Last updated: June 7, 2026
This Privacy Policy explains how AnchorAPI ("we", "us", "our") collects, uses, and protects personal data in connection with the AnchorAPI service at https://www.anchorapi.dev (the "Service"). We handle personal data in accordance with the Personal Data Protection Act B.E. 2562 (2019) ("PDPA") and, where applicable, the EU/UK General Data Protection Regulation (GDPR).
We may update this Policy from time to time. We encourage you to review it periodically, and we will notify you of material changes by appropriate means.
Where we act as controller. We are the controller of the account, organization and billing, usage, technical, free-checker, and communications data described in Section 2, which we determine how and why to process in order to operate the Service.
Where we act as processor. When a business customer submits personal data to the Service for screening — for example, where a wallet address or accompanying data relates to the customer's own end users — we process that data on the customer's behalf and on its instructions, as a data processor. The customer is the controller of that data.
We may collect personal data directly from you, automatically through your use of the Service, and — for screening data — from our business customers who submit it. The categories we collect are:
Wallet addresses. Wallet addresses are public blockchain identifiers. A standalone address is generally not, by itself, personal data about you; however, where an address is linked to an identifiable person it may constitute personal data, in which case it is handled under this Policy and, for customer-submitted data, the Data Processing Agreement.
Special category data. We do not seek to collect special category / sensitive personal data (such as data revealing race, religion, health, or biometric data) in operating the Service, and you should not submit it.
Children. The Service is intended for businesses and is not directed to individuals below the age of majority (or, under the GDPR, below the applicable age of consent for information society services). We do not knowingly collect personal data from children.
We use personal data for the purposes below. For each, we state the legal basis under the PDPA and, where it applies, under the GDPR:
| Purpose | PDPA basis | GDPR basis (Art. 6) |
|---|---|---|
| Provide, operate, and maintain the Service | Contract (§ 24(3)) | Contract (6(1)(b)) |
| Authenticate you and secure your account | Contract; legitimate interest (§ 24(5)) | Contract; legitimate interests (6(1)(f)) |
| Process payments and manage subscriptions | Contract (§ 24(3)) | Contract (6(1)(b)) |
| Enforce usage limits; prevent abuse and fraud | Legitimate interest (§ 24(5)) | Legitimate interests (6(1)(f)) |
| Apply geographic and compliance-related access controls | Legal obligation; legitimate interest | Legal obligation (6(1)(c)); legitimate interests (6(1)(f)) |
| Communicate with you about the Service | Contract; legitimate interest | Contract; legitimate interests (6(1)(f)) |
| Comply with legal obligations | Legal obligation (§ 24(6)) | Legal obligation (6(1)(c)) |
| Improve and troubleshoot the Service | Legitimate interest (§ 24(5)) | Legitimate interests (6(1)(f)) |
| Optional marketing communications | Consent (§ 19) | Consent (6(1)(a)) |
Where we rely on legitimate interests, those interests are operating, securing, and improving the Service, preventing abuse and fraud, and protecting our and others' rights; we have balanced those interests against your rights and freedoms.
Where we rely on consent, you may withdraw it at any time without affecting prior processing.
If you do not provide personal data we need to operate the Service, we may be unable to provide the Service or perform our contract with you.
On its paid tier, the Service returns a risk score and a risk level for a queried address. Producing those indicators involves automated processing and may constitute profiling.
We do not use these indicators to make a decision producing legal or similarly significant effects about you. The score and level are informational; the decision whether to act on them is made by the business customer using the Service. Where we generate a score or level for data submitted by a business customer, we do so as a processor on that customer's instructions, and that customer, as controller, is responsible for the lawful basis for the processing and for any obligations relating to automated decision-making and profiling toward its own data subjects, including under Article 22 of the GDPR.
We disclose personal data only as needed, to:
Service providers (processors) who help us run the Service — such as our hosting/database provider, payment processor, email delivery provider, and error- and uptime-monitoring providers — who process data on our behalf under written agreements.
Legal and safety recipients — where required by law or where disclosure is reasonably necessary to comply with legal process, enforce our terms, or protect rights, safety, and security.
Business transfers — in connection with a merger, acquisition, or sale of assets, subject to this Policy.
