This Privacy Policy explains how Ohmyfin Limited ("we," "us," or "our") collects, uses, and protects the data you provide to us when you visit and use our website ohmyfin.ai and our API and MCP services.
We reserve the right to change this Policy at any time. Any updates will be effective immediately upon posting on this page. This Privacy Policy is effective as of March 19, 2026.
1. What User Data We Collect
When you visit our website or use our services (including via API or MCP), we may collect the following:
- Your IP address
- Your email address and/or phone number
- Your cross-border payment information, including UETR or reference number, date of payment, amount, sender's bank, beneficiary's bank and currency
- Names and entities submitted for sanctions screening
- Profile data about your behavior on our website
- Your billing information: name, address, VAT
- API keys and MCP registration data (email address, organization name)
- API and MCP usage logs, including request timestamps, endpoints accessed, and query parameters
- Analytics data through Google Analytics, including pages visited, time on site, and user interactions
- Advertising data through Google Ads conversion tracking, including conversion events and ad interactions
2. Why We Collect It
We collect this data for the following purposes:
- To provide you with the services you requested (e.g., tracking payments, sanctions screening, FX rates)
- To facilitate proper billing
- To better understand your needs and improve our services
- To provide you with up-to-date information about our services
- To detect and prevent fraud, abuse, and unauthorized access
- To comply with legal obligations, including sanctions regulations and financial record-keeping
- To measure advertising effectiveness and optimize our marketing campaigns through Google Ads conversion tracking
- To analyze user behavior and website performance to enhance user experience
2A. Legal Basis for Processing
Under the UK General Data Protection Regulation (UK GDPR), we process your personal data on the following legal bases:
- Contract performance (Article 6(1)(b)): Processing necessary to provide our services to you, including payment tracking, sanctions screening, API access, and account management.
- Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate business interests, including security, fraud prevention, service improvement, and analytics, where these interests are not overridden by your rights.
- Consent (Article 6(1)(a)): Processing based on your explicit consent, including non-essential cookies, marketing communications, and Google Analytics/Ads tracking (for UK/EU users).
- Legal obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations, including financial record-keeping, sanctions compliance, and responding to lawful requests from authorities.
3. Third-Party Services and Sub-Processors
We share your data with the following third-party service providers who process data on our behalf or as independent controllers:
Anthropic (Claude AI)
We use Anthropic's Claude AI technology for:
- Document analysis (e.g., extracting information from uploaded payment documents such as MT103 scans)
- Customer support assistance
- Processing certain API and MCP queries
Anthropic does not retain your data after processing and does not use your data to train AI models. Documents and queries are processed in real-time and are not stored by Anthropic beyond the duration of the processing request.
Stripe
We use Stripe for payment processing. When you make a payment, your payment details (card information, billing address) are processed directly by Stripe. We do not store your full card details. Stripe's processing is governed by their own privacy policy and data processing agreement.
Amazon Web Services (SES)
We use Amazon Simple Email Service (SES) to send transactional and service emails. Your email address and email content are processed by Amazon SES for delivery purposes.
Google Analytics
We use Google Analytics to understand how visitors interact with our website. This service:
- Collects information about pages you visit and how long you spend on them
- Tracks user interactions and navigation patterns
- Helps us improve our website and user experience
Google Ads
We use Google Ads conversion tracking to measure the effectiveness of our advertising campaigns. This service:
- Places cookies on your device to track conversions and user interactions
- Collects information about your visits to our website and interactions with our ads
- Helps us understand which marketing campaigns are most effective
- Allows Google to show you personalized ads based on your website visits
You can opt out of Google Analytics and Ads personalization by visiting Google's Ad Settings or by using Google's Analytics Opt-out Browser Add-on.
Transaction Validation Services
We use third-party APIs to validate transaction routing, SWIFT/BIC codes, and banking data. Transaction data you submit (such as SWIFT codes, currencies, and amounts) may be shared with these validation services for processing purposes.
4. Your Data Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request correction of inaccurate or incomplete personal data.
- Right to erasure: You may request deletion of your personal data, subject to our legal retention obligations. You can delete your account at any time using the Delete Account feature in your profile.
- Right to restriction: You may request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability: You may request a copy of your data in a structured, commonly used, machine-readable format.
- Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.
- Rights related to automated decision-making: You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Our services do not make automated decisions with legal effect about individuals.
To exercise any of these rights, please contact us via our contact page or by mail at the address below. We will respond to your request within 30 days. If we need more time (up to a further 60 days for complex requests), we will inform you of the reason and the expected timeframe.
If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
5. International Data Transfers
Some of our third-party service providers are based outside the United Kingdom. When your data is transferred internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by the ICO
- Adequacy decisions where the receiving country provides adequate data protection
- Service provider data processing agreements with appropriate security measures
6. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption of data in transit, access controls, and regular security reviews. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.
7. Contact Us
If you have any questions or concerns about our Privacy Policy, the data we collect, or wish to exercise your data rights, please contact us:
- By visiting this page on our website: Contact Us
- By mail: Ohmyfin Limited, 275 New North Road, Islington Suite 1422, London, England, N1 7AA