🇬🇧 UK GDPR VERSION
UK GDPR + DPA 2018
Privacy Policy (UK GDPR Version)
NiamonX LTD
This Privacy Policy (UK GDPR Version) explains how NiamonX LTD ("NiamonX", "we", "us", "our") processes personal data in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 and any other applicable UK data protection laws.
By using the NiamonX platform while located in the United Kingdom or subject to UK data protection law, you acknowledge that you have read, understood and accepted this Policy.
1. Scope and Services Covered
1.1.
This Policy applies to the processing of personal data carried out by NiamonX in connection with the use of the NiamonX OSINT and cybersecurity platform, including all tools and services made available under domains controlled by NiamonX LTD, for example (non‑exhaustively):
1.2.
If you do not agree with this Policy, you must cease using our services immediately.
2. Roles under UK Data Protection Law
2.1.
For the purposes of UK GDPR, NiamonX may act as:
Data Controller
When we decide the purposes and means of processing personal data (e.g. account data, limited billing information, security logs, platform administration, fraud prevention).
Data Processor
When we process personal data strictly on the instructions of another controller (e.g. a corporate customer) and only for their purposes, for example, when you use our tools to analyse data regarding third parties.
2.2.
When you use our tools as an individual or on behalf of your organisation to process personal data of third parties (e.g. OSINT data, breach data, domain/IP information linked to individuals, social media identifiers), you or your organisation are generally the controller of that data. NiamonX acts as processor to the extent we merely host, encrypt and technically process such data on your behalf.
2.3.
NiamonX does not verify:
- whether you have a lawful basis to process such personal data;
- whether your processing complies with UK GDPR, sectoral legislation, or any professional/confidentiality obligations.
This responsibility lies solely with you and/or your organisation as controller.
3. Categories of Personal Data We Process
3.1. Data you provide directly
We may process the following data that you provide to us:
- Identification and account data: name or alias, username/login, email address, organisation (if specified);
- Authentication data: password (stored in hashed form using bcrypt or Argon2id), security tokens, 2FA information;
- Account configuration: language and regional preferences, tool configuration, notification settings;
- User content: uploaded files, images, documents, URLs, domain names, IP addresses, blockchain addresses, queries, notes and any other data you submit through the platform;
- Support and communication data: content of emails or messages sent to Support, Legal, Takedown or other contact addresses.
All such data is protected using strong encryption (see Section 7).
3.2. Technical and security data
We may also process:
- IP addresses used to access the platform;
- timestamps and metadata of logins and security events;
- device and browser information (user‑agent, OS, device type), typically in pseudonymous form;
- aggregated usage statistics, error logs, and telemetry necessary for security and performance monitoring.
Zero‑log policy for query contents:
The contents of your OSINT or tool queries (i.e. search targets, parameters, specific strings) are not stored on our servers. These are stored only locally on your device or browser (for example via localStorage) under your exclusive control.
3.3. Breach and OSINT‑derived data
We may process breach‑related and OSINT‑derived data obtained from:
- publicly accessible sources;
- datasets released following third‑party data breaches;
- specialised data suppliers, operators and partners.
In this context:
- we do not create, decrypt or enrich those datasets beyond what is technically necessary;
- we display only fields that are legally permissible and in line with our internal safety rules;
- we hide, mask or avoid indexing fields considered sensitive or high‑risk where appropriate;
- we do not provide access to evidently non‑public elements where doing so would clearly violate applicable law.
We do not independently verify the origin or legal compliance of all external datasets; the responsibility for lawful use lies with the original controllers and with you when you process such data via our tools.
3.4. Payment‑related data (via Stripe and NOWPayments)
We rely on specialist payment service providers:
Stripe for card payments. Stripe acts as an independent controller for processing card details. We do not receive or store full card numbers or sensitive authentication data. For details see the Stripe Privacy Policy.
NOWPayments for cryptocurrency payments. NOWPayments acts as an independent controller for its processing of payment‑related data. For details see the NOWPayments Privacy Policy.
NiamonX may receive limited billing metadata (e.g. transaction ID, payment status, currency, asset type, last 4 digits of card, timestamp, subscription ID), but not full card numbers or private cryptographic keys.
4. Purposes and Legal Bases (UK GDPR)
When NiamonX acts as controller, we process personal data for the following purposes and legal bases under UK GDPR:
1. Account creation and management
Purpose: creating, maintaining and administering user accounts; providing access to the platform and tools; handling customer queries.
Legal basis: performance of a contract or steps taken at your request prior to entering into a contract (UK GDPR Art. 6(1)(b)).
2. Provision of services and platform functionality
Purpose: enabling use of tools, dashboards, analytics, and related services.
Legal basis: performance of a contract (Art. 6(1)(b)).
3. Billing, payments, invoicing and accounting
Purpose: processing subscription payments, managing invoices, maintaining accounting records and tax compliance.
Legal basis: performance of a contract (Art. 6(1)(b)) and legal obligations (Art. 6(1)(c)).
4. Security, fraud prevention and abuse detection
Purpose: protecting our infrastructure and systems, preventing misuse, detecting abnormal or suspicious activities, investigating incidents.
Legal basis: legitimate interests (Art. 6(1)(f)), namely ensuring the security and integrity of our platform and protecting users and third parties.
5. Compliance with legal obligations and enforcement of rights
Purpose: responding to legally valid requests of public authorities or courts, complying with statutory obligations, and defending or exercising legal claims.
Legal basis: legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)).
6. Optional communications and improvements
Purpose: sending information about new features or changes (where permissible), improving services, performing internal analytics (in aggregate/pseudonymous form).
Legal basis: legitimate interests (Art. 6(1)(f)) and, where required, consent (Art. 6(1)(a)).
When NiamonX acts as a processor, we process personal data only on the documented instructions of the controller (e.g. an enterprise customer) in accordance with a Data Processing Agreement, and we rely on the controller's legal basis.
5. User Responsibility and Lawful Use
5.1.
You acknowledge and agree that you are solely responsible for:
- ensuring that you have a valid lawful basis under UK GDPR (or other applicable law) for processing personal data via our platform;
- providing all necessary notices to data subjects and, where appropriate, obtaining valid consent;
- ensuring that your use of NiamonX tools complies with all applicable laws, including but not limited to data protection law, criminal law, professional secrecy, employment law, and sector‑specific regulation.
5.2.
NiamonX does not verify or guarantee:
- that your processing activities are lawful;
- that you have satisfied any transparency or accountability obligations towards data subjects.
5.3.
You must not use our platform to:
- stalk, harass, discriminate against or unlawfully monitor individuals;
- engage in hacking, illegal intrusion, system compromise or unauthorised access;
- unlawfully obtain or misuse personal data from breaches or OSINT sources.
All legal, civil and criminal responsibility for your use of the platform remains with you.
6. Disclaimers and Limitation of Liability
6.1.
To the fullest extent permitted by UK law, NiamonX LTD and its affiliates, directors, officers, employees and agents shall not be liable for:
- any inaccuracies, omissions, or delays in breach datasets, OSINT sources, or external feeds displayed via our platform;
- any loss or damage, whether direct, indirect, incidental, consequential or punitive, resulting from your reliance on data or results obtained through the platform;
- any unlawful or non‑compliant use of personal data by you or by third parties using your credentials;
- any non‑availability or malfunction of external services, APIs, data providers, antivirus companies, operators or payment processors (including Stripe and NOWPayments);
- any unavailability or degradation of the NiamonX platform due to maintenance, technical issues, or force majeure events.
6.2.
The platform is provided on an "AS IS" and "AS AVAILABLE" basis. While we aim for high availability and security, we do not warrant that:
- the platform will be uninterrupted, timely, secure or error‑free;
- any defects will be corrected within a specific timeframe;
- the platform meets your specific legal or compliance requirements.
6.3.
Nothing in this Policy seeks to exclude or limit any liability that cannot be excluded or limited under applicable UK law (for example, liability for death or personal injury caused by negligence, or for fraud).
7. Security Architecture and Encryption
We operate a multi‑layered security model:
7.1. Layer 01 – Secure Authentication & Identity
- Identity management and authentication are performed via Zitadel IAM in Reykjavík, Iceland;
- All communication is encrypted in transit;
- Storage encryption uses AES‑256‑GCM;
- Passwords are hashed with bcrypt or Argon2id; refresh tokens, ID tokens, private keys and OAuth credentials are secured;
- Mandatory 2FA may be enforced;
- Automated detection and isolation of anomalous sessions (session theft, unusual geo‑logins);
- Staff access only via company‑controlled VPN endpoints and hardware security keys.
7.2. Layer 02 – Encrypted Data Processing & Storage
- Application‑level encryption using AES‑256‑GCM, combined with envelope encryption (DEK/KEK) and management through KMS and HSM;
- Transparent Data Encryption (TDE) on database level;
- Personal data is anonymised or pseudonymised where possible;
- API keys are hashed using SHA‑256 and cannot be retrieved in plaintext;
- We operate a zero‑log policy for query contents – requests generated by tools are not stored on our servers, only on your local device.
7.3. Layer 03 – Personnel Access Control & AI Oversight
- All staff actions within administrative and support interfaces are logged;
- Access rights are granted strictly on a "least privilege" basis and restricted by function and department;
- Local AI‑driven monitoring detects anomalous staff or system activities, leading to immediate access suspension where required;
- Servers and infrastructure are continuously monitored, and suspicious nodes or clusters can be isolated pending investigation.
7.4. Layer 04 – Confidential & Breach Data Protection
- Sensitive fields in breach‑related datasets are encrypted at the field level using AES‑256‑GCM with unique IV/nonce pairs;
- Each Data Encryption Key (DEK) is encrypted by a Key Encryption Key (KEK) stored within dedicated KMS/HSM;
- Keys are regularly rotated and are never co‑located with the data;
- Developers and operators have no access to raw PII or cryptographic material;
- Confidential Computing environments are used for critical operations to protect data even in memory;
- Partner‑provided data is anonymised and integrity‑signed before being delivered to clients, bypassing unnecessary transit servers.
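The envelope scheme that Sections 7.2 and 7.4 describe, as an added Go example written for this page rather than NiamonX's own code: each field of a record is sealed with AES-256-GCM under a per-record DEK with its own random nonce, the DEK is wrapped under a KEK, and without that KEK the row cannot be recovered (the effect Section 10 describes when keys are destroyed). It assumes in-memory byte slices in place of KMS/HSM key custody; the function names, the "dek" label used as associated data and any sample field values are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func NewKey() []byte { k := make([]byte, 32); rand.Read(k); return k } // AES-256, for DEKs and the KEK
// seal: fresh 96-bit random nonce per call, aad bound so a ciphertext cannot be moved to
// another field; output is nonce||ct||tag. Keys come from NewKey, so cipher setup cannot fail.
func seal(key, pt, aad []byte) []byte {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, aad)
}
func open(key, blob, aad []byte) ([]byte, error) {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("truncated ciphertext")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}
// EncryptRecord: fresh DEK per record, each field sealed under it (field name as aad),
// DEK wrapped under the KEK and then zeroised; no plaintext key is stored beside the data.
func EncryptRecord(kek []byte, fields map[string]string) ([]byte, map[string][]byte) {
	dek, sealed := NewKey(), map[string][]byte{}
	for name, v := range fields {
		sealed[name] = seal(dek, []byte(v), []byte(name))
	}
	wrapped := seal(kek, dek, []byte("dek"))
	copy(dek, make([]byte, len(dek))) // overwrite the plaintext DEK in memory
	return wrapped, sealed
}
// DecryptRecord must unwrap the DEK with the KEK first; destroying the KEK
// (crypto-shredding, Section 10) leaves every field permanently unrecoverable.
func DecryptRecord(kek, wrapped []byte, sealed map[string][]byte) (map[string]string, error) {
	dek, err := open(kek, wrapped, []byte("dek"))
	if err != nil {
		return nil, err
	}
	out := map[string]string{}
	for name, ct := range sealed {
		pt, err := open(dek, ct, []byte(name))
		if err != nil {
			return nil, err
		}
		out[name] = string(pt)
	}
	return out, nil
}
```

Because the field name is bound as associated data, a ciphertext copied from one column into another fails authentication instead of decrypting to the wrong value.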
8. Sharing Personal Data with Third Parties
We may share limited personal data, where necessary, with:
- Payment processors: Stripe and NOWPayments (see Section 3.4);
- Cloud and infrastructure providers: hosting and storage providers engaged under appropriate data processing agreements;
- Security and antivirus vendors: to check URLs, file hashes, domains and IPs, generally using anonymised or pseudonymised data;
- OSINT and data suppliers, operators and partners: who may receive anonymised or aggregated data, unless you directly push identifiable data to them as part of your query;
- Professional advisers: lawyers, auditors, cybersecurity consultants bound by confidentiality obligations;
- Public authorities and courts: where we are under a legal obligation to disclose data or to defend/exercise legal claims.
We do not sell personal data to third parties.
9. International Data Transfers (from the UK)
9.1.
Personal data may be transferred or accessed from outside the UK, including:
- EU/EEA states;
- Iceland;
- United States;
- other countries where our service providers operate.
9.2.
Where such transfers involve countries without an adequacy regulation, we implement appropriate safeguards, such as:
- the UK International Data Transfer Addendum (IDTA) or UK‑approved Standard Contractual Clauses;
- contractual obligations on recipients to apply equivalent protections;
- strong encryption and technical measures limiting access.
You may request further details of these safeguards by contacting [email protected].
10. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy or as required by UK law.
- Account data: kept for as long as your account is active and for a reasonable period thereafter where necessary for legal, tax or security reasons.
- Security and system logs: retained for the minimum period required for security monitoring, incident response and compliance, after which they are deleted or anonymised.
- Payment‑related metadata: retained in accordance with statutory accounting and tax retention obligations.
- OSINT/breach query contents: not stored on our servers; they exist only locally on your device.
Upon expiry of retention periods, data is securely deleted or irreversibly anonymised. Where data is encrypted, destruction of cryptographic keys may render the data technically unrecoverable.
11. Your Rights under UK GDPR
Under UK GDPR, you have the following rights (subject to conditions and legal limitations):
- Right to be informed – to receive clear, transparent information about how we use your data.
- Right of access – to obtain confirmation of whether we process your personal data and access to such data.
- Right to rectification – to request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") – to request deletion of your personal data in certain circumstances.
- Right to restrict processing – to request restriction where, for example, you contest accuracy or object to processing.
- Right to data portability – to receive your personal data in a structured, commonly used and machine‑readable format and transmit it to another controller, where technically feasible.
- Right to object – to object to processing based on our legitimate interests, on grounds relating to your particular situation.
- Right to withdraw consent – where processing is based on consent, you can withdraw it at any time, without affecting the lawfulness of processing prior to withdrawal.
Right to lodge a complaint
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
We encourage you to contact us first so we can attempt to resolve any concerns.
12. Cookies and Local Storage
We may use:
- Strictly necessary cookies – required for authentication and essential functionality;
- Security cookies – used to prevent fraudulent activity and secure sessions;
- Local storage technologies (e.g. localStorage) – used to store your OSINT query history and preferences locally on your device.
We do not upload your local OSINT query history from your device to our servers.
You may configure your browser to block or delete cookies and local storage. However, this may impair the functionality of the platform or render some services unusable.
13. Minors
Our services are intended exclusively for individuals aged 18 or over or, where higher, the age of majority in the relevant jurisdiction.
We do not knowingly process personal data of children. If you believe that a child's data has been provided to us, please contact [email protected] so that we can investigate and, where appropriate, delete such data.
14. No Legal Advice
Nothing in this Policy, nor any output, report or result generated by the platform, constitutes legal advice. You remain solely responsible for obtaining your own legal or professional advice regarding your use of our tools and your processing of personal data.
15. Changes to this UK GDPR Privacy Policy
We may update this Policy from time to time to reflect:
- changes in UK data protection law or regulatory guidance;
- changes in our services, infrastructure or security practices.
The updated Policy will be published on our website with a revised "Last updated" date. Your continued use of the platform after any such update constitutes acceptance of the updated Policy.
If you do not agree with the updated Policy, you must discontinue use of our services and, where desired, request deletion of your account and data (subject to any legal retention obligations).