AML Watcher LLC – Privacy Policy

Version 1 - w.e.f. November 30, 2023

Version 2 - w.e.f. 7 August 2025

Effective Date: 26 March 2026

1. Introduction

AML Watcher.com LLC, incorporated in Delaware, United States, together with its affiliated entities (“AML Watcher”, “we”, “us”, or “our”), provides compliance and risk management services globally.

In the course of providing these Services, AML Watcher processes Personal Data on behalf of its Clients, who act as Data Controllers and determine the purposes and means of processing. In this context, AML Watcher acts as a Data Processor and processes Personal Data in accordance with Client instructions.

AML Watcher may also process Personal Data as an independent Data Controller where necessary to operate, secure, and improve its services, including for analytics, fraud prevention, and product development, in accordance with applicable data protection laws.

This Privacy Policy explains how Personal Data is collected, used, disclosed, and protected when processed through AML Watcher’s platforms and services. It also describes the rights available to individuals whose Personal Data is processed in connection with those services.

This Policy applies to all Personal Data processed by AML Watcher in connection with its services, including data processed on behalf of Clients and data processed independently as a Controller. It is designed to comply with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR) and UK GDPR for data subjects in the European Economic Area (EEA) and United Kingdom, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) for California residents, and other relevant laws such as those in the UAE, Pakistan, or other jurisdictions where Clients or data subjects are located. Where conflicts arise between laws, AML Watcher will apply the strictest applicable standard to protect Personal Data.

2. Scope and Governing Law

This Privacy Policy governs the processing of Personal Data by AML Watcher across all its platforms, services, websites, and applications, regardless of the location of the data subject, Client, or end-user. It applies to Personal Data collected directly from individuals, from Clients, or from third-party sources in the course of providing AML compliance services.

The Policy is governed by the data protection laws applicable to the processing activities, determined by factors such as the location of data subjects, the territory of Clients, and the nature of data transfers. For EEA and UK data subjects, GDPR and UK GDPR apply in full. For California residents, CCPA/CPRA obligations are met where AML Watcher acts as a "business" or "service provider." For other jurisdictions, equivalent local laws (e.g., UAE Federal Decree-Law No. 45/2021 on Personal Data Protection) are observed. In cases of international transfers, safeguards such as Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework (if eligible), or Binding Corporate Rules (BCRs) are implemented as detailed in Section 8.

AML Watcher maintains a dedicated Data Protection Officer (DPO) to oversee compliance. The DPO can be contacted at dpo@amlwatcher.com for any inquiries related to this Policy or data protection matters.

While the privacy rights of Data Subjects are governed by their respective local and international laws (such as the GDPR or CCPA), any legal disputes, claims, or arbitration arising between AML Watcher and its Clients regarding this Privacy Policy shall be governed exclusively by the laws of the State of Delaware, USA, and resolved via binding arbitration as strictly detailed in our Terms & Conditions.

3. Role of AML Watcher

AML Watcher processes Personal Data in different capacities depending on the context of processing.

When providing services to its Clients, AML Watcher acts as a Data Processor, processing Personal Data solely on behalf of and in accordance with the documented instructions of its Clients, who act as Data Controllers. In this capacity, AML Watcher does not determine the purposes or means of processing. All processing activities are governed by Data Processing Agreements (DPAs) with Clients, incorporating requirements from GDPR Article 28, including confidentiality, security, and audit rights.

In limited circumstances, AML Watcher acts as an independent Data Controller, including where Personal Data is processed for service improvement, platform security, fraud prevention, internal analytics, and the development of proprietary technologies. In such cases, AML Watcher determines the purposes and means of processing in accordance with applicable law. Examples include aggregated analytics for model training or security logs for threat detection. Even as a Controller, AML Watcher minimizes data use and applies privacy-by-design principles.

4. Categories and Sources of Personal Data

AML Watcher processes Personal Data as necessary to deliver its services. The categories of data processed depend on the configuration selected by Clients and may include identification data such as names, dates of birth, and identification numbers; financial and transactional data; compliance-related data such as sanctions status, politically exposed person (PEP) indicators, and adverse media associations; and technical data such as IP addresses, device identifiers, and system interaction data.

