Skip to main content
Legal

Privacy Policy

Last updated: 25 June 2026  ·  Effective: 25 June 2026

1. Who we are

Embargo is a trading name of Pintu Holdings Ltd, a company registered in England and Wales (“we”, “us”, “our”). We operate the export control compliance intelligence service available at getembargo.com(the “Service”).

For questions about this policy or your personal data, contact us at privacy@getembargo.com.

2. Data we collect

Account data

Name, email address, and organisation name collected at registration. Authentication is managed by Clerk. Google Sign-In users: we receive name and email from Google via Clerk only — no Google password or other account data is accessed.

Screening data

Entity names, company names, and identifiers submitted for screening — individually, via bulk CSV, or added to your counterparty watchlist. Screening sessions, matched outcomes, and your compliance audit trail are stored in your account.

Product profile data

ECCN classifications and product descriptions entered in Settings (Products You Ship). Used to generate product-specific screening context. Stored in your account only.

Preference data

Jurisdiction preferences, watchlist entries, keyword alert terms, Slack webhook URL (if configured), and email delivery settings.

Billing data

Payment card details are processed directly by Stripe and never stored on our servers. We retain only a Stripe customer ID and subscription status.

Usage data

Standard server logs: IP address, browser type, pages visited, timestamps. Retained for 90 days.

3. How we use your data

  • Providing the Service: Delivering regulatory alerts, email digests, and The Embargo Brief based on your jurisdiction preferences; running entity screening checks on names you submit; continuously re-screening your counterparty watchlist and alerting you to changes; generating AI-powered entity intelligence notes using Anthropic's Claude models; resolving ownership chains and 50%-affiliate relationships using GLEIF data and AI inference.
  • Compliance audit trail: Recording screening sessions, bulk upload outcomes, and watchlist re-screen results in your compliance journal so you can generate evidence reports.
  • Billing: Processing subscription payments and managing your plan via Stripe.
  • Communications: Sending service notifications, account alerts, and product updates. You may opt out of marketing emails at any time.
  • Security & fraud prevention: Detecting and preventing unauthorised access and abuse.
  • Legal compliance: Meeting our obligations under applicable law.

4. Legal basis for processing (UK GDPR)

We process your personal data under the following legal bases:

  • Contract (Article 6(1)(b)): Processing necessary to deliver the Service you have subscribed to.
  • Legitimate interests (Article 6(1)(f)): Security monitoring, fraud prevention, and product improvement.
  • Legal obligation (Article 6(1)(c)): Where required by law.

5. Sub-processors and third parties

We use the following sub-processors to deliver the Service. Each is bound by data processing agreements and industry-standard security practices.

ProviderPurposeLocation
ClerkUser authentication, session management, and Google OAuth sign-inUnited States
GoogleOAuth identity provider for Google Sign-In via Clerk. We receive name and email only. No other Google account data is accessed or stored.United States
SupabaseDatabase hosting, storage, and row-level-secure data accessUnited States
StripePayment processing and subscription managementUnited States
ResendTransactional and digest email deliveryUnited States
AnthropicAI-powered entity intelligence notes, regulatory text summarisation, and ownership chain inference (Claude models)United States
GLEIFLegal Entity Identifier (LEI) data for ownership chain resolution We query publicly available corporate registry data only. No personal data is sent to GLEIF.Switzerland
VercelApplication hosting, CDN, and edge functionsUnited States

All US-based sub-processors operate under Standard Contractual Clauses (SCCs) or equivalent safeguards for international data transfers under UK GDPR.

6. Data retention

We retain your personal data for as long as your account is active. On account closure:

  • Account and preference data is deleted within 30 days.
  • Screening history, watchlist data, and compliance audit trail records are deleted within 30 days of account closure.
  • Billing records are retained for 7 years to comply with UK financial regulations.
  • Server logs are deleted after 90 days.

7. Your rights under UK GDPR

As a UK data subject you have the right to:

Access

Request a copy of the personal data we hold about you.

Rectification

Ask us to correct inaccurate or incomplete data.

Erasure

Request deletion of your personal data ("right to be forgotten").

Portability

Receive your data in a structured, machine-readable format.

Restriction

Ask us to limit how we process your data in certain circumstances.

Object

Object to processing based on legitimate interests.

To exercise any of these rights, email privacy@getembargo.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Cookies

We use essential cookies only — for authentication sessions (via Clerk) and security. We do not use tracking or advertising cookies. No cookie consent banner is required for strictly necessary cookies under the UK PECR.

9. Data security

We implement industry-standard technical and organisational measures including TLS encryption in transit, encryption at rest, row-level security on all database tables, and access controls limiting data access to authorised personnel only.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified by email to registered users at least 14 days before taking effect. Continued use of the Service after that date constitutes acceptance of the updated policy.

11. Contact

Pintu Holdings Ltd (trading as Embargo)

Data privacy enquiries: privacy@getembargo.com

Registered in England and Wales

© 2026 Pintu Holdings Ltd. Embargo is a trading name of Pintu Holdings Ltd.