1. Introduction
Okanewatch LTD ("we", "us", "our") is the data controller of personal data collected through AMLRegister (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, with whom we share it, how long we retain it, and the rights you have in relation to it.
Our registered office is at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom, and we are registered with the UK Information Commissioner's Office (ICO). If you have any questions about this Policy or about how we process your personal data, you can contact our Data Protection Office at dpo@amlregister.com or write to Okanewatch Data Protection Office at the address above.
We take your privacy seriously. We process the minimum amount of personal data necessary to provide the Service, we do not sell personal data, and we apply appropriate technical and organisational measures to keep personal data secure. This Policy should be read together with our Cookie Policy and our Data Processing Agreement where applicable.
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. The current version will always be available on our website, with an updated "Effective" date. Material changes will be notified to you through a prominent notice on the Service.
2. Personal Data We Collect
When you use the Service, we may collect the following categories of personal data: (a) technical data including your IP address, browser type, device identifiers, operating system, and the referring URL; (b) usage data including the wallet addresses you submit for screening, the reports you download, the pages you visit, and timestamps; (c) if you create an account, account data including your email address, a hashed password, account role, and preferences; and (d) if you purchase a paid plan, limited payment-related metadata such as a subscription identifier and invoice reference — we do not store full payment card details on our systems.
Wallet addresses are public blockchain data and are not, in most cases, considered personal data because they are not ordinarily linked to an identified individual. However, in certain circumstances — for example, where an address has been publicly attributed to a named individual — it can constitute personal data. We treat wallet addresses with appropriate care and do not use them to re-identify individuals beyond what is required to provide the Service.
We may also collect personal data you voluntarily provide when you contact us, for example by submitting a contact form, responding to a survey, or subscribing to our insights newsletter. This data typically includes your name, email address, and the content of your message.
We do not intentionally collect special categories of personal data (such as health data, biometric data, or data revealing racial origin, political opinions, or religious beliefs). Please do not submit such information through the Service.
3. How We Use Personal Data
We use personal data to provide, operate, and improve the Service. Specifically, we use it to: (a) process wallet screening requests and generate risk reports; (b) authenticate users and secure accounts; (c) enforce rate limits and prevent abuse; (d) generate aggregate statistics about Service usage, such as total checks per chain; (e) respond to customer enquiries and provide support; (f) communicate service announcements, invoices, and (with your consent) marketing messages; and (g) comply with legal and regulatory obligations, including our own AML obligations where applicable.
Where our internal systems process your data, we maintain audit logs of relevant system events for integrity and compliance purposes. Access to these logs is restricted to authorised compliance staff.
We do not use personal data for automated decision-making that produces legal or similarly significant effects on you without human review. The risk score produced by the Service is advisory and is not itself an automated decision within the meaning of Article 22 UK GDPR.
We may use anonymised or aggregated data — which cannot reasonably be used to identify you — for analytics, research, product development, and public reporting. Aggregated data is not subject to this Privacy Policy.
4. Legal Bases for Processing
Under the UK GDPR and EU GDPR, we must have a valid legal basis for each processing activity. Our primary bases are: (a) performance of a contract — where processing is necessary to provide the Service you have requested; (b) legitimate interests — where processing is necessary for our legitimate business interests (such as securing the Service, preventing fraud, improving our product) and those interests are not overridden by your rights and freedoms; (c) consent — where we have asked for and you have given consent (for example, for non-essential cookies or marketing emails); and (d) legal obligation — where processing is necessary to comply with a legal obligation to which we are subject.
Where we rely on legitimate interests, we have conducted a balancing assessment to confirm that our interests do not override your fundamental rights. You have the right to object to such processing — see section 7 of this Policy on your rights.
Where we rely on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
Where processing is required by law, we will process the data only for the purposes and duration specified by that law. We will inform you of such processing where we are permitted to do so.
5. Sharing and Disclosure
We share personal data only where necessary and with appropriate safeguards. Categories of recipients include: (a) service providers who process data on our behalf under written contracts (such as our hosting provider Render, blockchain data providers, and email service providers); (b) professional advisers such as lawyers, auditors, and insurers where necessary for the establishment, exercise, or defence of legal claims; (c) regulators, law enforcement, and courts where required by law or necessary to protect vital interests; and (d) acquirers or successors in the context of a merger, acquisition, or corporate reorganisation.
We do not sell personal data to third parties. We do not share wallet check data with other users. Aggregated, anonymised statistics may be published as part of transparency reports or marketing materials.
Where we transfer personal data to a country outside the United Kingdom or European Economic Area that has not been designated as providing adequate protection, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or your explicit consent. Copies of the transfer mechanism can be requested by contacting our Data Protection Office.
A list of our key sub-processors is maintained and made available on request to enterprise customers under our Data Processing Agreement. We update this list as our processing arrangements change.
6. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Specific retention periods include: (a) wallet check records — thirty (30) days by default, then deleted by an automated nightly cleanup process, unless the check is saved to a customer compliance file; (b) rate-limit records — twenty-four (24) hours; (c) account data — for the life of the account plus seven (7) years for financial records; (d) authentication session tokens — thirty (30) days or until logout; (e) internal audit and compliance logs — seven (7) years.
