Privacy Policy

Last updated: 27 March 2026

1. Who we are

Mithrandir ("we", "us", "our") provides a sanctions screening API service accessible at mithrandir.info. This policy explains what personal data we collect, why we collect it, and how we handle it in accordance with the UK GDPR and the Data Protection Act 2018.

For any privacy enquiries, please contact us at privacy@mithrandir.app.

2. Data we collect

We collect and process the following categories of data:

Account data

Name and email address provided when you register. Used to manage your account and send service communications.

API usage data

Records of each screening check including the queried name, any corroborating details submitted (date of birth, nationality, gender), the match result, confidence score, and timestamp. This data is retained for two years for audit purposes.

Billing data

Credit usage and transaction records. We do not store full payment card details - payments are processed by our third-party payment provider.

Technical data

IP addresses, browser type, and request logs collected automatically when you use the service. Used for security, fraud prevention, and service operation.

3. How we use your data

We process your data on the following legal bases:

  • Contract: to provide the screening service you have signed up for.
  • Legal obligation: to maintain audit records as required under AML/CTF regulations applicable to our business.
  • Legitimate interests: to improve the service, detect fraud, and ensure security of the platform.
  • Consent: for any marketing communications (you may opt out at any time).

4. Data about third parties

When you use Mithrandir to screen individuals, you are submitting personal data about those individuals (names, dates of birth, nationalities) to our service. You are the data controller for that data. We process it as your data processor solely to provide the screening result, and we do not use it for any other purpose. You are responsible for ensuring you have a lawful basis to submit that data for screening.

5. Data retention

Check records and audit logs are retained for two years by default, in line with standard AML/CTF record-keeping requirements. Account data is retained for the duration of your account and for up to 12 months after closure. You may request earlier deletion where no legal obligation prevents it.

6. Data transfers

Our database is hosted in the EU (Frankfurt, Germany) via Neon Inc. Our application is hosted via Netlify Inc. (US). Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses under UK GDPR Article 46.

7. Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request erasure of your data where no legal obligation prevents it.
  • Object to processing based on legitimate interests.
  • Request restriction of processing.
  • Data portability: receive your data in a machine-readable format.
  • Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, contact us at privacy@mithrandir.app. We will respond within 30 days.

8. Cookies

We use strictly necessary cookies only: a session authentication cookie to keep you signed in. We do not use analytics or advertising cookies. No cookie consent banner is required as we do not set non-essential cookies.

9. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via the email address on your account. The date at the top of this page reflects the most recent revision.