To provide further transparency, the following detailed categories are processed where relevant:

  • Identity Data: Full names, aliases, dates of birth, nationality, gender, passport numbers, national ID numbers, driver's license details, and other government-issued identification.
  • Contact Data: Email addresses, phone numbers, postal addresses, and social media handles.
  • Financial Data: Bank account numbers (masked), transaction histories, wallet addresses (crypto), payment details, and credit scores where integrated.
  • Compliance Data: Sanctions/PEP/watchlist matches, adverse media reports, risk scores, beneficial ownership structures, and source-of-funds declarations.
  • Biometric Data: Facial images, templates derived from facial recognition (e.g., liveness detection scores), voice biometrics if enabled—processed only with Client authorization and explicit legal basis.
  • Technical and Usage Data: IP addresses, browser types, device IDs, operating systems, session logs, API call data, page views, and interaction timestamps.
  • Aggregated/Anonymized Data: Non-personal statistical outputs from analytics, which fall outside this Policy's scope once anonymized. 

Where identity verification services are used, AML Watcher may process biometric data derived from facial recognition technologies. Such processing is subject to enhanced safeguards and is performed only where permitted under applicable law, including explicit consent or substantial public interest for AML/CFT purposes. Biometric data is encrypted at rest and in transit, stored separately, and access-logged.

Personal Data processed by AML Watcher is obtained from multiple sources. These include data provided directly by Clients, publicly available sources such as government registers and official sanctions lists, licensed third-party data providers, blockchain analytics providers, and open-source intelligence, including global media publications. Clients upload data via secure APIs or portals; third-party sources are vetted for compliance (e.g., SOC 2 certified). 

5. Purposes of Processing

AML Watcher processes Personal Data primarily to enable its Clients to comply with legal and regulatory obligations relating to financial crime prevention. This includes customer due diligence, sanctions and watchlist screening, adverse media analysis, transaction monitoring, and risk assessment.

In addition, AML Watcher processes Personal Data to support crypto compliance use cases, including blockchain transaction analysis, wallet screening, and facilitating regulatory requirements such as Travel Rule data exchange between Virtual Asset Service Providers (VASPs). Specific examples include tracing crypto flows across chains, identifying mixer/tumbler usage, and generating Travel Rule-compliant reports.

Where AML Watcher acts as a Data Controller, Personal Data may also be processed to maintain and improve services, enhance detection models, ensure system security and integrity, prevent misuse, and perform internal analytics. All such processing is conducted in a manner that is proportionate and limited to what is necessary. For clarity, the table below maps key purposes to data categories and legal bases:

| Purpose | Data Categories | Legal Basis |
|---|---|---|
| Customer due diligence & screening | Identity, Financial, Compliance | Legal obligation (e.g., AML/CFT regs), Contract performance |
| Transaction monitoring | Financial, Technical | Legitimate interests (fraud prevention), Legal obligation |
| Blockchain analysis & Travel Rule | Financial, Wallet data | Contract (VASP obligations), Legal obligation |
| Service improvement & analytics | Technical, Usage (aggregated) | Legitimate interests (balanced assessment conducted) |
| Security & fraud prevention | All relevant | Legitimate interests, Vital interests if applicable |

6. Legal Basis for Processing

Where AML Watcher acts as a Data Controller, it relies on one or more lawful bases for processing Personal Data. These include compliance with legal obligations, particularly those relating to AML/CFT requirements; the performance of tasks carried out in the public interest, such as the detection and prevention of financial crime; and legitimate interests pursued by AML Watcher, including service improvement and system security, provided that such interests are not overridden by the rights and freedoms of individuals. Legitimate interests assessments (LIAs) are documented for each activity, weighing AML Watcher's needs against data subject rights (e.g., anonymization where possible).

