
GDPR Data Processing Notice (EU VERSION) | NiamonX LTD.

The original document is in English only. The last date of document revisions and edits was November 15, 2025.

🇪🇺 GDPR COMPLIANCE NOTICE Regulation (EU) 2016/679

User data of European users is processed and stored, in cryptographically protected form, by OVH at the OVHcloud SBG5 data center (9 Rue du Bassin de l'Industrie 6700, Strasbourg, France) and at the OVHcloud DE1 data center in Frankfurt, Germany (Limburger Str. 45, Limburg).

GDPR Data Processing Notice

NiamonX LTD — EU / EEA Data Subjects

Last updated: 15 November 2025

Controller: NiamonX LTD

Company number: 16710504 (England & Wales)

Registered address: 71–75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

Contact details for data protection matters:

This document is intended to provide information required by Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR) to data subjects whose personal data may be processed in connection with the NiamonX platform and its tools.


1. Identity and Contact Details of the Controller

For the processing described in this notice, the controller is:

NiamonX LTD

71–75 Shelton Street,
Covent Garden, London,
United Kingdom, WC2H 9JQ
Company No. 16710504

Contact for GDPR matters: [email protected]

In certain circumstances (e.g. where NiamonX acts pursuant to a contract with an EU corporate customer), we may act as processor instead of controller. In that case, the primary controller is our customer, and our processing is governed by a Data Processing Agreement (DPA).


2. Categories of Personal Data Processed

Depending on your relationship with NiamonX and how the platform is used, we may process:

2.1. Directly collected data (from you)

  • Identification and contact details: name, username/login, email address, associated organization (if provided);
  • Authentication data: hashed password (bcrypt or Argon2id), 2FA or security tokens;
  • Configuration and usage data: tool configuration, language, preferences;
  • Support requests: content of communications with our support or legal team.

2.2. Technical and security data

  • IP address, connection timestamps, session identifiers;
  • Device and browser information (user‑agent, OS, device type) in pseudonymous form;
  • Logs related to security events (login attempts, abnormal usage patterns).

2.3. Data about other individuals processed by our users

When you use NiamonX tools, you may input or analyze data that relates to third parties, such as:

  • email addresses, usernames or identifiers found in breach datasets;
  • domain names and IP addresses associated with natural persons;
  • OSINT‑derived information, including social media references or public profile data;
  • images or documents that may contain personal data.

In such cases:

  • NiamonX typically acts as a processor of this data;
  • You (or your organization) act as the controller responsible for informing data subjects and establishing a legal basis;
  • NiamonX does not contact these individuals and does not independently identify them.

2.4. Payment‑related data

We use third‑party processors for payments:

Stripe (card payments): independent controller. Please see Stripe Privacy Policy.

NOWPayments (cryptocurrency payments): independent controller. Please see NOWPayments Privacy Policy.

NiamonX may receive limited billing metadata from these providers (e.g. payment status, transaction ID, last 4 digits of card, type of asset, timestamp), but does not receive full card numbers or private crypto keys.


3. Purposes of Processing and Legal Bases

When NiamonX acts as controller, we process personal data for the following purposes and legal bases:

1. Account creation and contract performance

Purpose: creating and managing user accounts, providing access to tools and services.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

2. Billing, payments and accounting

Purpose: handling subscription fees, invoicing, financial records.

Legal basis: Art. 6(1)(b) and Art. 6(1)(c) GDPR (contract and legal obligations).

3. Security, fraud prevention and abuse detection

Purpose: protecting systems, detecting suspicious activities, preventing misuse.

Legal basis: Art. 6(1)(f) GDPR (legitimate interests in maintaining the security and integrity of the platform).

4. Compliance with legal obligations

Purpose: responding to lawful requests by competent authorities, maintaining records required by law.

Legal basis: Art. 6(1)(c) GDPR (legal obligation).

5. Optional communications / marketing (if any)

Purpose: sending information about updates or new features, where legally permissible.

Legal basis: Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR (legitimate interest), depending on jurisdictional requirements.

