Privacy Policy

Last updated: June 7, 2026

This Privacy Policy explains how AnchorAPI ("we", "us", "our") collects, uses, and protects personal data in connection with the AnchorAPI service at https://www.anchorapi.dev (the "Service"). We handle personal data in accordance with the Personal Data Protection Act B.E. 2562 (2019) ("PDPA") and, where applicable, the EU/UK General Data Protection Regulation (GDPR).

We may update this Policy from time to time. We encourage you to review it periodically, and we will notify you of material changes by appropriate means.


1. Scope of this Policy and our role

Where we act as controller. We are the controller of the account, organization and billing, usage, technical, free-checker, and communications data described in Section 2, which we determine how and why to process in order to operate the Service.

Where we act as processor. When a business customer submits personal data to the Service for screening — for example, where a wallet address or accompanying data relates to the customer's own end users — we process that data on the customer's behalf and on its instructions, as a data processor. The customer is the controller of that data.


2. Personal data we collect

We may collect personal data directly from you, automatically through your use of the Service, and — for screening data — from our business customers who submit it. The categories we collect are:

  • Account data — your email address and the authentication information needed to sign you in. We use passwordless "magic link" sign-in and do not store passwords.
  • Organization and billing data — your plan, subscription status, invoices, and limited billing metadata. Payment details are collected by our third-party payment processor; we do not store full payment card numbers.
  • Usage data — API requests made, endpoints called, timestamps, request counts, response statuses, and audit logs, used to provide the Service, enforce usage limits, bill, secure the Service, and troubleshoot.
  • Technical data — IP address, browser/user-agent, and approximate location derived from IP, used for security, abuse prevention, and geographic access controls.
  • Free-checker data — when the public free checker is used, limited data about the check (such as a hashed form of the queried address, the selected chain, whether a match was found, and the requesting IP). No account is required to use the free checker.
  • Communications — records of correspondence if you contact us.
  • Screening data submitted by customers — wallet addresses and any accompanying data submitted through the Service by business customers.

Wallet addresses. Wallet addresses are public blockchain identifiers. A standalone address is generally not, by itself, personal data about you; however, where an address is linked to an identifiable person it may constitute personal data, in which case it is handled under this Policy and, for customer-submitted data, the Data Processing Agreement.

Special category data. We do not seek to collect special category / sensitive personal data (such as data revealing race, religion, health, or biometric data) in operating the Service, and you should not submit it.

Children. The Service is intended for businesses and is not directed to individuals below the age of majority (or, under the GDPR, below the applicable age of consent for information society services). We do not knowingly collect personal data from children.


We use personal data for the purposes below. For each, we state the legal basis under the PDPA and, where it applies, under the GDPR:

PurposePDPA basisGDPR basis (Art. 6)
Provide, operate, and maintain the ServiceContract (§ 24(3))Contract (6(1)(b))
Authenticate you and secure your accountContract; legitimate interest (§ 24(5))Contract; legitimate interests (6(1)(f))
Process payments and manage subscriptionsContract (§ 24(3))Contract (6(1)(b))
Enforce usage limits; prevent abuse and fraudLegitimate interest (§ 24(5))Legitimate interests (6(1)(f))
Apply geographic and compliance-related access controlsLegal obligation; legitimate interestLegal obligation (6(1)(c)); legitimate interests (6(1)(f))
Communicate with you about the ServiceContract; legitimate interestContract; legitimate interests (6(1)(f))
Comply with legal obligationsLegal obligation (§ 24(6))Legal obligation (6(1)(c))
Improve and troubleshoot the ServiceLegitimate interest (§ 24(5))Legitimate interests (6(1)(f))
Optional marketing communicationsConsent (§ 19)Consent (6(1)(a))

Where we rely on legitimate interests, those interests are operating, securing, and improving the Service, preventing abuse and fraud, and protecting our and others' rights; we have balanced those interests against your rights and freedoms.

Where we rely on consent, you may withdraw it at any time without affecting prior processing.

If you do not provide personal data we need to operate the Service, we may be unable to provide the Service or perform our contract with you.


4. Automated processing and risk scoring

On its paid tier, the Service returns a risk score and a risk level for a queried address. Producing those indicators involves automated processing and may constitute profiling.

We do not use these indicators to make a decision producing legal or similarly significant effects about you. The score and level are informational; the decision whether to act on them is made by the business customer using the Service. Where we generate a score or level for data submitted by a business customer, we do so as a processor on that customer's instructions, and that customer, as controller, is responsible for the lawful basis for the processing and for any obligations relating to automated decision-making and profiling toward its own data subjects, including under Article 22 of the GDPR.


5. Who we share data with

We disclose personal data only as needed, to:

Service providers (processors) who help us run the Service — such as our hosting/database provider, payment processor, email delivery provider, and error- and uptime-monitoring providers — who process data on our behalf under written agreements.

Legal and safety recipients — where required by law or where disclosure is reasonably necessary to comply with legal process, enforce our terms, or protect rights, safety, and security.

Business transfers — in connection with a merger, acquisition, or sale of assets, subject to this Policy.

Sub-processors — The service providers in Section 5.1 act as our processors and, where we process personal data on behalf of a business customer under Section 1, as our sub-processors. We engage them under written agreements imposing data protection obligations no less protective than those to which we are subject.

A current list of these sub-processors is set out below. However, we may add or replace a sub-processor from time to time; where we act as a processor for a business customer, we will give that customer reasonable prior notice of any intended addition or replacement and a reasonable opportunity to object on reasonable data-protection grounds, as provided in the Data Processing Agreement.

