exfin

Legal

Public Records Notice

Version 1.0 · Effective 12 July 2026

Information on the processing of personal data from public registers, provided under Art. 14 GDPR.

Why you are reading this

exfin, operated by Orlyn, Inhaber: Luca Diaz Hilterscheid, Märkische Heide 5, 14532 Kleinmachnow, Deutschland ("we"), is research software for banks. Part of what it does is mirror official company registers and official gazettes: the public record of companies, who directs them, who owns them, and what official publications say about them.

Public registers publish a limited set of personal data about people acting in a business capacity. Because we collect this data from the registers and not from the people it concerns, Art. 14 GDPR obliges us to inform those people. Informing every named person individually would be impossible and disproportionate for register-scale data (Art. 14(5)(b) GDPR); this permanently published notice is the compensating measure the law provides for. It states, specifically and completely: what we process, from which named sources, why, for how long, who receives it, and your rights.

We do not build consumer profiles. We do not score, rate, or rank any person. Our software shows banks what the public register itself states, with a citation to the register entry for every fact.

Who is responsible (controller)

Orlyn, Inhaber: Luca Diaz Hilterscheid, Märkische Heide 5, 14532 Kleinmachnow, Deutschland.
Privacy contact: privacy@orlyn.ai.
No data protection officer has been appointed; data protection matters go to the privacy contact above.

For this processing, the register-publicity graph, we are the controller. Where a bank separately instructs research on a named person (its own customer due diligence), that bank is the controller and we act as its processor; see our Privacy Policy, section 5.

What data we process

We process only what the source register or gazette itself publishes:

  • The name of the person as stated in the register
  • The register role, verbatim (for example "Geschäftsführer", "director", "person with significant control")
  • The company the role relates to, and the dates the register states
  • For UK beneficial-owner entries: the partial date of birth (month and year) that Companies House itself publishes, used solely to tell people with the same name apart
  • Beneficial-ownership facts as the register states them, in the register's own control bands, never as invented exact figures
  • Insolvency and enforcement publications naming a person in a commercial capacity, only while the source itself publishes them

We never collect private addresses, full dates of birth beyond what the register itself publishes, or any data from social networks, credit agencies, or data brokers. Register entries under a register's own protection regime (for example UK "super-secure" persons) are skipped entirely, never reconstructed.

The sources, each named

Data protection authorities rightly reject blanket references to "public sources". These are the registers and gazettes our software processes today:

  • Companies House (find-and-update.company-information.service.gov.uk): the UK company register, including officer appointments, the register of persons with significant control (PSC), and filed accounts
  • GLEIF (gleif.org): the Global Legal Entity Identifier Foundation's public LEI data, including entity relationship records
  • Handelsregister (handelsregister.de): the German commercial register, via on-demand register extracts
  • Insolvenzbekanntmachungen (insolvenzbekanntmachungen.de): the German official insolvency publications portal
  • Zefix and SHAB (zefix.ch, shab.ch): the Swiss central business name index and the Swiss Official Gazette of Commerce

We maintain a country-by-country catalog of official registers (for example Unternehmensregister, BODACC in France, and their counterparts in other jurisdictions). When a new source goes live in the product, this notice is updated to name it before its data is displayed to customers.

Why we process it (legal basis)

Legal basis: Art. 6(1)(f) GDPR, legitimate interest. The interests pursued:

  • Register publicity is the point of these registers. Commercial registers and official gazettes publish these facts by statutory mandate precisely so that third parties can rely on them; legal certainty and the transparency of commerce depend on that publicity. The Court of Justice of the EU confirmed this function of company-register person data in C-398/15 (Manni).
  • Banks are legally required to know who they deal with. Regulated banks must identify who directs and who beneficially owns their counterparties (customer due diligence under the German GwG and the EU anti-money-laundering framework). Our users are these obliged entities, acting in that capacity. For beneficial-ownership data, EU law expressly preserves access for obliged entities performing due diligence (C-37/20).
  • Our own interest is to provide that lawful lookup with citations instead of screenshots: every fact traceable to its register entry.