Sub-processors — The service providers in Section 5.1 act as our processors and, where we process personal data on behalf of a business customer under Section 1, as our sub-processors. We engage them under written agreements imposing data protection obligations no less protective than those to which we are subject.
A current list of these sub-processors is set out below. However, we may add or replace a sub-processor from time to time; where we act as a processor for a business customer, we will give that customer reasonable prior notice of any intended addition or replacement and a reasonable opportunity to object on reasonable data-protection grounds, as provided in the Data Processing Agreement.
Sub-processor list
| Sub-processor | Service provided | Personal data processed | Location / region |
|---|---|---|---|
| Vercel Inc. | Hosting of the website and API (serverless compute) | Account, usage, and technical data | United States |
| Supabase, Inc. | PostgreSQL database storing the Service's application data | Account, usage, free-checker, and other stored personal data | Singapore (ap-southeast-1) |
| GitHub, Inc. (GitHub Actions) | Scheduled data pipeline that ingests public sanctions-list data | None in normal operation (public sanctions-list data only) | United States / global |
| Resend (Plus Five Five, Inc.) | Transactional email, including magic-link sign-in | Email address | United States |
| Stripe, Inc. (and Stripe Payments Europe, Ltd.) | Subscription billing and payment processing (Stripe stores all card data; we do not) | Billing and contact data | United States / Ireland |
| Functional Software, Inc. (Sentry) | Error and performance monitoring | Technical and usage data | United States |
| UptimeRobot | Uptime and system-availability monitoring | Technical data | United States |
We operate from the Kingdom of Thailand and use service providers that process personal data in other countries, including Singapore and the United States (see Annex A). Where we transfer personal data across borders, we do so on a lawful basis.
Under the PDPA (§§ 28–29): to a destination providing adequate protection, or subject to appropriate safeguards, or under another statutory exception.
Under the GDPR, where it applies: on the basis of an adequacy decision, or appropriate safeguards under Article 46 (such as the European Commission's Standard Contractual Clauses or the UK International Data Transfer Agreement / Addendum), or a derogation under Article 49. Neither Singapore nor the United States benefits from an EU adequacy decision of general application, so Article 46 safeguards are our operative mechanism for those transfers.
We keep personal data only as long as necessary for the purposes described, applying the following criteria and periods:
Where we no longer need personal data, we delete, destroy, or anonymize it.
Cookies and similar technologies (such as local storage and pixels) are small files or data stored on your device when you visit our website, used to operate the Service, maintain your session, and understand usage.
We use: strictly necessary cookies (including the token that maintains your authenticated sign-in session, and cookies supporting security and abuse prevention), functional/preference cookies where offered, and analytics cookies used only with consent where consent is required. We do not use advertising or cross-site tracking cookies.
Consent. Strictly necessary cookies do not require consent. Analytics and other non-essential cookies are used only with consent, collected through our cookie banner and changeable at any time, consistent with the PDPA and the Personal Data Protection Committee's cookie guidance and, where applicable, the GDPR and the rules on cookies in the relevant EU/UK jurisdiction.
Subject to the conditions and exceptions in the PDPA and, where applicable, the GDPR, you have the following rights in relation to personal data we hold about you as a controller:
How to exercise your rights. Contact us at the contact details provided on the website. We may ask you to verify your identity before acting on a request.
Limits and exceptions. These rights are subject to the conditions and exceptions in the PDPA and the GDPR. We may decline a request where the law permits or requires — for example, to comply with a legal obligation or court order, to establish, exercise, or defend a legal claim, or where the request would adversely affect the rights of others — and will record and explain our reasons.
We implement appropriate technical and organizational measures to protect personal data against loss and unauthorized access, alteration, or disclosure, including encryption in transit, hashing of sensitive identifiers (such as API keys and queried addresses), access controls, and reputable infrastructure providers. We require our processors to maintain protection no less protective than this Policy. We maintain procedures to handle personal data breaches, including notification to the Personal Data Protection Committee and, under the GDPR, to the relevant supervisory authority and affected individuals, where required by law. No system is perfectly secure, and we cannot guarantee absolute security.
We may update this Policy from time to time. We will post the updated version with a new "Last updated" date and, where required, notify you of material changes.
For any privacy question or to exercise your rights, contact AnchorAPI or our data protection contact at hi@anchorapi.dev