
Privacy Policy | NiamonX LTD.

The original document is in English only. The last date of document revisions and edits was November 15, 2025.

Privacy Policy

NiamonX LTD

Last Updated: November 15, 2025

Legal Entity: NiamonX LTD

Registration Number: 16710504 (England & Wales)

Registered Address: 71–75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

Contact Information:

1. Introduction

1.1.

This Privacy Policy (hereinafter referred to as the "Policy") governs the processing of personal data and other information when using the international OSINT and cybersecurity platform NiamonX (hereinafter referred to as the "Platform" or "Service"), operated by NiamonX LTD (hereinafter referred to as the "Company", "we", "us", "our").

1.2.

The Platform includes, in particular, access to the following functional modules and tools (including, but not limited to):

  • Dashboard, Pricing, NiamonX Academy (Academy Dashboard, Courses)
  • Data Breach Search (Public Breaches, ULP, PBS v2)
  • Breach Monitoring (Manage, Reports)
  • OSINT Tools (Visual OSINT, Reverse Image Search 18+, Social Media Search, Brand Reputation, Exif Remover, Flight Info / Schedules / Delay / Tracker)
  • Networks and WiFi (WiFi Map and Data Search, IP Intelligence Search, IP Calculator, IP Explorer, GlobeLine Ping / DNS, GeoPing, GeoDNS, DNS Resolver/Reverse, IP Reverse Lookup, IP Informations, ASN Informations)
  • Website and Host Analysis (Phishing Check, Host Diagnostics, Domain WHOIS, Web Screenshot, Web to PDF, IP WHOIS, Subdomains Check / V2, URL Shortener, DNSSEC, DMARC, PageRank, Domain Rank, Microsoft Tenant, SSL/TLS Conf, Security Headers)
  • Email and Accounts (Gmail Generator, Temp Mail)
  • Payment Security (BIN Card Checker, Test Card Generator)
  • Virus Check (Check URL, File Hash, Domain, IP)
  • Cyber Tools (Password Generator, Proxy List / v2, Time Zone, Password Check)
  • CorpData and Vulnerabilities (EntityGraph, VulnAtlas, InfraDB)
  • Crypto and Sanctions (BlockChain Explorer, Sanction Atlas, Cryptocurrency Sanctions Check, IP Sanctions Check)
  • OSINT Maps (Maps Explorer, Airspaces Map, Sea Map, Flight Radar, NASA GIBS, NASA Black Marble)
  • Services: AI Chat, WiFi Map, Osint Agent AI, Temp Mail, Password Vault
  • Other / Documentation: WiKi (Search Guide), API, FAQ, Data Wells, Limits, Profile Settings, Notification, Category, API Query, Update List, Blog, Support, and others

1.3.

By using the Platform, you (hereinafter referred to as "User", "you") confirm that you:

  • have carefully read this Policy;
  • understand and unconditionally accept its terms;
  • agree that all responsibility for the methods of using the Platform, data entered, information analyzed, and search queries performed lies exclusively with you.

1.4.

If you do not agree with this Policy in whole or in part, you must immediately cease using the Platform and refrain from further access to NiamonX tools.

2. Role of the Company (Controller / Processor)

2.1.

Depending on the specifics of data processing, the Company may act as:

  • Data Controller – when processing data necessary for the operation of the Platform itself, including: registration, user accounts, billing, security, support, and analytics.
  • Data Processor – when the User initiates search, analysis, monitoring, file uploads, images, URLs, IP addresses, domain names, and other data through the Platform's tools.

2.2.

The Company does not conduct legal verification of the legitimacy of requests made by the User and does not verify whether the User has legal grounds to process, view, analyze, or verify data that the User:

  • enters manually;
  • uploads;
  • requests through the Platform's tools;
  • otherwise submits for processing.

2.3.

The User independently and fully bears responsibility for compliance with applicable legislation (including, but not limited to, GDPR, UK-GDPR, CPRA, local criminal, administrative, and civil legislation of their jurisdiction) when using the Platform.

2.4.

Under no circumstances does the fact that the Platform provides technical capabilities for searching, analyzing, monitoring, visualizing, or verifying data mean that the Company:

  • confirms the legality of such User actions;
  • assumes any control, guarantee, or responsibility for the legal consequences of such actions.

3. Categories of Processed Data

3.1. Data Provided by the User

3.1.1.

During registration, use, and account configuration, the following may be processed, in particular:

  • name (or pseudonym), login, email address;
  • password (subjected to strong hashing using bcrypt or Argon2id before storage);
  • data necessary for invoicing and payment processing (processed and/or stored only by verified third-party payment providers);
  • materials uploaded by the User: images, files, URLs, domains, IP addresses, cryptocurrency addresses, text queries, and other information;
  • queries to OSINT tools;
  • profile settings and user preferences.

3.1.2.

All specified data and information transmitted by the User are encrypted at the application level using the scheme AES-256-GCM → Envelope Encryption → KMS → HSM, whereby:

  • encryption is applied to data both in transit and at rest;
  • unique IVs/nonces are used for different fields;
  • encryption keys (DEK) are themselves encrypted with higher-level keys (KEK) and are not stored together with the data.

