Privacy policy
Last updated: 30 June 2026
The amisanctioned platform at amisanctioned.com (the "Service") is operated by Prime Calibre Limited (Hong Kong), which owns and runs the platform, its technology, and its data infrastructure. Subscriptions are sold by Prime Calibre Pty Ltd (ABN 76 678 167 407, Australia), which is your contracting party and the data processor for your account information. Prime Calibre Limited processes your data as a sub-processor in the course of delivering the Service. This policy describes how we collect, use, and protect your personal information.
1. Information we collect
Account information. When you create an account, we collect your name, email address, and (for team plans) the email addresses of members you invite. Payment is processed by Stripe — we do not store card numbers.
Usage data. We log the searches you run, the entities you view or add to a watchlist, the endpoints you access, and timestamps. This is used for service delivery, abuse prevention, and usage limits.
Visitor logs. Standard web-server logs (IP address, user agent, request URL, timestamp) are kept for security, abuse prevention, and rate limiting.
Cookies and sessions. We use a session cookie strictly necessary to keep you logged in. The public site uses no tracking cookies and no advertising pixels. We use Cloudflare Web Analytics, which does not set cookies and does not fingerprint visitors.
2. Sanctioned-entity and PEP data we process
The Service processes names, dates of birth, places of birth, nationalities, addresses, identifiers (passport, IMO, MMSI, registration number) and related fields, as published by the originating sanctions authorities (OFAC, UN, EU, UK OFSI and the other national lists shown on the sources page), and politically-exposed-person (PEP) records sourced from public-office data. All of this data is already public on the authorities' own websites and public registers; we re-publish it for ease of search.
3. Lawful basis (GDPR / UK GDPR)
Our lawful basis for processing personal data appearing in sanctions designations and PEP records is legitimate interests (Article 6(1)(f)): the prevention of financial crime, compliance with international sanctions regimes, and providing a public reference tool. The data subjects' interests in privacy are heavily outweighed by the public interest in sanctions transparency, the data is sourced from official government registers in the public domain, and we provide a takedown / correction mechanism at /corrections.
For account holders, our lawful basis is contract performance (delivering the service you signed up for) and legitimate interests (security and abuse prevention).
4. How we use your information
- Provide, maintain, and improve the Service
- Authenticate your identity and manage your account
- Send transactional emails (login codes, watchlist alerts, digests)
- Monitor for abuse and enforce our Terms of Service
- Respond to support and correction requests
We do not sell your personal information. We do not use your data for advertising.
5. Data sharing and sub-processors
We share personal data only with the following parties, each of which processes data solely for the purpose of delivering the Service:
- Prime Calibre Limited (Hong Kong) — platform operation, data processing, and infrastructure management as sub-processor
- Railway (Singapore) — application hosting and database
- Cloudflare (global edge network) — CDN, DNS, analytics, and DDoS protection
- Stripe (Australia / US) — payment processing
- Resend (US) — transactional email delivery
We do not share your search activity or watchlist with any other third party. Data may be transferred outside the EEA / UK to these providers under Standard Contractual Clauses or equivalent safeguards.
6. Data residency
Your data is hosted on infrastructure in Singapore (via Railway) and served globally via Cloudflare's edge network. Platform operations are managed by Prime Calibre Limited in Hong Kong. Payment processing is handled by Stripe in Australia and the United States.
7. Data retention
- Account data (name, email) — retained while your account is active. Deleted within 30 days of account termination.
- Usage and search history (searches run, entities viewed, watchlist, timestamps) — retained for 12 months from creation for abuse prevention and audit purposes, then deleted.
- Visitor logs (IP address, user agent, request URL) — retained for 30 days, then deleted.
- Session data (tokens) — retained for the duration of the session plus 30 days, then deleted.
- Payment data — processed and retained by Stripe per their retention policy. We do not store card details.
8. Security
All data is transmitted over TLS 1.2+. Session tokens are cryptographically generated. We use parameterised database queries to prevent injection attacks. Security headers (HSTS, X-Content-Type-Options, X-Frame-Options) are enforced on all responses.
9. Your rights
Subject to applicable law, you may exercise the following rights at any time by emailing [email protected]:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your personal data
- Data portability — request your data in a structured, machine-readable format
- Restriction — request that we limit processing of your data
- Objection — object to processing of your data
Note on sanctioned-entity and PEP records. If the only entry concerning you on this site is a re-publication of an active sanctions designation or a public-office PEP record, we are unable to erase it without first establishing that the underlying designation or public record has been removed at source. We will, however, correct any factual error (wrong DOB, wrong nationality, misidentified individual) on request — see /corrections. We will respond to rights requests within one month.
10. Complaints
If you are in the UK/EU/EEA, you have additional rights under GDPR. If you believe we have not handled your data lawfully, you may complain to your national supervisory authority (e.g. the UK Information Commissioner's Office). A Data Processing Agreement is available to business customers on request — email [email protected]. We would appreciate the opportunity to address your concerns first.
11. Changes
We may update this policy from time to time. We will notify registered users of material changes by email at least 14 days before they take effect.
12. Contact
For privacy questions: [email protected]. Corrections: /corrections.