Privacy

Privacy Policy

Effective Date: May 6, 2026

Checklynx, S.L., with NIF B22566111 ("Checklynx", "we", "us", or "our"), provides AML compliance solutions, including sanctions screening, politically exposed person (PEP) screening, customer screening workflows, API access, webhooks, case management, and related compliance tools.

This Privacy Policy explains how we collect, use, disclose, retain, and protect personal data when you visit checklynx.com, interact with our marketing or sales communications, request information, use our portal or API, or otherwise do business with us.

If you have questions about this Privacy Policy or our data practices, contact us at support@checklynx.com.

Our registered address is Amado Granell Mesado 65, esc3, p19.

1. Controller and processor roles

For website, marketing, account administration, billing, security, and customer relationship data, Checklynx generally acts as the data controller.

For personal data that a customer submits to the Checklynx platform for screening, case review, monitoring, API use, webhooks, CSV imports, or related compliance workflows, Checklynx generally acts as a data processor or service provider on behalf of that customer. In that context, the customer determines the purpose and lawful basis for using Checklynx and is responsible for providing any required notices and obtaining any required authorizations.

2. Personal data we collect

We collect different categories of personal data depending on how you interact with Checklynx.

Website visitors

When you visit the public marketing website at checklynx.com, we may collect:

• IP address;
• cookie identifiers and similar technology identifiers;
• pages viewed, links clicked, referrer URLs, campaign source, and navigation events;
• date, time, session duration, browser, device, operating system, language, time zone, and approximate location;
• cookie consent preferences.

Business contacts and prospects

When you contact us, request a demo, respond to outreach, subscribe to updates, or interact with our campaigns, we may collect:

• name and surname;
• business email address and phone number;
• job title, company, business sector, country, and professional profile information;
• the content of your messages and requests;
• meeting, campaign, lead source, and communication history;
• marketing preferences and unsubscribe status.

We may also receive professional contact information from public sources and B2B sales tools, including Apollo and Overloop.

Portal, API, and customer account users

When you use the Checklynx portal at app.checklynx.com, the API, or related authenticated services, we may collect:

• account data, such as name, email address, username, user ID, company name, role, permissions, and tenant or customer identifiers;
• authentication and authorization data, including Cognito login events, session information, access tokens, API key metadata, and security events;
• portal usage data, such as pages used, settings, actions taken, audit events, API requests, webhook configuration, case actions, and support interactions;
• billing, subscription, marketplace, and payment-related information;
• technical logs, error records, request metadata, IP addresses, timestamps, and device or browser information.

Screening and compliance data

Customers may submit or generate personal data through Checklynx for AML, sanctions, PEP, customer due diligence, monitoring, case management, and compliance review workflows. Depending on the customer configuration and use case, this may include:

• names, aliases, dates of birth, nationalities, countries of residence, addresses, identifiers, and customer reference IDs;
• company names, registration details, beneficial ownership or representative information;
• screening requests, screening runs, watchlist matches, risk indicators, results, evidence, case notes, review statuses, assignments, comments, attachments, and audit trail data;
• CSV import files, API payloads, webhook payloads, generated reports, and operational metadata.

Customers should not submit data that is unnecessary for the relevant compliance purpose.

For exploratory search in the dashboard search tab, we may use AI to help explain returned search results. We do not use AI for assessment, matching, summaries, case review, customer ongoing monitoring, transaction screening, or other compliance workflows.

Local storage

The portal may use browser local storage or similar client-side storage to maintain user preferences and session experience, such as display mode, language or locale, user email, username, user ID, company name, and related interface state.

The app.checklynx.com portal does not use Cookiebot cookies, Google tags, Google Analytics, Google Signals, Apollo, or Overloop. These website, analytics, attribution, and sales tools are not loaded in the authenticated portal.

You can manage or delete locally stored data through your browser settings. Logging out may clear some locally stored information.

3. How we use personal data

We use personal data to:

• operate, maintain, secure, and improve our website, portal, API, webhooks, and services;
• respond to inquiries, demo requests, support requests, and customer communications;
• create and administer accounts, tenants, users, roles, permissions, API keys, and access controls;
• provide sanctions, PEP, customer screening, monitoring, case management, reporting, webhook, and compliance workflows;
• process CSV imports, API requests, screening runs, reports, alerts, reviews, and audit trails;
• enrich adverse media checks using Google APIs where configured;
• manage billing, subscriptions, usage reporting, AWS Marketplace or Stripe-related workflows, and customer records;
• measure website performance, campaign attribution, and product interest;
• send relevant B2B marketing communications, product updates, resources, and event invitations;
• detect, prevent, and investigate fraud, misuse, unauthorized access, security incidents, service abuse, or unlawful activity;
• comply with legal, regulatory, accounting, tax, contractual, sanctions, AML, and recordkeeping obligations;
• enforce our agreements and protect our rights, customers, users, systems, and operations.

4. Legal bases

Where the GDPR, UK GDPR, or similar laws apply, we rely on the following legal bases:

• Consent: for non-essential cookies, certain analytics or marketing technologies, and communications where consent is required.
• Contract: where processing is necessary to provide the service, administer accounts, provide support, manage billing, or take steps requested before entering into a contract.
• Legitimate interests: for website security, service improvement, B2B prospecting, customer relationship management, analytics, fraud prevention, audit logging, and proportionate marketing, provided those interests are not overridden by your rights and freedoms.
• Legal obligation: where processing is necessary to comply with applicable laws, regulatory obligations, sanctions obligations, AML/KYC requirements, court orders, government requests, tax rules, or accounting obligations.

Where we process customer-submitted screening data as a processor, the customer is responsible for identifying the lawful basis for its own processing.

