Skip to content

Privacy Policy — OpenAleph

This document covers the service running at search.openaleph.org.

1. Controller and Contact

The controller responsible for data processing on the website search.openaleph.org within the meaning of the General Data Protection Regulation (GDPR) is:

Data and Research Center – DARC
IDIO Daten Import Export GmbH
Gottschedstr. 4, 13357 Berlin
legal@dataresearchcenter.org

If you have questions about data protection, you can reach us via email.

2. Overview

OpenAleph is a platform that makes publicly available data on sanctioned entities, politically exposed persons (PEPs), and company registries searchable and accessible. The data published on OpenAleph is sourced exclusively from public sources, including OpenSanctions, the European Commission, and other governmental or supranational bodies.

This privacy policy explains how we process personal data in the course of operating OpenAleph, both with respect to users of the platform and individuals whose data appears in the published datasets.

3. Data in the OpenAleph Database

3.1 What data is processed

OpenAleph aggregates and re-publishes data from publicly available sources. This data may include:

  • Names, aliases, and titles
  • Dates and places of birth
  • Nationalities and citizenships
  • Addresses
  • Identification document numbers (e.g., passport numbers)
  • Positions and political roles
  • Corporate roles and affiliations
  • Sanctions designations and listing reasons
  • Source references and identifiers

OpenAleph does not collect this data directly from the individuals concerned. All data originates from official governmental, supranational, or international public sources, or from licensed data providers (such as OpenSanctions) who aggregate these public sources.

We process this data on the basis of:

  • Art. 6(1)(f) GDPR — Legitimate interests. There is a substantial public interest in making sanctions lists, PEP databases, and company registries searchable and accessible. This data is already published by the relevant authorities and data providers. Our processing — aggregating and presenting this already-public data in a searchable format — does not meaningfully increase the privacy intrusion beyond the original publication. The legitimate interest in transparency, anti-corruption, anti-money laundering, and journalistic research outweighs the interests of the data subjects in this context.

  • Art. 85 GDPR in conjunction with §19 Berliner Datenschutzgesetz (BlnDSG) — Processing for journalistic purposes. OpenAleph is operated by a journalism organization. The platform serves investigative journalism, public accountability, and research purposes. §19 BlnDSG implements the exemptions and derogations provided for by Art. 85 GDPR for processing carried out for journalistic purposes, which apply to our processing activities.

3.3 Retention

Data in the OpenAleph database is retained for as long as it remains present in the corresponding published source. When data is removed from the original source (e.g., when a person is delisted from a sanctions list), it is removed from OpenAleph in due course following our regular data update cycle.

3.4 Rights of listed individuals

If you are an individual whose data appears in the OpenAleph database and you believe that the data is inaccurate or that your listing is unjustified, we encourage you to contact the official governmental, supranational, or international body that maintains the relevant source list. Since OpenAleph re-publishes data from these authorities, corrections and delistings at the source will be reflected in OpenAleph through our regular update process.

You may also contact us directly (see Section 1). We will review your request and, where appropriate, annotate, correct, or remove the data in question. However, we note that in most cases, the appropriate remedy is to seek correction or delisting from the original publishing authority.

4. Non-Public Data and Authenticated Access

Certain datasets available on OpenAleph are accessible only to authenticated (logged-in) users. These may include data that is not available in public sources elsewhere.

Access to non-public data is restricted and granted on the basis of a legitimate research or journalistic purpose. The legal basis for processing this data is Art. 6(1)(f) GDPR (legitimate interests in supporting investigative journalism and research) and, where applicable, Art. 85 GDPR.

5. Website Access and Server Logs

When you visit OpenAleph, our servers automatically collect:

  • IP address
  • Date and time of access
  • Pages visited and resources requested
  • Browser type and operating system
  • Referring URL

This data is processed on the basis of Art. 6(1)(f) GDPR (legitimate interests in ensuring the security, stability, and proper functioning of the website). Server logs are retained for 7 days and then deleted.

6. User Accounts

User accounts are managed through a self-hosted Keycloak identity provider. If you create an account on OpenAleph, we process:

  • Email address
  • Name (if provided)
  • Password (stored as a cryptographic hash by Keycloak)

This data is processed on the basis of Art. 6(1)(b) GDPR (performance of a contract / provision of the service you requested). Account data is retained for the duration of your account and deleted upon request.

7. Cookies and Tracking

OpenAleph uses only technically necessary cookies required for the functioning of the platform (e.g., session management and authentication cookies set by the application and the Keycloak identity provider). We do not use tracking cookies, advertising cookies, or analytics services.

8. Email Contact

If you contact us by email, we process your email address, name (if provided), and the content of your message for the purpose of handling your inquiry. The legal basis is Art. 6(1)(f) GDPR (legitimate interests in responding to inquiries) or, where your inquiry relates to a contract, Art. 6(1)(b) GDPR. We delete this data once your inquiry has been fully resolved, unless legal retention obligations apply.

9. Hosting and Processors

OpenAleph is hosted on our own physical servers located in a colocation facility within the European Union. All data processing takes place exclusively within the EU/EEA. No personal data is transferred to third countries.

All processors are bound by data processing agreements in accordance with Art. 28 GDPR.

10. Content Delivery Network

Static assets (stylesheets, logos) are served from our own content delivery infrastructure at cdn.investigativedata.org. No third-party CDN providers are used.

11. Security

Communication with OpenAleph is encrypted via TLS (HTTPS). We take appropriate technical and organizational measures to protect your data against unauthorized access, loss, or manipulation.

12. Automated Decision-Making

We do not use automated decision-making or profiling as defined by Art. 22 GDPR.

13. Your Rights

Under the GDPR, you have the following rights with respect to your personal data:

  • Right of access (Art. 15 GDPR) — You may request information about whether and what personal data we process about you.
  • Right to rectification (Art. 16 GDPR) — You may request correction of inaccurate personal data.
  • Right to erasure (Art. 17 GDPR) — You may request deletion of your personal data, subject to legal exceptions.
  • Right to restriction of processing (Art. 18 GDPR) — You may request that we restrict the processing of your data in certain circumstances.
  • Right to data portability (Art. 20 GDPR) — You may request to receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21 GDPR) — You may object to processing based on legitimate interests at any time. We will then review whether our compelling legitimate grounds override your interests.
  • Right to lodge a complaint (Art. 77 GDPR) — You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

To exercise your rights, contact us at the address provided in Section 1. We will respond within one month as required by Art. 12(3) GDPR, and aim to respond sooner where possible.

Note regarding data in the OpenAleph database: For data sourced from public sanctions lists, PEP databases, or company registries, please see Section 3.4 above. The right to erasure under Art. 17 GDPR is subject to exceptions, including processing for journalistic purposes (Art. 17(3)(a) GDPR) and processing in the public interest (Art. 17(3)(d) GDPR).

14. Changes to This Policy

We may update this privacy policy from time to time. The current version is always available on this page. Material changes will be noted with an updated revision date.

Version 1.0 | 2026-03-17 | legal@dataresearchcenter.org