When NiamonX acts as a processor, we process personal data only on behalf of the controller (our customer) and in accordance with the DPA. The customer is responsible for the legal basis and informing data subjects.


4. Recipients and Categories of Recipients

We may share personal data with the following categories of recipients:

  • Payment service providers: Stripe, NOWPayments (independent controllers for their part of the processing);
  • Cloud infrastructure providers: hosting, storage and server providers, operating under data processing agreements;
  • Security and antivirus providers: to perform URL, file hash, domain or IP reputation checks, in anonymized or pseudonymous form;
  • OSINT and data suppliers, operators and partners: for the purpose of providing OSINT and breach‑related results, typically receiving only anonymized/aggregated data unless you directly push data to them as part of your query;
  • Professional advisers: legal, tax or cybersecurity consultants bound by confidentiality;
  • Public authorities and courts: where required by law or binding order.

We do not sell personal data to third parties.


5. International Transfers

Personal data may be transferred to and processed in countries outside the EU/EEA, including:

  • United Kingdom;
  • United States;
  • Iceland;
  • other countries where our providers operate.

Where such transfers occur, we implement appropriate safeguards such as:

  • EU Standard Contractual Clauses (SCCs);
  • UK Addendum (IDTA) where relevant;
  • robust encryption, strict access control, and other technical and organizational measures.

You may obtain more information about these safeguards by contacting [email protected].


6. Data Retention Periods

We retain personal data only as long as necessary for the purposes for which it was collected or as required by law.

  • Account and profile data: retained for the duration of the account and a reasonable period thereafter for legal, security and accounting reasons.
  • Security logs: kept for the minimum period necessary to ensure security and to respond to incidents, then deleted or anonymized.
  • Payment‑related metadata: retained in line with statutory obligations (e.g. accounting and tax retention periods).
  • OSINT/breach query contents: not stored server‑side (zero‑log policy); such data resides only on the user's device.

Upon expiration of retention periods, data is deleted or irreversibly anonymized. In the case of encrypted data, deletion or rotation of keys may render data unrecoverable.


7. Your Rights as a Data Subject

Under GDPR, you have the following rights (subject to conditions and legal limitations):

  1. Right of access (Art. 15): obtain confirmation of whether we process your data and receive a copy of such data.
  2. Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
  3. Right to erasure (Art. 17): request deletion of your personal data in certain circumstances.
  4. Right to restriction of processing (Art. 18): request restriction of processing under specific conditions.
  5. Right to data portability (Art. 20): receive personal data you provided in a structured, commonly used and machine‑readable format and, where technically feasible, transmit it to another controller.
  6. Right to object (Art. 21): object, on grounds relating to your particular situation, to processing based on our legitimate interests.
  7. Right to withdraw consent (Art. 7): where processing is based on consent, you may withdraw it at any time, without affecting prior lawful processing.

To exercise these rights, please contact us at [email protected] or [email protected]. We may need to verify your identity before acting on your request.

Right to lodge a complaint: If you believe that our processing of your personal data infringes GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.


8. Source of Data (Art. 14 GDPR)

In many cases, personal data we process does not come directly from the data subject, but from:

  • our users (customers) who submit data to our tools;
  • publicly accessible sources, including OSINT sources;
  • previously compromised datasets made available by third parties;
  • our payment providers (for billing metadata);
  • our cloud or security providers (technical/telemetry data).

Where we receive personal data indirectly in our capacity as processor, our customer (the controller) is responsible for providing information to data subjects. Where we act as controller and direct communication with the data subject is impossible or would involve disproportionate effort, we rely on Art. 14(5) GDPR exemptions, where applicable.


9. Automated Decision‑Making and Profiling

We do not engage in automated decision‑making or profiling that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR.

We use local AI models and analytics primarily for security monitoring and anomaly detection, not for making purely automated decisions about your rights or access. Security incident responses may involve automated triggers (such as session blocking), but always within our legitimate interest to protect the platform.


10. No Legal Advice

Nothing in this notice or in the operation of the platform constitutes legal advice. Users are responsible for obtaining their own legal, compliance, or professional advice regarding their use of NiamonX tools and any processing of personal data they perform.



