Last updated: 2026-04-02
Soap Labs AB, reg. no. 559571-8981, Tulegatan 15, 113 53 Stockholm, Sweden ("Soap Labs", "we", "us") is committed to protecting personal data and ensuring that it is processed in a lawful, transparent and secure manner.
This Privacy Policy explains how we process personal data in connection with our website, our business relationships, and our anti-money laundering (AML) platform.
Soap Labs processes personal data both as a data controller and as a data processor.
When we process personal data relating to our customers' representatives, users of our platform, website visitors, or prospective customers, we act as a data controller. In these cases, we determine the purposes and means of processing.
When we process personal data as part of providing our AML platform to our customers, we act as a data processor on behalf of those customers. In such cases, the customer is the data controller and determines how and why personal data is processed. This processing is governed by a separate data processing agreement.
As a data controller, we process personal data such as contact details, including name, email address, telephone number and professional role. We also process information related to communication with us, for example emails and support interactions, as well as account-related information for users of our platform.
In addition, we may process usage data and analytics data, including information about how users interact with our website and services. Where applicable, we also process marketing-related data, such as newsletter subscriptions and preferences.
As a data processor, we process personal data on behalf of our customers. The scope of this processing depends on the customer's use of the Service but may include identification data such as name, personal identification number and date of birth, transaction data, and information relating to sanctions and politically exposed persons (PEP). We may also process risk classifications, scores and other derived data, as well as system-generated data such as logs, identifiers and metadata.
We collect personal data directly from individuals when they interact with us, for example through our website, communications or use of our services.
In our role as a processor, we receive personal data from our customers, who provide or upload data to the Service.
We may also receive data from third-party providers, such as suppliers of sanctions and PEP information, which are used as part of our AML-related services.
When acting as a controller, we process personal data in order to manage and maintain our business relationships, provide and administer our services, communicate with customers and users, and improve our products and offerings.
Processing may also take place for marketing purposes, such as sending relevant information about our services. Such processing is based either on consent, where required, or on our legitimate interest in promoting our services to relevant business contacts.
Where processing is necessary for the performance of a contract, such as providing access to our platform or managing customer relationships, the legal basis is the performance of that contract.
Where we rely on legitimate interest, we ensure that such interest is balanced against the rights and freedoms of the individual.
When acting as a processor, we process personal data solely on behalf of our customers and in accordance with their instructions. The legal basis for such processing is determined by the customer.
We retain personal data only for as long as necessary in relation to the purposes for which it was collected.
Personal data relating to customer representatives and users is retained for the duration of the business relationship and thereafter only as required for legitimate business purposes or legal obligations.
Personal data processed on behalf of customers is retained in accordance with the customer's instructions and applicable law. In the context of anti-money laundering, data may be retained for a minimum period required by law, typically at least five years.
User accounts are deleted or anonymized when they are no longer required.
We may share personal data with service providers and subcontractors that support the delivery of our services, such as cloud infrastructure providers.
We may also share data with third-party data providers where relevant for AML-related processing, as well as with authorities where required by law.
All such recipients are subject to contractual obligations to protect personal data and ensure appropriate security.
Personal data is primarily processed within the European Union or European Economic Area.
Certain data may be stored in Germany as part of our infrastructure setup. Where personal data is transferred outside the EU/EEA, for example through the use of certain third-party tools, appropriate safeguards are implemented in accordance with applicable law, including the use of Standard Contractual Clauses where relevant.
Soap Labs implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Personal data is protected through a combination of technical safeguards, including encryption in transit and at rest, pseudonymization where appropriate, and strict access control mechanisms. Access to systems and data is restricted based on role and necessity, and multi-factor authentication is used where relevant.
Our infrastructure is deployed in secure cloud environments with network segmentation, including the use of virtual private cloud (VPC) architectures, firewalls and secure communication channels. Additional protections such as VPN access may be applied for administrative functions.
We maintain logging and monitoring capabilities to detect and respond to unauthorized access or anomalies. Regular security assessments, including vulnerability scanning and testing, are conducted to identify and mitigate risks.
Organizational measures include internal policies, governance structures, staff training, and continuous evaluation of our security posture in line with applicable standards and regulatory expectations.
Individuals have the following rights under applicable data protection law:
Requests are handled in accordance with applicable law and within statutory timeframes.
Soap Labs AB is the data controller for the processing described in this Privacy Policy when acting in that role.
For any questions regarding this Privacy Policy or our processing of personal data, please contact:
Soap Labs AB
Tulegatan 15, 113 53 Stockholm, Sweden
Email: info@soaplabs.com
We may update this Privacy Policy from time to time. The latest version will always be available on our website.