SanctionSnap – Privacy Policy
Last updated: 14 June 2025
SBM ehf. ("SanctionSnap", "we") respects your privacy and protects your data in line with the EU GDPR.
1. Scope
This policy covers data we collect when you visit our website, create an account, or call the SanctionSnap API.
2. Who we are
SBM ehf., kennitala 5401250580, Reykjavik, Iceland, is the data controller.
3. Data we collect
Category | Examples | Purpose |
---|---|---|
Account data | Email address, name (if provided) | Create and secure your account |
Billing data | Card details (held by Stripe), VAT number | Charge you and issue invoices |
Usage logs | API key, endpoint hit, IP address, timestamp, call cost | Rate‑limits, support, security |
Input data | Names or IDs you send to `/search` or `/screen` | Return matches to you only |
We do not keep cookies for advertising. Site cookies are only for login sessions.
4. Legal bases (GDPR Art. 6)
- Contract – to deliver the service you request.
- Legitimate interests – prevent abuse, improve reliability.
- Legal obligation – keep tax and accounting records.
5. How we share data
Recipient | Reason | Location |
---|---|---|
Clerk | Auth, session handling | USA |
Stripe | Billing and invoices | EU or USA (per Stripe's sub‑processors) |
Fly.io | Hosting of API and site | EU (primary region), fail‑over USA |
Lawful authorities | Only when required by law | Depends on request |
We never sell personal data.
6. Data retention
Data | Retention |
---|---|
Account | Until you delete it or 5 years after last activity |
Billing | 7 years (Icelandic accounting law) |
Usage logs | 12 months, then aggregated |
Input data | Deleted automatically after 30 days |
7. Security
We use TLS 1.3, access controls, and encrypted storage. Staff access is logged and limited.
8. International transfers
Where data moves outside the EEA (e.g., to Clerk or Stripe in the USA) we rely on EU‑approved SCCs and Stripe's BCRs.
9. Your rights
You may:
- Access your data
- Correct mistakes
- Delete data (where allowed by law)
- Object or restrict processing
- Port your data to another provider
Email privacy@sanctionsnap.com to exercise these rights. We reply within 30 days.
10. Complaints
You can lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd).
11. Changes
We will post any privacy changes on this page and, for major changes, email account holders 30 days before they apply.
12. Contact
SBM ehf. / SanctionSnap
Reykjavik, Iceland
privacy@sanctionsnap.com