Where special categories of Personal Data are processed, including biometric data, AML Watcher relies on explicit consent where required, or other lawful bases permitted under applicable law, including substantial public interest grounds related to financial crime prevention. Consent is obtained via granular, withdrawable mechanisms; for public interest, reliance is on GDPR Art. 9(2)(g) or equivalents.

7. Automated Processing and Profiling

AML Watcher employs advanced analytical systems, including artificial intelligence and machine learning models, to support the identification of financial crime risks. These systems analyse patterns across transactional data, sanctions lists, adverse media, and other relevant datasets to generate risk indicators and match scores. Models are trained on historical compliance data, with regular bias audits and explainability features (e.g., SHAP values for key decisions).

Such processing may involve profiling individuals for compliance risk purposes. However, AML Watcher does not make decisions that produce legal or similarly significant effects solely by automated means. Final decisions, including onboarding or account restrictions, are made by the Client acting as Data Controller. Risk scores are advisory, with thresholds configurable by Clients.

Where applicable, individuals have the right to request human intervention, express their views, and contest decisions affecting them. Requests are handled within 72 hours, involving senior compliance review. Transparency notices explain model logic at a high level (e.g., "Risk based on transaction velocity, geo-IP mismatch, PEP status").

8. Data Retention

AML Watcher retains Personal Data only for as long as necessary to fulfil the purposes for which it was processed, including compliance with legal, regulatory, and contractual obligations.

While regulatory frameworks may require data to be retained for up to 5 years for AML/CFT compliance, upon the termination of a Client Agreement, AML Watcher will retain Client Data for a maximum of six (6) months post-termination without incurring additional charges, after which it will be permanently deleted unless the Client provides specific written instructions or pays for extended retention, in accordance with our Terms & Conditions. Transaction logs: 7 years; biometrics: max 30 days post-verification unless legally required.

Where AML Watcher processes Personal Data as a Data Controller, retention periods are determined based on the nature of the data, the purpose of processing, and applicable legal requirements. Technical logs: 12 months; analytics data: anonymized after 24 months.

Upon expiration of applicable retention periods, Personal Data is securely deleted or irreversibly anonymised using industry-standard methods. Biometric data is subject to stricter retention controls and is deleted in accordance with applicable legal requirements. Deletion logs are maintained for audit. Clients can request early deletion subject to legal holds.

9. International Data Transfers

Given the global nature of its operations, AML Watcher may transfer Personal Data to jurisdictions outside the European Economic Area or the United Kingdom, including the United States and other countries in which it operates. Transfers occur for service delivery (e.g., US servers), sub-processor support, or group reporting.

Where such transfers occur, AML Watcher implements appropriate safeguards to ensure that Personal Data is protected in accordance with applicable data protection laws. These safeguards include the use of Standard Contractual Clauses, recognised data transfer mechanisms where applicable, and supplementary technical and organisational measures. UK extension to EU SCCs or IDTA/Addendum used for UK adequacy. If eligible, EU-US Data Privacy Framework (DPF) self-certification applies.

AML Watcher conducts transfer risk assessments where required to evaluate and mitigate risks associated with cross-border data transfers. Transfer Impact Assessments (TIAs) are performed annually or on changes, documented per Schrems II. Data is stored primarily in US (AWS/GCP with EU options), UAE, or Client-specified regions.

10. Data Security

AML Watcher maintains a comprehensive information security program designed to protect Personal Data against unauthorised access, disclosure, alteration, and destruction.

This includes the use of encryption, pseudonymisation, role-based access controls, continuous system monitoring, and incident response procedures. Security measures are regularly reviewed and updated to address evolving risks and industry standards. Specifics: Data transmitted over Secure Sockets Layer (SSL), stored in SSAE compliant/ISO certified data centers, encrypted using AES 256-bit or SHA-256 cryptographic hash algorithms, with TLS encryption employed for data in transit; MFA for all access; SIEM tools (e.g., Splunk); annual pentests; ISO 27001/SOC 2 Type II certified; DPIAs for high-risk processing.