We may retain anonymised data (which can no longer be linked to an individual) indefinitely for analytical purposes. Anonymisation is irreversible and does not fall within the scope of this Privacy Policy.
When retention periods expire, personal data is permanently deleted or irreversibly anonymised. We operate automated retention jobs to ensure deletion occurs on schedule and we keep records of these deletions for audit purposes.
If you request deletion of your personal data before the expiry of the retention period, we will comply unless we are legally required to retain it or have an overriding legitimate interest in doing so, in which case we will inform you of the reason and the remaining retention period.
7. Your Rights
Subject to certain exceptions, you have the following rights in relation to your personal data: (a) the right of access — to obtain confirmation that we process your data and a copy of that data; (b) the right to rectification — to have inaccurate data corrected and incomplete data completed; (c) the right to erasure — to have your data deleted in specified circumstances; (d) the right to restriction — to have processing of your data limited in specified circumstances; (e) the right to data portability — to receive your data in a structured, commonly used, machine-readable format and transmit it to another controller; (f) the right to object — to object to processing carried out on the basis of our legitimate interests or for direct marketing; and (g) rights related to automated decision-making — not to be subject to a decision based solely on automated processing.
To exercise these rights, please contact us at dpo@amlregister.com. We will respond to your request within one month, extendable by two further months where the request is complex. There is no fee unless your request is manifestly unfounded or excessive.
You have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for Okanewatch LTD is the UK Information Commissioner's Office (ICO, ico.org.uk). If you are located in the European Economic Area, you may also complain to your local supervisory authority.
If you have any concerns about how we process your personal data, we encourage you to contact our Data Protection Office first — we are committed to resolving issues quickly and will do our best to address your concerns.
8. Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures include encryption in transit (TLS 1.2 or higher), encryption at rest for sensitive fields, access controls based on the principle of least privilege, multi-factor authentication for privileged access, audit logging, regular security reviews, and staff training on privacy and security.
No system is perfectly secure. While we work hard to protect your personal data, we cannot guarantee absolute security of information transmitted to or stored by us. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where the risk is high, we will notify you directly.
You have an important role in keeping your account secure. Please choose a strong password, do not reuse passwords across services, enable multi-factor authentication if available, and contact us immediately if you suspect your account has been compromised.
Our security practices are reviewed regularly by our internal security team and, for enterprise customers, are described in more detail in our Security and Compliance documentation available on request.
9. Children
The Service is not directed to children under the age of 16, and we do not knowingly collect personal data from children. If you are under 16, please do not provide any personal data through the Service. If we become aware that we have collected personal data from a child without parental consent, we will take reasonable steps to delete that data promptly.
If you are a parent or guardian and believe your child has provided personal data to us, please contact us at dpo@amlregister.com so we can investigate and take appropriate action.
10. International Transfers
Okanewatch LTD is based in the United Kingdom, but our service providers and staff may be located in other countries. Where personal data is transferred outside the UK or European Economic Area to a country not designated as providing adequate protection, we apply one of the following safeguards: (a) the UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses; (b) the EU Standard Contractual Clauses; (c) binding corporate rules; or (d) your explicit consent where appropriate.
The majority of our processing takes place within the UK and the European Economic Area, where our primary hosting and sub-processors are located. Where transfers to third countries occur (for example, certain analytics or support tooling), these transfers are subject to the safeguards described above.
Enterprise customers may request a copy of the applicable transfer mechanisms and a list of third-country sub-processors by contacting dpo@amlregister.com. We are committed to transparency about our data flows.
11. Cookies and Tracking
We use cookies and similar technologies on the Service. Strictly necessary cookies (such as session tokens, CSRF tokens, and rate-limit identifiers) are used to provide core functionality and do not require consent. Analytics cookies and marketing cookies are only used with your consent, which can be granted or withdrawn at any time via the cookie banner and settings.
For a detailed description of the cookies we use, their purposes, and retention periods, please see our Cookie Policy. Your choices about cookies do not affect your ability to use the core wallet-check features of the Service.
12. Changes to this Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through a prominent notice on the Service or by email (where we have your contact details), in each case at least thirty (30) days before the changes take effect, unless a shorter notice period is required by law.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after a change takes effect constitutes acceptance of the revised Policy. If you do not agree to the revised Policy, you should stop using the Service and, if applicable, close your account.
Archived versions of this Policy are available on request from dpo@amlregister.com for transparency.
13. Contact
If you have any questions, comments, or complaints about this Privacy Policy or our processing of your personal data, please contact us: by email at dpo@amlregister.com; by post to Okanewatch Data Protection Office, Okanewatch LTD, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. We will do our best to resolve any concerns promptly and fairly.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk, 0303 123 1113), or with your local supervisory authority if you are based in the European Economic Area.
Contact our compliance team at compliance@amlregister.com or our Data Protection Office at dpo@amlregister.com.