Privacy Policy
Last updated: 2026-06-13
1. Data controller
The controller responsible for the processing of personal data collected through OSINT UI (https://osint-ui.com) is:
- Operator: Alex Fernández Santos (individual)
- Contact and privacy email: osint-ui@proton.me
Any communication relating to data protection, as well as the exercise of the rights granted by the GDPR, is handled exclusively through the email address indicated above.
2. Information we collect
We process only the data necessary to provide the service. Depending on your use of the platform, we may process the following categories of data:
2.1. Account data
- Email address.
- Password hash (bcrypt with cost factor 12; passwords are never stored in plain text).
- Name (optional).
- TOTP secret for two-factor authentication (2FA), stored encrypted with AES-256-GCM.
- Account creation and update timestamps.
2.2. Subscription and payment data
- Subscription tier and status (FREE / PRO).
- Stripe customer ID and subscription ID.
- Your card data is handled directly by Stripe. The app never stores or has access to card numbers.
2.3. Third-party service API keys
- The API keys you enter for external OSINT services are stored encrypted at rest with AES-256-GCM. The app cannot use them beyond your session context.
2.4. Password reset tokens
- Stored hashed (SHA-256) with a limited expiry.
2.5. Tool usage
- A record of which tool was used and when, for the purpose of applying usage limits and producing internal analytics.
2.6. First-party analytics
- Usage events (event name + user ID), without additional cookies.
2.7. IP address
- Used transiently and in memory only, for rate-limiting and abuse prevention. It is not stored long-term.
2.8. Marketing consent
- A consent flag, stored only if you opt in to receive commercial communications.
2.9. Support messages
- The subject and message you send through the support form are emailed to the operator.
3. Purposes and legal bases for processing
| Purpose | Legal basis (GDPR art. 6) |
|---|---|
| Create and maintain your account and provide the service | Performance of a contract (art. 6.1.b) |
| Manage subscriptions and billing/tax obligations | Performance of a contract and legal obligation (art. 6.1.b and 6.1.c) |
| Platform security, rate-limiting, abuse and fraud prevention | Legitimate interest (art. 6.1.f) |
| First-party analytics to improve the service | Legitimate interest (art. 6.1.f) |
| Sending commercial communications | Consent (art. 6.1.a) |
| Non-essential (analytics) cookies | Consent (art. 6.1.a) |
Consent is free, specific, informed and revocable at any time, without affecting the lawfulness of processing carried out before its withdrawal.
4. Retention periods
- Account and subscription data: for as long as the account remains active. After account deletion, data is erased or anonymized, except for data that must be retained by legal obligation.
- Billing data: for the periods required by applicable tax and commercial regulations.
- Password reset tokens: until used or expired.
- Tool usage records and analytics: for the time necessary for limit and analysis purposes, after which they are aggregated or deleted.
- IP address: transiently, with no long-term retention.
- Support messages: for the time necessary to handle and keep a record of the request.
5. Recipients and processors
To provide the service we rely on providers acting as data processors, with whom the corresponding data processing agreements (DPAs) have been (or will be) signed:
| Provider | Purpose | Location |
|---|---|---|
| IONOS | Hosting / VPS | EU (Germany) |
| Stripe | Payment processing | USA |
| Resend | Transactional email delivery | USA |
| Microsoft Clarity | Product analytics / heatmaps (only after cookie consent) | USA |
| Google Tag Manager / Google Analytics | Web analytics (only after cookie consent) | USA |
International transfers
Some of these providers are located outside the European Economic Area. Such transfers are covered by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, by the EU-US Data Privacy Framework (in the case of Stripe), ensuring an adequate level of protection.
6. Your rights
You may exercise the following rights granted by the GDPR:
- Access to your personal data.
- Rectification of inaccurate data.
- Erasure ("right to be forgotten") — the app includes a "delete account" feature.
- Objection to processing.
- Restriction of processing.
- Portability — the app offers an "export my data" feature.
- Withdrawal of consent at any time.
To exercise any of these rights, write to osint-ui@proton.me. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at https://www.aepd.es if you believe the processing does not comply with the regulations.
7. Security measures
We apply appropriate technical and organizational measures, including:
- Encrypted communications via HTTPS/TLS with HSTS.
- Passwords protected with bcrypt (cost 12).
- API keys and TOTP secrets encrypted at rest with AES-256-GCM.
- JWT sessions and optional 2FA.
- Rate limiting and admin-gated access control.
- Data minimization and encrypted secrets management.
8. Changes to this policy
We may update this Privacy Policy to reflect legal, technical or operational changes. The "last updated" date indicates the current version. We recommend reviewing it periodically. Material changes may be communicated through the platform or by email.