🛡️ GDPR Compliant Service
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable privacy laws.
1. Introduction
FATF Countries API ("we," "our," or "us") operates the fatf-countries.com website and provides API services for accessing FATF compliance data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By using our Service, you consent to the data practices described in this policy. If you do not agree with our policies and practices, please do not use our Service.
2. Data Controller Information
Data Controller Details
Company: FATF Countries API
Website: fatf-countries.com
Privacy Officer: contact@fatf-countries.com (subject: "Privacy")
Data Protection: contact@fatf-countries.com (mark subject as "Data Protection")
3. Information We Collect
3.1 Personal Information You Provide
We collect information you provide directly to us, including:
- Account Information: Name, email address, company name
- Authentication Data: Password (stored only as a one-way password hash; the plaintext password is never stored)
- Payment Information: Processed securely via Stripe (we don't store card details)
- Communication Data: Support tickets, emails, feedback
- Profile Information: API usage preferences, notification settings
3.2 Information Collected Automatically
When you use our Service, we automatically collect:
- API Usage Data: Endpoints accessed, request timestamps, response codes
- Log Data: IP address, browser type, operating system
- Device Information: Hardware model, unique device identifiers
- Analytics Data: Pages visited, time spent, referral source
3.3 Cookies and Tracking Technologies
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, session management | Session / 24 hours |
| Functional | User preferences, language settings | 1 year |
| Analytics | Usage patterns, service improvement | 2 years |
| Performance | Load times, error tracking | 30 days |
4. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
4.1 Contract Performance
- Providing API services you've subscribed to
- Processing payments and managing subscriptions
- Sending service-related communications
4.2 Legitimate Interests
- Improving and optimizing our Service
- Preventing fraud and ensuring security
- Analyzing usage patterns and trends
- Sending marketing communications (with opt-out)
4.3 Legal Obligations
- Complying with tax and accounting requirements
- Responding to legal requests and court orders
- Maintaining records as required by law
4.4 Consent
- Marketing communications (where required)
- Optional analytics and improvement programs
5. Your Rights Under GDPR
5.1 Right to Access
You can request a copy of all personal data we hold about you. We'll provide this within 30 days in a portable format.
5.2 Right to Rectification
You can correct any inaccurate or incomplete personal data through your account dashboard or by contacting us.
5.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data, subject to certain legal exceptions for record-keeping.
5.4 Right to Restrict Processing
You can request that we limit how we use your data in certain circumstances.
5.5 Right to Data Portability
You can receive your data in a structured, machine-readable format to transfer to another service.
5.6 Right to Object
You can object to:
- Processing based on legitimate interests
- Direct marketing communications
- Processing for research or statistical purposes
5.7 Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that significantly affect you.
To exercise any of these rights: Contact privacy@fatf-countries.com with your request. We'll respond within 30 days.
6. How We Use Your Information
We use the collected information for:
- Service Delivery: Providing API access and processing requests
- Account Management: Managing subscriptions and authentication
- Communication: Sending updates, alerts, and support messages
- Improvement: Analyzing usage to enhance our Service
- Security: Detecting and preventing fraud or abuse
- Legal Compliance: Meeting regulatory requirements
- Marketing: Sending promotional content (with consent)
7. Data Sharing and Disclosure
7.1 Service Providers
We share data with trusted third parties who assist us:
- Stripe: Payment processing (PCI DSS compliant)
- Dreamhost: Web hosting and SMTP email services
- Database: Local MySQL database (no external database services)
- Analytics: Currently no third-party analytics services are integrated
7.2 Legal Requirements
We may disclose information when required by:
- Court orders or subpoenas
- Government investigations
- Law enforcement requests with proper authority
7.3 Business Transfers
If we're involved in a merger, acquisition, or sale of assets, your information may be transferred with appropriate protections.
7.4 Your Consent
With your explicit consent for purposes not listed above.
⚠️ We Never Sell Your Data
We do not and will never sell, rent, or trade your personal information to third parties for their marketing purposes.
8. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption: TLS for data in transit, AES-256 for data at rest
- Access Controls: Role-based access, multi-factor authentication
- Security Audits: Regular vulnerability assessments
- Incident Response: documented breach notification process with a 72-hour notification commitment (see Section 16)
- Employee Training: Regular privacy and security training
- Data Minimization: Collecting only necessary information
9. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Data | Active account + 30 days | Service continuity |
| API Logs | 90 days | Security & debugging |
| Payment Records | 7 years | Legal requirement |
| Support Tickets | 2 years | Service improvement |
| Marketing Data | Until opt-out + 30 days | Suppression lists |
10. International Data Transfers
Your data may be transferred to and processed in countries outside the EEA. We ensure appropriate safeguards:
- Standard Contractual Clauses: EU-approved transfer mechanisms
- Adequacy Decisions: Transfers to countries with adequate protection
- EU-U.S. Data Privacy Framework: For US-based service providers certified under the Framework (the earlier EU-US Privacy Shield was invalidated by the Court of Justice of the EU in 2020 and is no longer a valid transfer mechanism)
11. Children's Privacy
Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn we've collected data from a child, we will delete it promptly.
12. California Privacy Rights (CCPA)
California residents have additional rights under CCPA:
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to opt-out of the sale of personal information
- Right to non-discrimination for exercising privacy rights
To exercise these rights: privacy@fatf-countries.com
13. Marketing Communications
13.1 Opt-In/Opt-Out
- Marketing emails require explicit consent
- Unsubscribe link in every marketing email
- Account dashboard preference center
- Email unsubscribe@fatf-countries.com
13.2 Service Communications
Essential service emails (account, security, legal) cannot be opted out of while maintaining an account.
14. Third-Party Links
Our Service may contain links to third-party websites. We're not responsible for their privacy practices. Please review their privacy policies before providing personal information.
15. Changes to This Policy
- We'll notify you of material changes 30 days in advance via email
- Minor changes may be made without notice
- Continued use after changes constitutes acceptance
- Previous versions available upon request
16. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms:
- We'll notify the competent supervisory authority within 72 hours of becoming aware of the breach, as GDPR Article 33 requires, and affected users without undue delay and within that same 72-hour window
- We'll provide details about the breach and its potential impact
- We'll outline steps taken to address the breach
- We'll provide recommendations for protecting your information
17. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe we're not complying with data protection laws. In the EU, you can contact your local data protection authority.
18. Contact Information
Privacy & Data Protection Contacts
All Privacy Inquiries: contact@fatf-countries.com
For privacy questions, GDPR requests, data protection concerns, security issues, or legal inquiries, please use the email above and specify the nature of your request in the subject line:
- GDPR Requests: Subject: "GDPR Request"
- Data Export: Subject: "Data Export Request"
- Data Deletion: Subject: "Account Deletion Request"
- Privacy Questions: Subject: "Privacy Inquiry"
- Security Issues: Subject: "Security Concern"
Response Time: We typically respond within 1-3 business days.
📋 How to Exercise Your Privacy Rights
To exercise your GDPR privacy rights, please email us with these subject lines:
- Download Your Data: Email "Data Export Request" with your account details
- Update Information: Email "Account Update Request" with the changes needed
- Delete Account: Email "Account Deletion Request" with confirmation
- Manage Cookies: Use the Cookie Settings in our website footer
- Stop Marketing Emails: Email "Unsubscribe Request" or use email footer links
We will process your requests within 30 days and confirm completion via email.
Our Privacy Commitment
We believe privacy is a fundamental right. We collect only what's necessary, protect it rigorously, and give you complete control over your data.