction or damage. We provide the following security measures:


Security Measures


1. Access control to systems (virtual): The following technical and organizational measures are in place for user identification and authentication.

● Encryption of data in transit and at rest (covered by infrastructure and platform partner)

● Personal and individual user log-in when entering the system

● Additional system log-in for special applications

● Automatic blocking of the computer after a certain period of time without user activity

● User access logs


2. Access control to data: The following measures are in place to ensure that data is accessed only by authorized employees in accordance with their access rights:

● Role-Based Access Control

● Authorization routines

● Reports/data logs (for technical, non-business purposes)

● Reviews / Audits (for technical, non-business purposes)

● Restricted use of removable media (e.g. external hard drives), encryption and authorization prior to using

3. Disclosure control: The following measures are in place to ensure secure transport, transmission, communicate, or storage of data on data media (manual or electronic).

● It is not allowed to store any customers’ data outside of infrastructure and platform partner

● Logging


4. Input control: The following measures are in place for verifying and tracking whether data have been entered, changed, removed, or deleted, and by whom.

● Access rights

● System logs

● Security/logging software

● Functional responsibilities

5. Availability control: The following measures are in place to assure data availability and protect against accidental destruction or loss of data.

● Back-up processes for technical (non-business) purposes (cloud storage and databases are used, which do not require backups)

● Retention of back-ups

● Customer might perform business purpose backups of data through API and set up the retention for backups

6. Separation control: The following measures are in place to ensure that data processed for different purposes are processed separately.

● Logical separation of client data within databases

● Encryption of client data in transit

● Separation of test, development, and production environments



2. What legal basis is applicable for the provided data processing activities? Does the Intrepidfox solution comply with all requirements in relation to the legal basis they rely on?



Intrepid Fox, when providing AI services, merely acts as a processor within the meaning of Article 28 of the GDPR and processes the personal data according to the banks and fintech companies instructions.


When using the AI services, clients of the banks and fintech companies (user of our services represents/is employed by such companies) upload and process various data (e.g. data of their customers, partners, suppliers, merchants, investors, or another legal or natural person whom the client wishes to verify via using of the service) through our services.

In such a case, the personal data is under the control of the bank/fintech company and Intrepid Fox may process such personal data for the purposes and to the extent necessary to provide the services ordered by the bank/fintech company in accordance with Terms and Conditions and Data Processing Agreement between the parties. Hence, in such a situation, Intrepid Fox acts as a data processor and processes the personal in accordance with the data processing agreement concluded with the bank/fintech company.

This lawful basis of Article 6 (1) (b) of the GDPR for the bank/fintech company applies where the processing using AI is objectively necessary to deliver a contractual service to the relevant client of the bank/fintech company, or to take steps prior to entering into a contract at the individual’s request.

As explained above, we mainly use the data for the rendering of the services which the bank/fintech company has ordered from us and for communicating with the client of the bank/fintech company, however, if a client of the bank/fintech interacts with our service or website, our legal basis for processing the personal data as described hereunder may vary depending on the personal data at issue as well as the context in which we collect it. Ordinarily, we process personal data about you in reliance on your consent or on legitimate interest. We may also process data to comply with our legal obligations, or to fulfill a contract.


Doing that we use the data obtained for (i) our business operations (operating, maintaining, improving the features of our services, communicating with clients), (ii) business development (analysing usage statistics, preferences), (iii) marketing (news and offers relating to our services and products).


3. What data categories and types will be processed by the Intrepid Fox solution? Are there any special categories of personal data? Are there any data categories not covered by GDPR?


We do not process any special categories of personal data and there are no data categories not covered by GDPR.


a. Business Nature Verification

We collect the personal data through the use of personal information provision services, OCR (Optical Character Recognition) services when checking invoices, contracts, checks, and other documents from the user to verify the nature of the business.


We may collect the personal data from individuals who make inquiries within our solution.


・Date of birth


・Telephone number

・E-mail address

・Personal identification number


・Other data from the inquiries within our solutions.


b. Ownership Structure Verification

In order to provide our AI solutions, we use personal data obtained from services provided by third parties based on information collected by us to determine and verify ownership structure.

