Privacy Policy
Last updated: [DATE]
1. Data Controller
The data controller responsible for the processing of your personal data is:
[COMPANY NAME]
[STREET ADDRESS]
[POSTAL CODE, CITY]
Germany
Email: [PRIVACY@EXAMPLE.COM]
Data Protection Officer (DPO): [DPO NAME], [DPO@EXAMPLE.COM]
2. What Data We Collect
2.1 Account Data
When you create an account, we collect your email address, company name, and authentication credentials (managed via magic link). If you subscribe to a paid plan, billing information is processed by our payment provider (Stripe) and we store only a reference identifier.
2.2 Screening Query Data
When you perform sanctions screenings, we process the names, identifiers, and other data you submit for screening purposes. This may include names of individuals or entities, addresses, dates of birth, identification numbers, and other data relevant to sanctions compliance.
2.3 Usage Data
We automatically collect technical data including IP address, browser type and version, operating system, referral URLs, pages visited, timestamps, and interaction patterns. This data is collected via server logs and, where you have consented, analytics cookies.
2.4 AI Interaction Data
When you use our AI-powered features (risk explanations, compliance copilot), the queries and generated responses are logged for service improvement and audit trail purposes.
3. Legal Basis for Processing
We process your personal data on the following legal bases under Art. 6 GDPR:
- Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide our sanctions screening services as described in our Terms of Service.
- Legitimate interest (Art. 6(1)(f) GDPR): Processing for fraud prevention, security, service improvement, and analytics (where consent is not required).
- Legal obligation (Art. 6(1)(c) GDPR): Processing required to comply with applicable laws, including anti-money laundering and sanctions regulations.
- Consent (Art. 6(1)(a) GDPR): Processing based on your explicit consent, such as optional analytics cookies. You may withdraw consent at any time.
4. Processing of Criminal Offence Data (Art. 10 GDPR)
Important Notice: Our service processes data related to sanctions and criminal watchlists. This may include data relating to criminal convictions and offences under Art. 10 GDPR. Processing is carried out under the control of an official authority and is based on [APPLICABLE NATIONAL LAW PROVISION, e.g., § 10 BDSG / relevant national implementing legislation]. This processing is necessary for compliance with legal obligations related to sanctions screening and anti-money laundering requirements.
5. Data Recipients
We share personal data with the following categories of recipients, solely for the purposes described in this policy:
- Supabase Inc. (San Francisco, USA) — Database hosting and authentication services.
- Anthropic PBC (San Francisco, USA) — AI model provider for risk explanations and compliance copilot features.
- Vercel Inc. (San Francisco, USA) — Application hosting, edge functions, and content delivery.
- Stripe Inc. (San Francisco, USA) — Payment processing for subscription billing.
6. International Data Transfers
Your data may be transferred to and processed in the United States. We ensure adequate protection through the following safeguards:
- EU-US Data Privacy Framework (DPF): Our US-based processors are certified under the EU-US Data Privacy Framework (adequacy decision by the European Commission, July 2023).
- Standard Contractual Clauses (SCCs): Where DPF certification is not available, we rely on EU Standard Contractual Clauses adopted by the European Commission.
7. Data Retention
- Account data: Retained for the duration of your account and up to 30 days after deletion, unless longer retention is required by law.
- Screening data and audit trails: Retained for 7 years in accordance with OFAC, AML, and sanctions compliance recordkeeping requirements.
- Usage and analytics data: Retained for up to 26 months, then anonymized or deleted.
- Billing data: Retained for 10 years per German tax law (§ 147 AO).
8. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the following rights:
- Right of access (Art. 15): Obtain confirmation of whether and which personal data we process about you.
- Right to rectification (Art. 16): Request correction of inaccurate personal data.
- Right to erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
- Right to restriction (Art. 18): Request restriction of processing in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interest at any time.
- Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting prior processing.
- Right to lodge a complaint: File a complaint with your local data protection authority. In Germany: [ZUSTÄNDIGE DATENSCHUTZBEHÖRDE].
To exercise your rights, contact us at [PRIVACY@EXAMPLE.COM] or our DPO at [DPO@EXAMPLE.COM].
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete: Request deletion of personal information we have collected, subject to certain exceptions.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt-out of sale/sharing: We do not sell or share personal information for cross-context behavioral advertising.
- Right to non-discrimination: We will not discriminate against you for exercising any CCPA/CPRA rights.
To exercise your California privacy rights, contact us at [PRIVACY@EXAMPLE.COM].
10. Cookies
We use the following categories of cookies:
- Essential cookies: Required for authentication, session management, and security. These cookies are strictly necessary and do not require consent.
- Analytics cookies (optional): Used to understand how visitors interact with our platform. These are only set with your explicit consent per TDDDG § 25.
You can manage your cookie preferences at any time using the cookie settings on our website.
11. AI-Generated Content Notice
Sanctis uses artificial intelligence models to generate risk explanations, compliance recommendations, and screening analysis. This AI-generated content:
- Is provided for informational purposes only.
- Does not constitute legal, financial, or compliance advice.
- May be inaccurate, incomplete, or outdated. Always verify AI-generated outputs with qualified legal counsel.
- May involve transmitting query data to our AI provider (Anthropic) for processing. No personal data is used for model training.
12. Contact
For privacy-related inquiries, data access requests, or complaints:
Data Protection Officer
[DPO NAME]
[COMPANY NAME]
[STREET ADDRESS]
[POSTAL CODE, CITY]
Germany
Email: [DPO@EXAMPLE.COM]