Privacy Policy
Last updated: 27 May 2026 · Effective: 27 May 2026
1. Who we are
Embargo is a trading name of Pintu Holdings Ltd, a company registered in England and Wales (“we”, “us”, “our”). We operate the export control compliance intelligence service available at getembargo.com(the “Service”).
For questions about this policy or your personal data, contact us at privacy@getembargo.com.
2. Data we collect
Name, email address, and organisation name collected when you register. Managed via Clerk (our authentication provider).
Payment card details are processed directly by Stripe and are never stored on our servers. We retain only a Stripe customer ID and your subscription status.
Jurisdiction preferences and email delivery settings you configure in your dashboard.
Standard server logs including IP address, browser type, pages visited, and timestamps. Retained for up to 90 days.
3. How we use your data
- ▸Providing the Service: Delivering regulatory alerts and digest emails to you based on your jurisdiction preferences.
- ▸Billing: Processing subscription payments and managing your plan via Stripe.
- ▸Communications: Sending service notifications, account alerts, and product updates. You may opt out of marketing emails at any time.
- ▸Security & fraud prevention: Detecting and preventing unauthorised access and abuse.
- ▸Legal compliance: Meeting our obligations under applicable law.
4. Legal basis for processing (UK GDPR)
We process your personal data under the following legal bases:
- ▸Contract (Article 6(1)(b)): Processing necessary to deliver the Service you have subscribed to.
- ▸Legitimate interests (Article 6(1)(f)): Security monitoring, fraud prevention, and product improvement.
- ▸Legal obligation (Article 6(1)(c)): Where required by law.
5. Sub-processors and third parties
We use the following sub-processors to deliver the Service. Each is bound by data processing agreements and industry-standard security practices.
| Provider | Purpose | Location |
|---|---|---|
| Clerk | User authentication and session management | United States |
| Supabase | Database hosting and storage | United States |
| Stripe | Payment processing | United States |
| Resend | Transactional email delivery | United States |
| Anthropic | AI-powered regulatory text summarisation | United States |
| Vercel | Application hosting and CDN | United States |
All US-based sub-processors operate under Standard Contractual Clauses (SCCs) or equivalent safeguards for international data transfers under UK GDPR.
6. Data retention
We retain your personal data for as long as your account is active. On account closure:
- ▸Account and preference data is deleted within 30 days.
- ▸Billing records are retained for 7 years to comply with UK financial regulations.
- ▸Server logs are deleted after 90 days.
7. Your rights under UK GDPR
As a UK data subject you have the right to:
Request a copy of the personal data we hold about you.
Ask us to correct inaccurate or incomplete data.
Request deletion of your personal data ("right to be forgotten").
Receive your data in a structured, machine-readable format.
Ask us to limit how we process your data in certain circumstances.
Object to processing based on legitimate interests.
To exercise any of these rights, email privacy@getembargo.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
8. Cookies
We use essential cookies only — for authentication sessions (via Clerk) and security. We do not use tracking or advertising cookies. No cookie consent banner is required for strictly necessary cookies under the UK PECR.
9. Data security
We implement industry-standard technical and organisational measures including TLS encryption in transit, encryption at rest, row-level security on all database tables, and access controls limiting data access to authorised personnel only.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified by email to registered users at least 14 days before taking effect. Continued use of the Service after that date constitutes acceptance of the updated policy.
11. Contact
Pintu Holdings Ltd (trading as Embargo)
Data privacy enquiries: privacy@getembargo.com
Registered in England and Wales