Privacy policy
This Privacy Policy explains how JDG ALEXSOFT Alexander Kolesnikov ("Sanqto", "we") processes personal data in connection with delivering the Sanqto application and operating the website sanqto.com.
Data controller
- The data controller is JDG ALEXSOFT Alexander Kolesnikov, registered office at 55-100 Brochocin 16/2, NIP 9521934827, REGON 526448288 (the "Controller").
- You can reach the Controller at:
  - email: contact@sanqto.com,
  - for matters related to personal data: privacy@sanqto.com,
  - postal mail: at the registered office above.
On-premise architecture — who this policy covers
The Sanqto application runs fully locally on the customer's premises. That means:
- the customer installs the application on their own hardware (computer, workstation, server in the customer's premises);
- data of natural persons screened in the application (first names, last names, tax IDs, dates of birth, ultimate beneficial owners and so on) are processed locally only, on the customer's side;
- this data is never copied, transferred, or otherwise made available to Sanqto — there is no "Sanqto cloud" that would receive it;
- communication between the application and Sanqto's servers is one-way: Sanqto server → customer application. Only application updates and the Reference Lists (public sanctions lists) are pulled, as digitally signed files.
Consequently, in respect of customer data screened in the application:
- the data controller is the customer (the business installing the application) — they decide on the purposes and means of processing,
- Sanqto is not a processor within the meaning of GDPR Art. 28 — it has no access to the data and provides no processing service in respect of it,
- no data-processing agreement between the customer and Sanqto is required,
- no transfer to third countries within the meaning of GDPR Art. 44 takes place.
This Privacy Policy covers only the personal data Sanqto actually processes, described in the sections below.
Purposes, legal bases and data categories
Sanqto processes personal data for the following purposes:
- Concluding and performing the contract with a customer (B2B).
  - Categories of data: contact-person first and last name, work email, work phone, role, company details (name, tax ID, registered address).
  - Legal basis: GDPR Art. 6(1)(b) (performance of a contract) — for natural persons running a sole proprietorship or Consumers; GDPR Art. 6(1)(f) (legitimate interest — contact with persons representing a corporate customer).
  - Retention: the term of the contract plus the limitation period for claims (3 years for business-related claims; 6 years for the rest — Art. 118 of the Polish Civil Code).
- Issuing and archiving invoices.
  - Categories: company details, tax ID, registered address, amounts.
  - Legal basis: GDPR Art. 6(1)(c) (legal obligation — tax law, in particular the Polish Accounting Act and the VAT Act).
  - Retention: 5 years from the end of the financial year in which the invoice was issued (Art. 70 §1 of the Polish Tax Ordinance).
- Handling enquiries via the contact form and email correspondence.
  - Categories: first name, last name, email, company tax ID, industry, content of the enquiry.
  - Legal basis: GDPR Art. 6(1)(f) (legitimate interest — answering an enquiry).
  - Retention: 12 months from last contact, unless the enquiry leads to a contract.
- Direct marketing of our own services (newsletter, information about new features).
  - Categories: email, first name.
  - Legal basis: GDPR Art. 6(1)(f) (legitimate interest) and, where required, Art. 10 of the Polish Act on the provision of services by electronic means and Art. 172 of the Polish Telecommunications Act — consent of the data subject.
  - Retention: until consent is withdrawn or an objection is filed.
- Handling complaints and asserting/defending claims.
  - Legal basis: GDPR Art. 6(1)(b) and (f).
  - Retention: until the limitation period for claims expires.
- Site analytics and application telemetry on the customer's side (technical telemetry — within the scope described in §4 and the Cookie Policy only).
  - Legal basis: GDPR Art. 6(1)(f) (legitimate interest in maintaining and improving product quality) and, for cookies, the user's consent.
  - Retention: per the cookie configuration (see Cookie Policy).
Application telemetry
The Sanqto application sends only non-personal technical data to Sanqto's servers, needed to maintain the licence and product quality:
- licence identifier (UUID, contains no personal data),
- application version and operating system (e.g. "Windows 11", "macOS 14"),
- state of Reference List updates (last sync date),
- aggregated usage statistics (number of checks per day/week — without the content of screened data).
Telemetry does not include data of natural persons screened in the application — no first name, last name, customer's tax ID, report content, or identifier of the screened entity ever leaves the customer's network.
Telemetry can be disabled in application settings on the Enterprise tier.
Recipients of data
Personal data may be shared with the following categories of recipients:
- email providers and IT infrastructure providers operating Sanqto's servers (hosting in the EU/EEA; providers will be listed in detail in the Controller's Records of Processing Activities),
- payment processors (where the customer pays online),
- Sanqto's accounting firm,
- Sanqto's legal counsel — to the extent needed to assert or defend claims,
- competent public authorities — only where mandated by law.
Sanqto does not sell personal data to third parties and does not share it with third parties for marketing purposes.
Transfers to third countries
- Personal data processed by Sanqto is stored on servers within the European Economic Area (EEA).
- To the extent Sanqto uses IT providers that may be established outside the EEA (e.g. a CDN provider), we put adequate safeguards in place — Standard Contractual Clauses approved by the European Commission (GDPR Art. 46(2)(c)) or the Data Privacy Framework.
- For data of customers screened in the application — given the on-premise model — GDPR Art. 44 does not apply, because that data does not leave the customer's network.
Rights of data subjects
Every data subject whose data Sanqto processes has the following rights:
- right of access to their data (GDPR Art. 15),
- right to rectification (GDPR Art. 16),
- right to erasure — "right to be forgotten" (GDPR Art. 17),
- right to restriction of processing (GDPR Art. 18),
- right to data portability (GDPR Art. 20),
- right to object to processing based on legitimate interest (GDPR Art. 21),
- right to withdraw consent at any time (GDPR Art. 7(3)) — for processing based on consent, without affecting the lawfulness of processing carried out before withdrawal,
- right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl).
To exercise the above rights, write to privacy@sanqto.com. Sanqto responds within 1 month of receiving the request (extendable by a further 2 months for complex requests — GDPR Art. 12(3)).
Data security
- Sanqto applies technical and organisational security measures appropriate to the risk, in particular:
  - encryption in transit (TLS 1.3) and at rest,
  - digital signing of application updates and Reference List packages,
  - least-privilege access control,
  - regular backups and restore tests,
  - data-protection and cybersecurity training for the team,
  - periodic security audits.
- Sanqto maintains an incident register under an internal response procedure. In the event of a personal-data breach posing high risk to data subjects, Sanqto notifies the supervisory authority within 72 hours (GDPR Art. 33) and the affected data subjects (GDPR Art. 34).
Automated decision-making and profiling
- Sanqto does not make decisions producing legal effects on data subjects (or similarly significant effects) based solely on automated processing (GDPR Art. 22).
- In particular, the result of a screening run in the application (e.g. "hit" or "no match") supports the customer's decision — the final assessment, including whether to refuse a service, always rests with the customer and involves a human.
Cookies
The website sanqto.com uses cookies. See the separate Cookie Policy.
Changes to this Privacy Policy
- Sanqto may amend this Policy when laws change, when our processing practices change, or when new application or website functionality is introduced.
- For material changes we notify the customer's contact person by email and post a highlighted notice on the website, at least 14 days before the changes take effect.
- The current version is in force from 3 May 2026.