Privacy Policy

SanctScan ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our sanctions screening platform and related services (collectively, the "Service").

1. Information We Collect

1.1 Information You Provide

We collect information you provide directly to us, including:

• Account Information: Name, email address, password, and organization details when you create an account.

• Screening Data: Names, aliases, and other identifying information of individuals or entities you submit for sanctions screening.

• Payment Information: Billing details processed through our payment provider, Polar.sh. We do not store complete credit card numbers on our servers.

• Communications: Information you provide when contacting us for support or feedback.

1.2 Information Collected Automatically

When you use our Service, we automatically collect:

• Usage Data: Information about how you interact with our Service, including features used, searches performed, and time spent on the platform.

• Device Information: Browser type, operating system, IP address, and device identifiers.

• Cookies and Similar Technologies: We use cookies and similar tracking technologies to enhance your experience. See our Cookie section below for more details.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Service

• Process sanctions screening requests and deliver screening results

• Send you alerts and notifications about monitored entities
• Process payments and manage your subscription
• Respond to your comments, questions, and support requests

• Send you technical notices, updates, security alerts, and administrative messages

• Analyze usage patterns to improve our Service and develop new features

• Detect, prevent, and address fraud and security issues
• Comply with legal obligations

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), our legal bases for collecting and using your personal information include:

• Contract Performance: Processing necessary to provide you with our Service

• Legitimate Interests: Processing for our legitimate business purposes, such as improving our Service and preventing fraud

• Consent: Where you have given us explicit consent for specific processing activities

• Legal Obligation: Processing necessary to comply with applicable laws

4. Information Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

• Service Providers: We share information with third-party vendors who provide services on our behalf, including hosting (Cloudflare), payment processing (Polar.sh), email delivery, and analytics (PostHog).

• Organization Members: If you are part of an organization account, other members of your organization may view screening history and monitored entities.

• Legal Requirements: We may disclose information if required by law, regulation, or legal process.

• Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

• With Your Consent: We may share information for any other purpose with your explicit consent.

5. Data Retention

We retain your information for as long as your account is active or as needed to provide you with our Service. Specifically:

• Account Data: Retained until you delete your account

• Screening History: Retained for the duration of your subscription to support compliance auditing and reporting

• Payment Records: Retained for 7 years as required for tax and accounting purposes

• Usage Analytics: Aggregated and anonymized data may be retained indefinitely

After account deletion, we may retain certain information as required by law or for legitimate business purposes.

6. Data Security

We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS/HTTPS)
• Encryption of data at rest
• Access controls and authentication mechanisms
• Regular security assessments
• Secure hosting infrastructure (Cloudflare)

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

7. Your Rights and Choices

7.1 All Users

All users have the right to:

• Access and update your account information
• Delete your account
• Opt out of marketing communications
• Manage cookie preferences

7.2 European Economic Area (EEA) Residents

If you are in the EEA, you have additional rights under GDPR:

• Right to Access: Request a copy of your personal data

• Right to Rectification: Request correction of inaccurate data

• Right to Erasure: Request deletion of your data

• Right to Restrict Processing: Request limitation of how we use your data

• Right to Data Portability: Request your data in a machine-readable format

• Right to Object: Object to processing based on legitimate interests

• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

7.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect and how it is used
• Request deletion of your personal information
• Opt out of the sale or sharing of personal information
• Non-discrimination for exercising your privacy rights

We do not sell or share your personal information as defined by the CCPA/CPRA.

8. Cookies

We use cookies and similar tracking technologies to:

• Essential Cookies: Required for the Service to function properly (authentication, security)

• Analytics Cookies: Help us understand how visitors interact with our Service (PostHog)

• Preference Cookies: Remember your settings and preferences

You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our Service.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country.

When we transfer data internationally, we implement appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure your data remains protected.

10. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, or if you wish to exercise your privacy rights, please contact us at:

Email: privacy@sanctscan.app

For GDPR-related inquiries, you may also contact your local data protection authority if you believe we have not adequately addressed your concerns.