Privacy Policy

This Privacy Policy explains how Screening API ("we," "us," or "our") collects, uses, shares, and retains personal data when you use our Service. It also describes your rights with respect to that data.

1. What We Collect

1.1 Account data

When you register, we collect your email address and the time of registration. We derive an organisation name from your email domain. We do not collect a password (we use magic-link authentication).

1.2 Usage and API data

We log each API request made with your API Key. Log records include:

A non-personally-identifiable request identifier
The blockchain address submitted for screening (see section 1.3)
The chain identifier
Timestamp and response latency
The screening result (risk score, risk level, matched labels)

Usage logs are associated with your organisation, not with individual users within your organisation.

1.3 Screening addresses

The blockchain addresses you submit are processed to produce a screening result. We treat submitted addresses as confidential (see Terms of Service §9). We do not sell or share submitted addresses with third parties outside of infrastructure providers described below.

Note: blockchain addresses are pseudonymous, not inherently personally identifiable. However, in certain contexts they may be linkable to individuals. We handle them accordingly.

1.4 Billing data

If you subscribe to a paid plan, billing is processed by Stripe, Inc. We collect the Stripe customer ID associated with your organisation. We do not store your payment card details; those are held by Stripe under PCI DSS.

1.5 Communications

If you contact us by email or submit a support request, we retain that correspondence.

1.6 Technical data

We collect standard web server logs (IP address, user agent, referrer) for security, debugging, and abuse prevention. If you visit our website, we may set a session cookie to maintain your authenticated state.

2. How We Use Your Data

Purpose	Legal basis
Providing the Service (screening API, dashboard)	Contract performance
Billing and subscription management	Contract performance
Sending transactional emails (magic links, invoices, alerts)	Contract performance
Detecting and preventing abuse and fraud	Legitimate interest
Security monitoring and incident response	Legitimate interest
Improving the Service	Legitimate interest
Complying with legal obligations (e.g., responding to law enforcement)	Legal obligation

We do not use your data for behavioural advertising or sell it to data brokers.

We share data only as described below:

Recipient	Purpose	Data shared
Supabase, Inc.	Database hosting (Postgres)	All stored data
Vercel, Inc.	Application hosting and edge network	Request logs
Stripe, Inc.	Payment processing	Email, billing details
Resend, Inc.	Transactional email delivery	Email address, email content
GitHub, Inc.	CI/CD (pipeline workflows)	No personal data

We require all sub-processors to maintain appropriate confidentiality and security obligations. We do not transfer your data to countries that lack adequate data protection unless covered by appropriate safeguards (e.g., EU Standard Contractual Clauses).

Legal disclosures. We may disclose data if required by law, court order, or governmental authority. Where legally permitted, we will notify you before complying with such a request.

Business transfers. In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you via email or dashboard notice before your data is subject to a materially different privacy policy.

4. Data Retention

Data type	Retention period
Account data (email, org)	Until account deletion, then 30 days
API usage logs	90 days rolling
Billing records	7 years (tax and accounting obligations)
Security/access logs	30 days
Support correspondence	2 years after case closure

When you delete your account, we delete or anonymise your personal data within 30 days, except where we have a legal obligation to retain it (e.g., billing records).

5. Your Rights

Depending on your jurisdiction, you may have the following rights:

Access. Request a copy of the personal data we hold about you.
Rectification. Ask us to correct inaccurate data.
Erasure. Ask us to delete your personal data (subject to legal retention obligations).
Restriction. Ask us to restrict processing of your data in certain circumstances.
Portability. Receive your data in a structured, machine-readable format.
Objection. Object to processing based on legitimate interests.
Withdraw consent. Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at [CONTACT EMAIL PLACEHOLDER]. We will respond within 30 days. We may ask you to verify your identity before processing the request.

If you are located in the European Economic Area or the United Kingdom, you also have the right to lodge a complaint with your local data protection authority.

6. Security

We implement technical and organisational measures to protect your data, including:

API Keys are stored as SHA-256 hashes; we cannot recover a key once issued.
Passwords are not used (magic-link authentication).
Database access is restricted to application services via TLS-encrypted connections.
Session tokens are stored in HttpOnly, Secure, SameSite=Lax cookies.

No transmission over the internet is fully secure. You use the Service at your own risk, and we cannot guarantee absolute security.

7. Contact

For privacy-related questions or to exercise your rights, contact us at:

[CONTACT EMAIL AND ADDRESS — PLACEHOLDER]

[DATA PROTECTION OFFICER DETAILS — IF REQUIRED BY APPLICABLE LAW]

We may update this Privacy Policy from time to time. Material changes will be communicated as described in the Terms of Service §13.