Where a bank instructs a check on a specific person, that bank is the controller of its instruction, must record its purpose, and we act on documented instruction only.

How long we keep it

  • Register role and ownership facts: as long as the source register publishes them, subject to your objection (below). Facts a register supersedes are marked historical, as registers themselves do; they are not silently deleted, because the historical record is what due diligence verifies against.
  • Insolvency publications naming a person: at most 180 days, which keeps every copy inside the source register's own six-month deletion clock (Section 3 InsBekV). The purge is enforced by code, runs daily, and its counts are audited. Private copies must not outlive the register; we agree, and we built the deletion in.
  • Debt-register entries (Section 882b ff. ZPO): this data class exists in our schema with a purge clock of at most 1095 days (inside the statutory three-year clock of Section 882e ZPO), but no such data is collected today. Access to the Schuldnerverzeichnis is itself statutorily gated; a connector will only ever ship with that gating built in, and this notice will be updated first.

Who receives the data

Recipients are our customer banks and comparable regulated financial institutions, under contract, within their due-diligence work. The data is shown inside a closed, authenticated product; we do not republish register data on the open web, we operate no public people-search, and we never sell personal data. The technical service providers that host our infrastructure are listed in the Privacy Policy, section 6.

Transfers

Register data originates from EU, UK, and Swiss registers. It is stored in the product database in the United Kingdom [DATABASE REGION TO CONFIRM] (adequacy decision) and processed on EU infrastructure; the full transfer picture, including the technical subprocessors, is in the Privacy Policy, sections 6 and 7.

What we will never do with it

  • No scores. We compute no creditworthiness score, risk score, rating, ranking, traffic light, or probability value about any natural person, anywhere: not in the database, not in the interface, not in reports. This is enforced by automated checks in our build pipeline. The German credit bureau rules (Section 31 BDSG) and the EU case law on scoring (C-634/21) draw a line we deliberately stay far behind.
  • No predictions. A register fact is displayed as a cited fact or not at all; it is never presented as a prediction about a person.
  • No automated decisions. Nothing in the product decides anything about a person (Art. 22 GDPR). Banks are contractually prohibited from using our output as the sole basis for automated decisions about natural persons.
  • No enrichment. No data from social networks, credit agencies, or data brokers is merged into register facts. Same-name persons are never merged into one record without a register-published anchor; when in doubt, we keep records separate.

Verify at source

Registers remain the authoritative record. Every fact in exfin carries a citation naming its register, the register identifier, the retrieval date, and a link to the register entry, so that any fact can be verified at the source. Correcting an incorrect register entry is only possible at the register itself; we mirror corrections when the register publishes them, and on request (see rights below).

Your rights

You have the rights of Art. 15 to 21 GDPR against us for this processing: access, rectification, erasure, restriction, and objection.

Objections (Art. 21 GDPR). Write to privacy@orlyn.ai. We acknowledge receipt within five business days and decide within one month of receipt. Following German case law, we distinguish two situations, and we state our policy plainly:

  • Entries whose publication purpose has lapsed: for example an old insolvency publication past the register's own deletion clock, or a role at a company that was dissolved long ago. Display suppression is granted readily, without you having to prove particular harm.
  • Facts a register currently mandates and publishes: for example a current directorship. Register publicity generally prevails; we review each case individually, weigh documented particular circumstances, answer with reasons, and point to the register as the venue for correcting the underlying entry.

A granted suppression takes effect for all users of our software at once, across every customer.

Complaints. You have the right to complain to a data protection supervisory authority, in particular in the member state of your residence or workplace. The authority responsible for us is the Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg (LDA Brandenburg), Stahnsdorfer Damm 77, 14532 Kleinmachnow, lda.brandenburg.de.

Changes to this notice

When a new register source goes live, or retention or recipients change, this notice is updated first and the version and effective date above change. The current version is always at this address.

← Back to the site