Sub-processor list

Sub-processorService providedPersonal data processedLocation / region
Vercel Inc.Hosting of the website and API (serverless compute)Account, usage, and technical dataUnited States
Supabase, Inc.PostgreSQL database storing the Service's application dataAccount, usage, free-checker, and other stored personal dataSingapore (ap-southeast-1)
GitHub, Inc. (GitHub Actions)Scheduled data pipeline that ingests public sanctions-list dataNone in normal operation (public sanctions-list data only)United States / global
Resend (Plus Five Five, Inc.)Transactional email, including magic-link sign-inEmail addressUnited States
Stripe, Inc. (and Stripe Payments Europe, Ltd.)Subscription billing and payment processing (Stripe stores all card data; we do not)Billing and contact dataUnited States / Ireland
Functional Software, Inc. (Sentry)Error and performance monitoringTechnical and usage dataUnited States
UptimeRobotUptime and system-availability monitoringTechnical dataUnited States

6. International data transfers

We operate from the Kingdom of Thailand and use service providers that process personal data in other countries, including Singapore and the United States (see Annex A). Where we transfer personal data across borders, we do so on a lawful basis.

Under the PDPA (§§ 28–29): to a destination providing adequate protection, or subject to appropriate safeguards, or under another statutory exception.

Under the GDPR, where it applies: on the basis of an adequacy decision, or appropriate safeguards under Article 46 (such as the European Commission's Standard Contractual Clauses or the UK International Data Transfer Agreement / Addendum), or a derogation under Article 49. Neither Singapore nor the United States benefits from an EU adequacy decision of general application, so Article 46 safeguards are our operative mechanism for those transfers.


7. How long we keep data

We keep personal data only as long as necessary for the purposes described, applying the following criteria and periods:

  • Account data — for the life of the account and a reasonable period thereafter;
  • Usage and technical logs — [12 (twelve) months], after which they are deleted or anonymized;
  • Free-checker records — [90 (ninety) days];
  • Billing and accounting records — for the period required by tax and accounting law (in Thailand, generally not less than 5 (five) years);
  • Communications — for a reasonable period appropriate to the matter.

Where we no longer need personal data, we delete, destroy, or anonymize it.


8. Cookies and similar technologies

Cookies and similar technologies (such as local storage and pixels) are small files or data stored on your device when you visit our website, used to operate the Service, maintain your session, and understand usage.

We use: strictly necessary cookies (including the token that maintains your authenticated sign-in session, and cookies supporting security and abuse prevention), functional/preference cookies where offered, and analytics cookies used only with consent where consent is required. We do not use advertising or cross-site tracking cookies.

Consent. Strictly necessary cookies do not require consent. Analytics and other non-essential cookies are used only with consent, collected through our cookie banner and changeable at any time, consistent with the PDPA and the Personal Data Protection Committee's cookie guidance and, where applicable, the GDPR and the rules on cookies in the relevant EU/UK jurisdiction.


9. Your rights

Subject to the conditions and exceptions in the PDPA and, where applicable, the GDPR, you have the following rights in relation to personal data we hold about you as a controller:

  • Access and copy (PDPA § 30; GDPR Art. 15) — to access, and obtain a copy of, your personal data and information about how it is processed.
  • Rectification (PDPA § 35; GDPR Art. 16) — to have inaccurate, out-of-date, incomplete, or misleading data corrected.
  • Erasure (PDPA § 33; GDPR Art. 17) — to have your data deleted, destroyed, or anonymized where it is no longer necessary, consent is withdrawn and no other basis applies, you successfully object, or it was unlawfully processed.
  • Restriction (PDPA § 34; GDPR Art. 18) — to have processing suspended in certain circumstances.
  • Objection (PDPA § 32; GDPR Art. 21) — to object to processing based on legitimate interests and to processing for direct marketing.
  • Data portability (PDPA § 31; GDPR Art. 20) — to receive, in a commonly used machine-readable format, data you provided which we process by automated means on the basis of consent or contract, and to have it transmitted to another controller where technically feasible.
  • Withdrawal of consent (PDPA § 19; GDPR Art. 7(3)) — where processing is based on consent, to withdraw it at any time, without affecting prior processing.
  • Rights related to automated decision-making (GDPR Art. 22) — see Section 4.
  • Complaint — to lodge a complaint with a supervisory authority (Section 12).

How to exercise your rights. Contact us at the contact details provided on the website. We may ask you to verify your identity before acting on a request.

Limits and exceptions. These rights are subject to the conditions and exceptions in the PDPA and the GDPR. We may decline a request where the law permits or requires — for example, to comply with a legal obligation or court order, to establish, exercise, or defend a legal claim, or where the request would adversely affect the rights of others — and will record and explain our reasons.


10. Security

We implement appropriate technical and organizational measures to protect personal data against loss and unauthorized access, alteration, or disclosure, including encryption in transit, hashing of sensitive identifiers (such as API keys and queried addresses), access controls, and reputable infrastructure providers. We require our processors to maintain protection no less protective than this Policy. We maintain procedures to handle personal data breaches, including notification to the Personal Data Protection Committee and, under the GDPR, to the relevant supervisory authority and affected individuals, where required by law. No system is perfectly secure, and we cannot guarantee absolute security.


11. Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new "Last updated" date and, where required, notify you of material changes.


12. Contact

For any privacy question or to exercise your rights, contact AnchorAPI or our data protection contact at hi@anchorapi.dev