
Privacy Policy

Effective 3 June 2026 · Version 2026.06.01

iso-compliant operates the ISO 20022 compliance engine at api.iso-compliant.com. This policy describes what personal data we collect, why we collect it, how long we retain it, and the rights you have over it.

This page is a summary of our processing posture, written at the level of detail suitable for the public site. For the binding commitments we make to enterprise customers — including controller/processor designation, the sub-processor list, the transfer mechanism, and data-subject-request procedures — see the Data Processing Agreement (DPA).

What we collect

Account data — name, email, organisation name, billing address, tax ID. Collected when you sign up or upgrade.

Authentication data — the API key prefix and the SHA-256 hash of the key secret, the Ed25519 public key fingerprint, login session tokens, and last-used timestamps. We never store the raw API key secret; incoming keys are hashed and compared against the stored hash.

Usage events — endpoint called, ruleset version, ISO 20022 MsgId, response status, latency, and timestamp. Used for billing and dashboard analytics.

Audit attestations — SHA-256 of canonical request/response bodies, hash-chained per tenant. Used for tamper-evident compliance evidence.

Payment payloads — the actual contents of the ISO 20022 / SEPA / QR-bill payloads you submit to the API. These are processed in memory and discarded after the response is rendered (see Retention for the request-render cache window); only the SHA-256 hash of the canonical body is retained.
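To make the two mechanisms above concrete (storing only a prefix plus the SHA-256 of an API key secret, and hash-chaining per-tenant SHA-256 attestations so that a later edit is detectable), here is an added illustration in Python. It is not iso-compliant's code: the real key format, canonicalisation rules and attestation schema are not documented on this page, so the key prefix length, the JSON-with-sorted-keys canonicalisation, the field names and the all-zero chain head are assumptions, and the sample requests are constructed.

```python
import hashlib
import hmac
import json

# Illustrative only: the service's real key format, canonicalisation rules and
# attestation schema are not documented on the page. Assumptions are marked.

GENESIS = "0" * 64  # assumed chain head for an empty per-tenant chain


def canonical_hash(body: dict) -> str:
    """SHA-256 over a canonical JSON rendering (sorted keys, no whitespace).

    Canonicalisation is what makes the hash reproducible: two semantically
    identical bodies with different key order or spacing must hash alike.
    Sorted-key JSON is an assumed choice, not the service's documented one.
    """
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def api_key_record(raw_key: str, prefix_len: int = 8) -> dict:
    """What gets stored for an API key: a display prefix plus SHA-256 of the secret.

    A plain (unsalted) SHA-256 is adequate only because a well-generated API key
    is a high-entropy random string, unlike a password. The raw key is never
    written. prefix_len is an assumed value.
    """
    return {
        "prefix": raw_key[:prefix_len],
        "secret_sha256": hashlib.sha256(raw_key.encode()).hexdigest(),
    }


def verify_api_key(record: dict, presented_key: str) -> bool:
    """Recompute the hash of the presented key and compare in constant time."""
    digest = hashlib.sha256(presented_key.encode()).hexdigest()
    return hmac.compare_digest(record["secret_sha256"], digest)


def append_attestation(chain: list, tenant: str, request: dict, response: dict) -> dict:
    """Append one entry to a tenant's chain. Only hashes of the bodies are kept."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    entry = {
        "tenant": tenant,
        "seq": len(chain),
        "request_sha256": canonical_hash(request),
        "response_sha256": canonical_hash(response),
        "prev_hash": prev,
    }
    # The entry hash covers every field above, including prev_hash, so each
    # link commits to the whole history before it.
    entry["entry_hash"] = canonical_hash(entry)
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Return (True, length) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if (
            entry["seq"] != i
            or entry["prev_hash"] != prev
            or canonical_hash(body) != entry["entry_hash"]
        ):
            return False, i
        prev = entry["entry_hash"]
    return True, len(chain)


def demo() -> dict:
    """Constructed sample: two requests, then a silent edit of the first response."""
    chain = []
    append_attestation(chain, "tenant-a", {"MsgId": "MSG-0001", "Amt": "10.00"}, {"status": 200})
    append_attestation(chain, "tenant-a", {"MsgId": "MSG-0002", "Amt": "99.00"}, {"status": 422})
    intact = verify_chain(chain)
    chain[0]["response_sha256"] = hashlib.sha256(b"forged").hexdigest()
    tampered = verify_chain(chain)
    return {"intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Note what the chain does and does not give you: an edit to any retained hash breaks either that entry's own seal or the next entry's `prev_hash` link, so the first inconsistent index is reported; but anyone holding the whole chain can re-seal every entry from the edit forward, so tamper evidence against the operator itself needs the chain head anchored somewhere the operator cannot silently rewrite.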

What we do not collect

  • We do not train machine-learning models on your payment payloads. Our use of frontier models is offline and batched, and runs only against bank implementation-guide (IG) PDFs, never against customer transaction data.
  • We do not sell, rent, or otherwise share personal data with advertisers or data brokers.
  • We do not place advertising or analytics cookies on the marketing site beyond first-party, anonymised page-view counters.

Retention

  • Idempotency records and audit attestations: seven (7) years, for replay protection and compliance evidence.
  • Plaintext payment payloads: evicted from the request-render cache within five (5) minutes of response.
  • Account and billing data: for the life of the customer relationship plus seven (7) years for tax-record purposes.
  • Login session tokens: 14 days from last use, or until you sign out.

Where it lives

Postgres is hosted with Supabase in the region the customer elects (default EU-Frankfurt, eu-central-1; additional regions on request; see the DPA for the current supported region list). The compute layer is Cloudflare Workers: traffic terminates at the PoP closest to the calling region, and data localisation is enforced for tenants whose order form pins a specific residency. Email is sent via a customer-elected SMTP relay; iso-compliant does not retain a copy of dispatched email bodies. The full sub-processor list is in the DPA.

Your rights

Under GDPR, the Swiss nFADP, the UK Data Protection Act 2018, and analogous applicable data-protection law in your jurisdiction, you have rights to access, rectification, deletion, restriction, portability, and objection. Exercise any of these by emailing privacy@iso-compliant.com. We respond within thirty (30) days.

Contact

Privacy queries: privacy@iso-compliant.com
Data Protection Officer: dpo@iso-compliant.com

© 2026 iso-compliant — operated worldwide.