Legal
Privacy Notice
Last updated: May 2026 · Parrot Systems Ltd · hello@aml.business
1. Who We Are
This privacy notice explains how Parrot Systems Ltd collects, uses, and protects personal data when you use AML Checker, our AML risk scanning and SAR filing tool, available at aml.business.
Parrot Systems Ltd is the data controller for the purposes of UK GDPR and the Data Protection Act 2018.
Questions about this notice: hello@aml.business
2. What Data We Collect
AML Scan (Standard - £10)
- The name or entity name you enter for screening
- Your email address (collected by Stripe at payment and used to deliver your access token)
- Payment information (processed directly by Stripe - we do not store card details)
AML + SAR Report (Premium - £15)
- All of the above
- Identity documents you upload (e.g. passport scans) - special category biometric data under UK GDPR Article 9
- Financial documents you upload (e.g. bank statements)
3. How We Use Your Data
- To perform AML risk screening against publicly available OSINT sources
- To generate a Suspicious Activity Report (SAR) narrative based on submitted information and documents
- To process your payment and deliver your access token via email
- To manage your access credits and prevent misuse of the service
4. Legal Basis for Processing
- Contract (Article 6(1)(b)): Processing your name, email, and payment information is necessary to provide the service you have purchased.
- Legitimate interests (Article 6(1)(f)): Running OSINT queries against publicly available information to generate risk assessments is necessary for the functioning of the tool.
- Special category data (Article 9): For passports and biometric data, we rely on explicit consent given when you voluntarily upload documents to the SAR tool. You are not required to upload documents - the SAR tool functions without them.
5. How Your Data Flows Through AML Checker
| System | Role | Retention |
| --- | --- | --- |
| Your browser | Documents and names submitted directly from your browser | Session only |
| Cloudflare Workers | Validates your token, manages rate limits, forwards data to Anthropic. Does not retain document content. | None |
| Anthropic API | Processes your submitted name and uploaded documents to perform OSINT searches and generate the compliance narrative. Does not use commercial API data for model training. | Up to 30 days |
| Cloudflare KV | Stores only your access token, credit balance, and email address. No scan results or document content stored. | Active account |
| Resend | Sends your access token to the email address provided at payment. No document content transmitted. | Email delivery only |
| Stripe | Processes your payment and provides your email to us for token delivery. Governed by Stripe's own privacy policy. | Per Stripe policy |
6. Data Retention
- Scan results and SAR outputs: Not stored by Parrot Systems Ltd. You must save your results yourself.
- Uploaded documents: Not stored by Parrot Systems Ltd. Transmitted transiently to Anthropic's API and not retained on our systems.
- Anthropic API logs: Retained by Anthropic for up to 30 days before automatic deletion. We have requested a reduction in this retention period.
- Access tokens and email addresses: Stored in Cloudflare KV for as long as your account remains active. Contact us at hello@aml.business to request deletion.
- SAR records (reference numbers only): Retained in Cloudflare KV for 90 days for audit trail purposes, in accordance with MLR 2017 obligations.
7. Third-Party Data Processors
| Processor | Purpose | Location |
| --- | --- | --- |
| Anthropic | AI model and web search processing. API logs retained up to 30 days. | USA |
| Cloudflare | Serverless infrastructure and token storage. Subject to Cloudflare's Data Processing Addendum. | USA/EU |
| Stripe | Payment processing. Subject to Stripe's Data Processing Agreement. | USA/EU |
| Resend | Transactional email delivery. Processes your email address only. | USA |
Data may be transferred outside the UK/EEA to the United States. These transfers are made under standard contractual clauses or equivalent adequacy mechanisms.
8. Your Rights
- Access: Request a copy of the personal data we hold about you.
- Erasure: Request deletion of your personal data, subject to legal obligations.
- Rectification: Request correction of inaccurate data.
- Restriction: Request that we limit how we use your data.
- Object: Object to processing based on legitimate interests.
- Portability: Receive your data in a portable format where applicable.
To exercise any of these rights, contact us at hello@aml.business. We will respond within one calendar month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
9. Changes to This Notice
We may update this privacy notice from time to time. The current version will always be available at aml.business/privacy. Material changes will be communicated to active users by email.