Privacy Policy
Your privacy is important to us. This policy explains how we collect, use, and protect your personal information when you use our AML compliance platform.
Legal Basis
AML Proof s.r.o. processes personal data in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the cornerstone of European data protection law.
The GDPR was adopted by the European Parliament and the Council of the European Union and is enforced under the supervision of the European Data Protection Board (EDPB) together with the national data protection authorities of each EU Member State.
AML Proof s.r.o., as the data controller, determines the purposes and means of processing your personal data when you use our platform.
AML Proof s.r.o. acts as a processor in relation to the personal data of clients of Obliged Entities. You, as the obliged entity, remain the data controller of this data. Our relationship is governed by the Data Processing Agreement (DPA), which is part of our Terms and Conditions.
Legal Obligation
Includes: KYC/KYB identification, maintaining AML records, sanctions screening, reporting to the Financial Analytical Office.
Legitimate Interest
Includes: platform security monitoring, fraud prevention, platform improvement (pseudonymized analytics), commercial communication to existing clients.
Contractual Necessity
Includes: user account operation, generating compliance reports, access to platform features.
Information We Collect
Personal Information
- Name and contact details
- Email address and phone number
- Job title and organization
- Professional credentials
- Account preferences
Usage Data
- Platform usage patterns
- Feature interactions
- Session duration and frequency
- Device and browser information
- IP address and location data
Compliance Data
- AML case information
- Risk assessment data
- Training records
- Audit trail information
- Regulatory reporting data
Technical Information
- Cookies and tracking pixels
- Log files and error reports
- Performance metrics
- Security event logs
- API usage statistics
How We Use Your Information
Service Provision
- Provide and maintain our AML compliance platform
- Process and manage compliance cases
- Generate reports and analytics
- Facilitate training and certification
Communication
- Send service updates and notifications
- Provide customer support
- Share regulatory updates
- Deliver training materials
Improvement
- Analyze usage patterns and performance
- Develop new features and services
- Enhance security measures
- Optimize user experience
Compliance
- Meet legal and regulatory obligations
- Respond to lawful requests
- Maintain audit trails
- Protect against fraud and abuse
Data Security & Protection
We implement comprehensive security measures to protect your personal information from unauthorized access, use, or disclosure.
Technical Safeguards
- End-to-end encryption for data transmission
- Advanced encryption for data at rest
- Multi-factor authentication systems
- Regular security monitoring and audits
Operational Controls
- Role-based access controls
- Security training programs for employees and persons in a comparable position
- Incident response procedures
- Regular backup and recovery testing
Privacy when using AI
- We operate the Gemma 4 and Apertus models in 'privacy-first' mode.
- No data entered into the system is sent to train public AI models, nor does it leave the secure European/Swiss space.
Your Privacy Rights
You have important rights regarding your personal information. Contact us to exercise these rights.
Access
Request copies of your personal information
Correction
Update or correct inaccurate information
Deletion
Request deletion of your personal data where legally permissible. Certain AML/CTF compliance records cannot be deleted before the end of mandatory retention periods.
Portability
Export your data in a portable format
Right to Object
Object to processing based on legitimate interest or for direct marketing purposes (Art. 21 GDPR)
Right to Restriction
Request temporary restriction of processing your personal data in cases set out by Art. 18 GDPR
Data Retention
We retain your personal information only as long as necessary to fulfill the purposes outlined in this policy and comply with legal obligations.
Account Data
Deleted within 30 days after account closure (except where law requires longer retention)
Compliance Records
We retain data for 10 years in accordance with the legal requirements of AML legislation. Personal data is retained for the period stipulated by Act No. 253/2008 Coll., generally for 10 years from the transaction or the termination of the business relationship.
Usage Analytics
3 years
Annex 1: Data Processing Agreement (DPA)
1. Subject Matter and Roles
This section governs the relationship between the User (Controller) and AML Proof s.r.o. (Processor). The Processor processes the personal data of identified persons in order to enable the Controller to fulfill their obligations under Act No. 253/2008 Coll.
2. Processor's Obligations
- Process data only on documented instructions from the Controller (including parameters set in the application).
- Ensure that persons authorized to process the data have committed themselves to confidentiality.
- Implement appropriate technical and organizational measures (encryption, local Gemma 4 AI models, secure hosting in the EU).
- Assist the Controller in fulfilling their obligation to respond to requests for exercising data subjects' rights.
3. Engagement of Sub-processors
The Controller grants general authorization to engage further processors (e.g., EU cloud infrastructure provider). The Processor will inform the Controller of any intended changes.
4. Security
The Processor guarantees that data does not leave the EU/EEA and Switzerland space. AI models are used without transferring data to third parties for training purposes.
5. Audit
The Processor will allow for and contribute to audits or inspections conducted by the Controller to demonstrate compliance with Article 28 of the GDPR.
6. Termination
Upon termination of the provision of services, the Processor will delete all personal data unless a legal obligation (especially Act No. 253/2008 Coll. regarding the 10-year archiving period) requires their further storage.
Questions About Your Privacy?
If you have questions about this privacy policy or how we handle your personal information, please contact our privacy team. A Data Protection Officer has not been appointed; data processing within a scope not requiring a DPO was assessed internally.
If you believe your personal data have been processed unlawfully, you also have the right to lodge a complaint with the Úřad pro ochranu osobních údajů (ÚOOÚ) or with your local supervisory authority within the European Economic Area.