How We Process and Protect Your Data
Learn how AML PROOF processes, stores, and protects your data, our trusted sub‑processors, international transfer safeguards, and the GDPR/AMLR controls we apply across the platform.
Data Processing Overview
What Data We Process
- Client identification data (§ 5 and § 8 of Act No. 253/2008 Coll.)
- Records of trades and ongoing monitoring of the business relationship (§ 16 of Act No. 253/2008 Coll.)
- Risk assessment (§ 21a of Act No. 253/2008 Coll.)
- Suspicious transaction reports and audit trails (§ 18 of Act No. 253/2008 Coll.)
- User account and authentication information
Processing Purposes
- Fulfilling obligations under Act No. 253/2008 Coll. and Act No. 69/2006 Coll.
- Risk assessment and fraud prevention
- Client identification and control, enhanced client identification and control (§ 9a, § 13)
- Reporting suspicious transactions to the Financial Analytical Office (§ 18)
- Service provision and platform functionality
Legal Basis for Processing
Legal Obligation
Processing required to comply with AML/CFT laws and regulatory requirements across jurisdictions.
Includes: KYC/KYB identification, AML records, sanctions screening, FIU reporting.
Legitimate Interest
Processing necessary for fraud prevention, security, and providing effective compliance services.
Includes: security monitoring, fraud prevention, pseudonymized usage analytics, commercial communications to existing clients.
Contractual Necessity
Processing required to perform our contractual obligations and deliver agreed services.
Includes: account operation, report generation, platform access.
Trusted Sub-processors
We work with carefully selected sub-processors to deliver our services. All sub-processors are bound by strict data protection agreements and undergo regular security assessments.
| Sub-processor | Service | Location | Data Processed |
|---|---|---|---|
| Neon | Database Services | US, EU | User data, compliance records |
| Vercel Inc. | Hosting, Storage & Analytics | Global CDN | Application data, logs, files |
| Stripe Inc. | Payment processing and invoicing | US, EU | Payment information |
| Fio banka | Remote micro-transfer (identity verification) | Czech Republic | Bank account for 1 CZK / 0.10 EUR micro-transfer; transaction data for matching and refunds |
| QR Server | Payment QR code generation | EU (Germany) | Payment payload (account, amount, variable symbol, message) in URL for QR image generation |
| Resend | Email Services | US | Email addresses, communications |
| | OAuth Authentication | US, EU | Authentication data, profile information |
| MV ČR (Ministerstvo vnitra) | Document Validity Check (Invalid Documents Registry) | Czech Republic | Document type and number for validity check (CZ ID card, passport) |
| OpenSanctions | PEP and Sanctions Screening | EU | Names, dates of birth, countries for screening |
| European Commission / EU Council | EU Consolidated Sanctions List (data source) | EU | We download the list; screening is performed locally; no client data is sent |
| MZV ČR (Ministerstvo zahraničních věcí) | Czech National Sanctions List (data source) | Czech Republic | We use the list for screening; data is imported and searched locally; no client data is sent |
| Google (Gemini AI) | Adverse media screening | US, EU | Only the first and last name of the screened person is sent to the model as a search query. No other personal data is sent. The results are based exclusively on publicly available media sources. |
| ARES | KYB Verification and Data Auto-fill | Czech Republic | Czech company information, registration numbers, registration data |
International Data Transfers
Transfer Safeguards
- Standard Contractual Clauses (SCCs) for EU transfers
- Adequacy decisions where applicable
- Data Processing Agreements with all processors
- Regular compliance audits and assessments
Data Localization
EU client data is primarily processed and stored within the European Economic Area.
We utilize global cloud infrastructure with appropriate safeguards for cross-border transfers.
Data Retention & Deletion
Compliance Records
10 Years
Records are retained for a period of 10 years according to § 16 of Act No. 253/2008 Coll.
Transaction Data
10 Years
Records of trades and ongoing monitoring of the business relationship are retained according to § 16 of Act No. 253/2008 Coll.
Account Data
30 Days
User account data is deleted within 30 days of account closure, except for compliance records, which are subject to the statutory retention period under § 8 of Act No. 253/2008 Coll.
Your Data Rights
Individual Rights
- Right of Access: Request copies of your personal data
- Right to Rectification: Correct inaccurate personal data
- Right to Erasure: Request deletion where legally permissible
- Right to Portability: Receive your data in a structured format
Limitations
Regulatory Compliance Requirements
Some data rights may be limited by AML/CFT legal obligations. We are required to retain certain compliance records for regulatory periods, even after account closure.
Contact for Data Rights
To exercise your data rights, contact our Data Protection Officer:
Email: privacy@amlproof.ai
A Data Protection Officer (DPO) is in the process of being appointed. Contact details of the DPO will be published immediately after the appointment is completed.
Questions About Data Processing?
If you have questions about how we process your data, our sub-processors, or want to exercise your data rights, please don't hesitate to contact us.