We collect data from certificates and extractions from shareholder registers. Personal data provided in registers in accordance with their terms and conditions, co-use policies, etc.



・Date of birth


・Telephone number

・E-mail address

・Personal identification number


・Other data from the inquiries within our solutions.

c. Directors Powers Verification

Our AI solution collects data from documents that define decision-making powers in a company, such as Articles of Association and Power of Attorney.


・Date of birth


・Telephone number

・E-mail address

・Personal identification number


・Other data from the inquiries within our solutions.




4. How long will our data be retained by the Intrepid Fox solution?


We will retain information, including personal data of users and visitors for as long as needed to provide our Service or respond to requests. We only retain and use the information and personal data as necessary to comply with our agreements, legal obligations, and the resolution of any disputes.

We retain such personal data for as long as it is useful in our products, either as an actual data point or in order to derive, correct or validate other data points, and provided that we are comfortable that the data is accurate and can be relied upon. Typically we store personal data about our users for 90 days after the inquiry of the user, however, companies to whom we provide our AI solutions can choose specific term for which data is being processed and we can make appropriate amendments to our data retention if needed.

As soon as the purpose of the processing is achieved and there are no other purposes for which we would be authorised to process the personal data, we erase the personal data.

We delete personal data when (a) it is no longer used for any purposes, or (b) a data subject requests deletion of their personal data or objects to us processing their data pursuant to their GDPR or other state or national rights (unless we have a valid legal justification to retain it, such as to resolve disputes or comply with our legal obligations).


5. Where will the data be stored? Please, define the geographic area as well.


No personal data within our EU based AI solutions are transferred outside the EU/EEA, UK or Switzerland.

The AI GPT models we use are hosted on the Microsoft Azure cloud environment localized in the Sweden.

Our services within Amazon AWS are hosted in in the United Kingdom.

The OCR (Optical Character Recognition) system is hosted in Google Cloud environment which is localised in the United Kingdom.

Open AI services for clients outside of EU are hosted in United States of America.


6. Are the appropriate safeguards for cross-border transfers of personal data ensured under GDPR for Intrepid Fox solution?


We endeavour to only process EU personal data on servers located in the EU, UK, Switzerland for EU/EEZ clients.


If personal data is transferred outside the European Union and the EEA countries, Intrepid Fox has taken adequate measures to secure that user personal data are processed in compliance with GDPR. Whenever we transfer personal data to countries outside of the EEA, UK or Switzerland we ensure that at least one of the following safeguards is in place:

  1. We will only transfer your personal data to countries that the European Commission have approved as providing an adequate level of protection for personal data;

  2. Ensure the transfer is subject to a specific derogation in the GDPR or national laws; or

  3. Use the standard contractual clauses as the transfer mechanism when a case-by-case analysis has been performed.

Where we use certain service providers, we may use specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give personal data protection as it has in the EU, EEA or UK.


7. Is the use of Microsoft Azure Open AI technology GDPR compliant?


Yes, Microsoft Azure Open AI technology is GDPR compliant.

The Azure OpenAI Service is hosted in Azure infrastructure and protected by the most comprehensive enterprise compliance and security controls in the industry. These services were built to take advantage of the security and compliance features that are already well-established in Microsoft’s hyperscale cloud. This includes prioritization of reliability, redundancy, availability, and scalability, all of which are designed into our cloud services by default.

Microsoft’s Azure OpenAI Service services and capabilities allow customers to leverage OpenAI’s models, including GPT-3, GPT-4, and Codex in the Microsoft environment.

Customer Data, including prompts (Inputs) and completions (Output Content), embeddings, and any training data user might provide to the Microsoft Online Services, are not available to OpenAI. Microsoft hosts the OpenAI models in Microsoft’s Azure environment and the Azure OpenAI Service does not interact with any services operated by OpenAI (e.g., ChatGPT, or the OpenAI API).

For more information please see - Microsoft Products and Services Data Protection AddendumMicrosoft’s Product Terms, and the Microsoft Privacy Statement.   


GDPR Compliance

bottom of page