Privacy Policy

What We Collect

Charlie AI collects the following data to provide KYC/AML compliance automation services:

• Account information (name, email) collected during signup via Google or Microsoft authentication
• Client compliance documents uploaded by users for processing
• Document metadata and AI-extracted text for compliance analysis
• Email data accessed via Gmail or Outlook integration (with user consent)
• Usage data including feature interactions and pipeline runs

How We Use Your Data

We use your data solely to provide and improve our compliance automation services:

• Processing and categorising uploaded compliance documents
• Running sanctions, PEP, and adverse media screening checks
• Generating compliance reports (CDD forms, risk assessments)
• Providing AI-powered compliance guidance via Ask Charlie
• Sending document request emails on your behalf

Data Storage and Security

• All data is stored in Supabase (PostgreSQL) with row-level security
• Data is encrypted at rest and in transit
• Documents are stored in Google Drive or OneDrive (based on your authentication provider)
• API keys and credentials are stored as encrypted environment variables
• We implement security headers, input validation, rate limiting, and error sanitisation

Third-Party Services

We use the following third-party services:

• Google Cloud (OAuth, Drive, Vision OCR)
• Microsoft Azure (OAuth, OneDrive, Outlook)
• OpenAI (document text extraction)
• Google Gemini (AI compliance assistant)
• OpenSanctions (sanctions and PEP screening)
• Serper (adverse media web search)

Data Sharing

We do not sell your data to third parties. Data is only shared with the third-party services listed above as required to provide our services.

Data Retention

Your data is retained for as long as your account is active. Upon account deletion, all associated data is removed within 30 days.

Your Rights

You may request access to, correction of, or deletion of your personal data at any time by contacting us.