Legal

Privacy Policy

Last updated: 1 June 2026

🔒 Privacy-first by design

Your transaction files are processed entirely in your browser and are never uploaded to or stored on our servers.

1. Who We Are

AML Shield Pro ("we", "us", "our") is an Australian-based software company providing automated anti-money laundering (AML) and counter-terrorism financing (CTF) compliance screening tools for small and medium enterprises, accountants, financial institutions, and fintechs.

This Privacy Policy applies to all users of our website at amlshieldpro.com and our SaaS platform. It complies with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and to the extent applicable, the General Data Protection Regulation (GDPR) for users in the European Economic Area.

2. Data We Collect

Account information: When you create an account, we collect your name, email address, company name, and country. We use this to identify you, provide the service, and communicate with you.

Billing information: If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We never see, receive, or store your full card number, CVV, or banking details. We only receive a tokenised reference and the last 4 digits of your card from Stripe.

Usage data: We collect anonymised data about how you use the platform (pages visited, features used, scan counts) to improve the product. This does not include the content of your transaction files.

Support communications: If you contact us via the contact form or email, we retain those communications to respond to you and improve our service.

3. Transaction Data — Client-Side Processing

Your transaction files never leave your device.

All AML screening, rule execution, anomaly detection, sanctions screening, and report generation occurs entirely within your browser using client-side JavaScript. When you upload a CSV or Excel file:

  • The file is parsed locally in your browser's memory
  • All 15+ AML rules run entirely on your device
  • Transaction records are never transmitted to our servers
  • Transaction records are never stored in our database
  • No transaction data appears in our server logs

The only data saved to our database are aggregate scan statistics (e.g. "100 transactions scanned, 3 alerts generated") — never individual transaction records.

If you choose to save individual alerts or cases to Supabase for investigation workflow purposes, that data is stored under your account with full row-level security, meaning only you can access it.

4. Payment Processing

All payments are processed by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. When you enter payment details:

  • Card details are submitted directly to Stripe via their secure iframe
  • We never receive or store your full card number, expiry, or CVV
  • We store only your Stripe customer ID and subscription status
  • Stripe processes payments under their own Privacy Policy (stripe.com/privacy)

5. Data Security

We take security seriously and implement the following measures:

  • Encryption at rest: All data stored in Supabase (PostgreSQL) is encrypted using AES-256
  • Encryption in transit: All connections use TLS 1.3
  • Row Level Security: Every database table enforces Supabase RLS — you can only access your own data
  • Authentication: Secure password hashing via bcrypt; optional 2FA
  • Infrastructure: Hosted on Vercel (edge network) and Supabase (AWS-backed)
  • API security: API keys are hashed (SHA-256) before storage — we cannot recover your key

Despite these measures, no system is 100% secure. Please use a strong, unique password for your account.

6. Cookies

We use only essential cookies required for the service to function:

  • Authentication cookie: Set by Supabase to maintain your login session (sb-access-token, sb-refresh-token). Expires after 1 hour; refreshed automatically.
  • Preference cookies: Used for storing UI preferences (e.g. demo data loaded flag) in localStorage

We do not use advertising cookies or third-party tracking cookies, and we do not sell your data to advertisers. We do not use Google Analytics or similar tracking services.

7. Your Rights

Under the Australian Privacy Act and GDPR, you have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your account and all associated data
  • Portability: Request your data in a machine-readable format (JSON/CSV)
  • Objection: Object to processing of your personal data
  • Withdraw consent: Cancel your subscription and delete your account at any time from Settings

To exercise these rights, contact us at privacy@amlshieldpro.com. We will respond within 30 days.

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the service:

  • Account data: Retained until account deletion
  • Scan statistics: Retained for 24 months after last activity
  • Alerts and cases: Retained until you delete them or your account
  • Audit logs: Retained for 7 years to support your AML/CTF compliance obligations
  • Billing records: Retained for 7 years as required by Australian tax law
  • Support communications: Retained for 2 years

Upon account deletion, all personal data is permanently deleted within 30 days, except where required by law.

9. Third-Party Service Providers

We share data with the following trusted third parties only to the extent necessary to provide the service:

Supabase (Supabase, Inc.)

Database, authentication, and storage. Data processed in AWS ap-southeast-2 (Sydney). supabase.com/privacy

Vercel (Vercel, Inc.)

Web hosting and edge network. vercel.com/legal/privacy-policy

Stripe (Stripe, Inc.)

Payment processing. PCI-DSS Level 1 certified. stripe.com/privacy

Anthropic (Anthropic, PBC)

AI narrative generation for SAR reports and copilot features (optional). anthropic.com/privacy

We do not sell your data to any third party.

10. International Data Transfers

Our primary infrastructure is located in Australia (AWS ap-southeast-2). Some service providers (Vercel, Stripe) may process data in other countries including the United States. All transfers are protected by appropriate safeguards including Standard Contractual Clauses (SCCs) for GDPR compliance.

11. Contact & Complaints

For privacy inquiries or complaints:

AML Shield Pro — Privacy Officer

privacy@amlshieldpro.com

If unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, or for EEA users, your local Data Protection Authority.