5. Cookies, Google tags, and analytics

This section applies to the public marketing website at checklynx.com. It does not apply to the authenticated app.checklynx.com portal.

On the public marketing website, we use cookies, tags, pixels, local storage, and similar technologies to operate the website, remember preferences, understand site usage, attribute campaigns, and improve our services.

We use Google Tag Manager with container GTM-KZBNRNWM to manage website tags. Depending on the active configuration and your consent choices, this may include Google Analytics, Google Signals, conversion measurement, advertising features, or related Google services.

Google Signals may allow Google Analytics to use aggregated data from signed-in Google users who have enabled Ads Personalization. This can support cross-device analytics, advertising reporting, conversion measurement, and remarketing features.

These technologies may process data such as IP address, cookie identifiers, page views, click events, browser and device information, approximate location, campaign source, and interactions with our website or marketing campaigns.

We use Cookiebot to manage cookie preferences. You can accept or reject cookie categories through the cookie banner or browser settings. Non-essential analytics, attribution, and marketing cookies are used only where we have a valid legal basis, including consent where required.

6. Apollo and Overloop

We use Apollo and Overloop for B2B prospecting, outreach, lead management, enrichment, campaign attribution, and sales operations. Apollo and Overloop are not used in the authenticated app.checklynx.com portal.

These services may process professional contact information such as name, business email address, phone number, job title, employer, location, professional profile information, lead source, campaign activity, email interactions, and attributed website visits.

We use these tools to identify relevant business contacts, avoid duplicate or irrelevant communications, manage outreach, measure campaign effectiveness, and keep records of business interactions. Our use is intended for professional and business-related contexts.

You can object to direct marketing at any time by using an unsubscribe link, replying to a message, or contacting us at support@checklynx.com.

7. Service providers and recipients

We may disclose personal data to:

• hosting, cloud infrastructure, security, storage, logging, monitoring, queueing, and backend service providers, including Amazon Web Services services used to operate Checklynx;
• authentication and account management services, including AWS Cognito;
• adverse media enrichment providers, including Google APIs where configured;
• public website analytics, tag management, cookie consent, sales, outreach, CRM, and attribution providers, including Google, Cookiebot, Apollo, and Overloop;
• billing, marketplace, and payment providers, including AWS Marketplace and Stripe where applicable;
• email and notification providers, including AWS SES where used for service emails or invitations;
• professional advisers, auditors, accountants, lawyers, insurers, and consultants;
• authorities, regulators, courts, law enforcement, or other parties where disclosure is required or permitted by law;
• customers, suppliers, partners, or integration recipients where necessary to provide the service, including customer-configured webhook endpoints;
• parties involved in a merger, acquisition, financing, restructuring, sale of assets, or similar business transaction.

We require service providers acting on our behalf to apply appropriate confidentiality, security, and data protection safeguards.

8. International transfers

Production customer and screening data is hosted in AWS Ireland. We may also process and store limited personal data in other countries where necessary to operate our website, marketing, support, billing, security, or service-provider workflows. Some providers may be located in, or may access data from, the United States or other jurisdictions outside the European Economic Area.

Where required by applicable law, we use appropriate transfer mechanisms such as adequacy decisions, the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, the EU-US Data Privacy Framework where applicable, or other lawful safeguards.

9. Data retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law.

Retention periods depend on the type of data and context, including:

• website and cookie data: retained according to cookie duration, consent settings, and analytics tool configuration;
• business contact and marketing data: retained while there is a reasonable business relationship or interest, unless you unsubscribe or object;
• account, portal, API, billing, and support data: retained while the customer relationship continues and for applicable legal, accounting, audit, security, or limitation periods;
• screening, case, audit trail, CSV import, webhook, and customer workflow data: retained according to customer instructions, contractual settings, operational needs, and applicable compliance or legal requirements;
• security logs and technical records: retained for the period needed to protect the service, investigate incidents, maintain auditability, and meet operational requirements;
• suppression records: retained as needed to honor unsubscribe, objection, and no-contact requests.

10. Security

We use administrative, technical, and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, disclosure, or destruction. These measures may include encryption, access controls, role-based permissions, logging, monitoring, backups, key management, vendor review, confidentiality obligations, and secure cloud infrastructure.

No method of transmission or storage is completely secure. If you believe your interaction with Checklynx is no longer secure, contact us immediately at support@checklynx.com.

11. Your privacy rights

Depending on your location and the applicable law, you may have the right to:

• access your personal data;
• correct inaccurate or incomplete data;
• request deletion of personal data;
• restrict or object to processing;
• object to direct marketing;
• withdraw consent where processing is based on consent;
• receive a portable copy of your data where applicable;
• lodge a complaint with a data protection authority.

To exercise your rights, contact support@checklynx.com. We may need to verify your identity before responding.

If your request relates to data submitted to Checklynx by one of our customers, we may direct you to that customer or assist the customer in responding, depending on our role and contractual obligations.

If you are in the European Economic Area, you may contact your local data protection authority. If you are in Spain, you may contact the Agencia Espanola de Proteccion de Datos. If you are in the United Kingdom, you may contact the Information Commissioner's Office.

12. Direct marketing

We may send B2B marketing communications about Checklynx, AML, sanctions, PEP, KYC, compliance resources, events, or related services.

You can opt out of marketing communications at any time by using the unsubscribe link in the message, replying to the message, or contacting support@checklynx.com. We may still send non-marketing messages, such as service, security, legal, billing, support, or transactional communications.

13. Children

Our website, portal, API, and services are intended for businesses and professional users. They are not directed to children, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will take appropriate steps.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be posted on this page with a new effective date. If changes are material, we may provide additional notice through the website, portal, email, or another appropriate channel.

If you have questions about this Privacy Policy or our data practices, contact us at support@checklynx.com.