11. Sharing and Disclosure of Personal Data

AML Watcher may disclose Personal Data to trusted third-party service providers that support the delivery of its services. These sub-processors are contractually bound to implement appropriate safeguards and to process Personal Data only on documented instructions.

AML Watcher is not responsible for any data breaches, security incidents, privacy violations, or other liabilities arising from Third-Party Services (including but not limited to Client-selected integrations, APIs, plugins, widgets, or external platforms) that Clients choose to connect or integrate with AML Watcher Cloud Services. 

Clients assume full responsibility for:

  • Security and privacy compliance of their chosen Third-Party Services
  • Any data breaches originating from Third-Party Services
  • Contractual arrangements and liability limitations with their Third-Party providers.

Personal Data may also be disclosed to competent public authorities where required by applicable law, regulation, or legal process. Disclosures to authorities (e.g., FinCEN SARs) are logged and minimized.

12. Cookies and Similar Technologies

AML Watcher uses cookies, pixels, SDKs, and similar technologies on its websites and platforms to enhance functionality, analytics, and security.

  • Essential Cookies: Strictly necessary for site operation (e.g., session management); no consent required.
  • Analytics Cookies: Track usage (e.g., Google Analytics, anonymized IPs); legitimate interests basis.
  • Functional/Advertising: Personalization or retargeting; consent-based via banner.

Users can manage preferences via the [Cookie Settings] tool. Full details are in our Cookie Policy at https://amlwatcher.com/privacy-policy/#aml-cookies-policy.

13. Children’s Privacy

AML Watcher does not knowingly collect Personal Data directly from children. However, in the course of providing services to its Clients, AML Watcher may process Personal Data relating to minors where this is necessary for compliance with legal or regulatory obligations. Responsibility for ensuring lawful collection and appropriate safeguards in such cases rests with the Client acting as Data Controller. Age verification gates are recommended for Clients; processing minors' data triggers enhanced DPIAs.

14. Your Rights

Subject to applicable data protection laws, individuals have rights in relation to their Personal Data. These may include the right to access, correct, or delete Personal Data; to restrict or object to processing; to request data portability; and to withdraw consent where processing is based on consent.

Individuals also have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

Requests to exercise these rights may be submitted using the contact details below. Where AML Watcher acts as a Data Processor, such requests may be redirected to the relevant Client acting as Data Controller. We respond within one month (extendable by two months for complexity), free of charge unless manifestly unfounded/excessive (reasonable fee applies). Verification (e.g., ID copy) may be required. Use our web form at https://amlwatcher.com/contact-us/. For EU/UK: ICO (ico.org.uk), CNIL (cnil.fr), etc.; lodge complaints post-internal review.

15. Third-Party Links

AML Watcher platforms may contain links to third-party sites (e.g., sanctions lists, Client portals). We disclaim liability for their privacy practices—review their policies separately. Embeds (e.g., maps) do not share Personal Data without consent.

16. Data Breaches

In the event of a Personal Data Breach, AML Watcher will respond in accordance with applicable legal requirements. This includes notifying affected Clients without undue delay and cooperating with them to meet regulatory obligations, including notification to supervisory authorities where required.

17. Glossary of Key Terms

  • Personal Data: Any information relating to an identified or identifiable natural person (GDPR Art. 4).
  • Client: Entity acting as Data Controller using our services.
  • Services: AML compliance platforms for screening, monitoring, etc.
  • Processing: Any operation on Personal Data (collect, store, analyze, etc.).

18. Updates to this Policy

AML Watcher may update this Privacy Policy from time to time to reflect changes in legal requirements, regulatory guidance, or business practices. Any updates will be published with a revised effective date. Material changes (e.g., new purposes) trigger platform notices to Clients/users; continued use post-30 days implies acceptance. Historical versions archived on request.

19. Contact Information

For questions about this Privacy Policy or to exercise your rights, please contact:

General Inquiries: info@amlwatcher.com
Legal & Privacy: legal@amlwatcher.com
Data Protection Officer: dpo@amlwatcher.com
Website: https://amlwatcher.com/contact-us/