Data Privacy — VIGILIX

🇨🇭

Data location

100% in Switzerland
(Infomaniak, Geneva)

🚫

Logging

No screening queries stored. No database of names.

🔒

Third parties

No data sold or shared with advertisers or analytics.

⚖️

Legal basis

nLPD (Switzerland) · Legitimate interest

What data is processed

VIGILIX processes only the data you actively provide when performing a screening. No data is collected passively (no tracking, no analytics cookies).

Data element	Purpose	Stored?	Shared?	Retention
First and last name	Sanctions matching, PEP check, adverse news search	No	Partially*	Session only — discarded immediately after response
Date of birth	Improve match accuracy, reduce false positives	No	No	Session only
Nationality / country	Refine adverse news search queries	No	Partially*	Session only
IP address	Web server routing (Nginx standard logs)	Temporarily	No	7 days in Nginx access logs, then deleted
Browser / User-Agent	Standard HTTP header (not analyzed)	Temporarily	No	7 days in Nginx logs, then deleted
Screening results / PDF	Generated on-demand, sent to browser	No	No	Never stored on server

* "Partially shared" means that when performing adverse news screening, the name and country are sent to GDELT (external academic database) and to SearXNG (self-hosted in Switzerland). SearXNG forwards anonymized queries to the configured search engine — see Section 3 for details.

Tools and services involved

VIGILIX is built entirely on self-hosted or open-source components. No commercial SaaS analytics, advertising, or tracking services are used.

🐍

Flask / Python

📍 Switzerland — Infomaniak VPS, Geneva

Core application server. Processes all screening requests, runs the matching engine, generates PDF reports. All computation occurs on Swiss soil.

Data received: Name, DOB, nationality (in memory only)
Data stored: None

📰

GDELT Project

📍 External — USA (academic project)

Global Database of Events, Language, and Tone. Free academic project monitoring international press in real-time. Used for adverse news screening. No personal data stored.

Data sent: Search query (name + risk keywords)
Data stored by GDELT: Standard server logs
Privacy policy: gdeltproject.org

🔍

SearXNG

📍 Switzerland — same server, Geneva

Self-hosted meta-search engine used for adverse news screening. Strips cookies and tracking parameters before forwarding queries to external search engines. No query history is kept. One query per screening.

Data received: Search query (name + risk keywords)
Data stored: None
Forwards to: Configured engine (Qwant/DDG/Brave/Serper) — anonymized

📖

Wikidata API

📍 Wikimedia Foundation (USA/Europe)

Used for PEP (Politically Exposed Person) screening. A name-based query is sent to the public Wikidata API to check whether the person holds or has held a political position.

Data sent: Name only (no DOB, no nationality)
Data stored by Wikidata: Standard server logs (public API)
Privacy policy: wikimediafoundation.org/privacy

🌐

Nginx

📍 Switzerland — Infomaniak VPS, Geneva

Web server and reverse proxy. Standard HTTP access logs are kept for 7 days for security and diagnostic purposes, then automatically purged.

Data logged: IP address, URL path, timestamp, HTTP status
Retention: 7 days
No personal names logged

🏛️

Sanctions list sources

📍 SECO (CH) · EU · UN · OFAC (US)

Official sanctions lists are downloaded nightly from government sources and cached on the Swiss server. No data is sent to these sources during a screening — matching occurs locally.

Data sent: None (one-way download)
Data cached: Official list files on Swiss server
Retention: Renewed every 24h

🐳

Docker / Ubuntu 22.04

📍 Switzerland — Infomaniak VPS, Geneva

Containerized deployment environment. All application components run in isolated Docker containers. No external container registries receive application data.

Data processed: In-memory only
External calls: None beyond listed services

⚠️ Adverse news limitation: When you use the adverse news feature, the searched name is sent to GDELT (global press database) and to external search engines via SearXNG. SearXNG anonymizes queries before forwarding them. The configured search engine (Qwant, DuckDuckGo, Brave, or Serper/Google) processes the query under its own privacy policy. If this is a concern, you may disable adverse news screening.

Data flow diagram

Step	From	To	Data transmitted	Location
1	Your browser	VIGILIX server	Name, DOB, nationality (HTTPS encrypted)	🇨🇭 Switzerland
2a	Flask engine	Local sanctions cache	Name only (in-memory comparison)	🇨🇭 Switzerland
2b	Flask engine	Wikidata API	Name only	🌐 International
2c	Flask engine	GDELT + SearXNG (parallel)	Name + risk keywords (anonymized)	🌐 International
3	VIGILIX server	Your browser	Screening results (HTTPS encrypted)	🇨🇭 Switzerland
4	Your browser	Your device only	PDF report (generated server-side, never stored)	🇨🇭 → Your device

Legal basis (nLPD)

VIGILIX processes personal data under the following legal bases, pursuant to the Swiss Federal Act on Data Protection (nLPD, revised version in force since September 1, 2023):

Sanctions & PEP screening

Legal basis: Legitimate interest (Art. 31 nLPD). Financial intermediaries subject to the Anti-Money Laundering Act (LBA/AMLA) have a legal obligation to screen clients against sanctions lists. Processing names for this purpose constitutes a legitimate interest that overrides the data subject's interest in privacy.

Adverse news screening

Legal basis: Legitimate interest (Art. 31 nLPD). Identifying negative media coverage related to financial crime, corruption, or sanctions is a recognized component of enhanced due diligence (EDD) under FATF recommendations.

Server logs (IP address)

Legal basis: Legitimate interest (Art. 31 nLPD) — security monitoring and abuse prevention. Logs are retained for 7 days only.

Your rights under nLPD

As a data subject, you have the following rights under Swiss law. Note that because VIGILIX does not store screening queries or results, most rights can only be exercised in relation to server log data (IP address, timestamp).

Right of access (Art. 25)

You may request information about what personal data we hold about you.

Right to rectification (Art. 32)

You may request correction of inaccurate data we hold about you.

Right to erasure (Art. 32)

You may request deletion of data we hold. Server logs are deleted after 7 days automatically.

Right to object (Art. 30)

You may object to processing based on legitimate interest.

Right to data portability

Not applicable — we do not store your personal data in a structured format.

Right to lodge a complaint

You may file a complaint with the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

Security measures

HTTPS/TLS encryption planned — currently accessible via HTTP on development server
Server hosted by Infomaniak (ISO 27001 certified, Geneva, Switzerland)
Docker containerization — application components isolated from each other
No screening data written to disk at any point
Server access restricted to SSH key authentication (no password login)
Automatic security updates enabled on Ubuntu 22.04 LTS
Nginx access logs purged automatically after 7 days

Data Protection Contact

For any privacy-related request or question, contact us at:

vigil.swiss@pm.me

We will respond within 30 days as required by the nLPD.

Data Privacy & Processing

What data is processed

Tools and services involved

Data flow diagram

Legal basis (nLPD)

Sanctions & PEP screening

Adverse news screening

Server logs (IP address)

Your rights under nLPD

Security measures

Data Protection Contact