3.2. Technical and Telemetry Data

3.2.1.

The Platform may collect and process technical information, including but not limited to:

  • authentication data and login/logout events;
  • security technical telemetry;
  • aggregated API statistics;
  • anonymized device fingerprint and device/browser information.

3.2.2.

Zero-Log Policy. NiamonX implements a zero-log principle for user tool queries:

  • the content of OSINT searches and tool usage is not stored on the Company's servers;
  • query history may be stored only locally on the User's device (in the browser, localStorage, or similar) and is not transmitted to the Company.

3.3. Breach Data and Open Source Data (Public Breach Data / OSINT Data)

3.3.1.

The Platform works with:

  • open, publicly available, and previously compromised databases;
  • open source intelligence (OSINT) data provided by external suppliers, operators, and partners;
  • other public or semi-public sources where data access is carried out within the legal frameworks of respective jurisdictions.

3.3.2.

The Company:

  • does not decrypt, modify, or supplement breach data beyond technically necessary processing;
  • displays only those fields that are permitted in accordance with applicable law and NiamonX security policy;
  • hides sensitive fields that may present increased risk and does not index such fields for user search;
  • does not provide access to closed, non-public, or knowingly illegally obtained information if such access directly contradicts applicable legislation.

3.3.3.

The User acknowledges that:

  • breach data may be incomplete, outdated, erroneous, or obtained by third parties as a result of security incidents;
  • the Company is not responsible for the origin of this data and its initial acquisition by third parties;
  • the use of such data is justified exclusively for cybersecurity purposes, self-verification, account protection, infrastructure protection, risk analysis, and other lawful purposes.

4. Legal Bases and Purposes of Data Processing

4.1.

The Company processes data on the following legal bases (to the extent permitted by applicable legislation, including GDPR, UK-GDPR, CPRA, and similar regulations):

  • Performance of Contract (Art. 6(1)(b) GDPR) – providing access to the Platform, user account, paid and free services, support, billing, subscription management;
  • Legitimate Interest (Art. 6(1)(f) GDPR) – ensuring information and cybersecurity, preventing abuse, protecting the rights and interests of the Company, users, and third parties;
  • User Consent (Art. 6(1)(a) GDPR) – in cases where such consent is required (for example, certain types of marketing or analytical cookies, additional features);
  • Legal Obligations (Art. 6(1)(c) GDPR) – compliance with legal requirements, regulations, obligations to retain/delete information, and responding to lawful requests from authorized authorities.

4.2.

Data processing is carried out exclusively for the purposes of:

  • providing Platform functionality;
  • technical and cryptographic data protection;
  • preventing and investigating security incidents;
  • accounting and invoicing;
  • providing technical support;
  • compliance with applicable law and legal obligations.

5. User Responsibility

5.1.

The User warrants and represents that they:

  • have all necessary legal grounds for entering, analyzing, uploading, and processing any data that they use with the Platform (including, but not limited to, personal data of third parties, domain names, IP addresses, images, cryptocurrency wallets, etc.);
  • use the Platform exclusively within the framework of applicable legislation of their jurisdiction and jurisdictions that may be affected by the processed data;
  • do not use the Platform for unlawful purposes (including surveillance, stalking, discrimination, fraud, hacking, unauthorized system access, violation of privacy rights, etc.).

5.2.

The User acknowledges and agrees that:

  • the Company is not the User's legal advisor;
  • the Company does not verify the lawfulness of the User's data processing and does not guarantee the lawfulness of such processing;
  • all legal, criminal, civil, and other liability for using the Platform lies exclusively with the User.

5.3.

The User undertakes to:

  • not enter into the Platform data whose processing is directly prohibited by law;
  • when necessary, obtain consent from data subjects or other legal grounds before using their data on the Platform;
  • not attempt to circumvent technical limitations of the Platform, including restrictions on viewing sensitive or hidden fields.

6. Limitation and Exclusion of Company Liability

6.1.

To the maximum extent permitted by applicable law, the Company, its affiliates, directors, employees, contractors, and partners are not liable for:

  • the accuracy, completeness, timeliness, legality, or quality of any data obtained or displayed through the Platform (including breach data, OSINT data, information from partners and suppliers);
  • any damage, direct or indirect, tangible or intangible, reputational or otherwise, caused to the User, third parties, or any data subjects as a result of using or inability to use the Platform;
  • consequences of incorrect interpretation by the User of search or analysis results;
  • the User's use of data obtained through the Platform outside the framework of lawful and ethically acceptable purposes;
  • the operation of external services, APIs, antivirus systems, data providers, operators, payment providers, and other third parties.

6.2.

The Platform is provided on an "AS IS" and "AS AVAILABLE" basis. The Company:

  • does not guarantee continuous, error-free, failure-free, and vulnerability-free operation of the Platform;
  • does not guarantee that any identified defects will be corrected within specific timeframes;
  • reserves the right to fully or partially suspend or discontinue providing any features without prior notice if necessary for technical, legal, regulatory, or other reasons.

6.3.

Platform tools may be temporarily unavailable:

  • due to technical work, updates, migrations;
  • for reasons beyond the Company's control (failures at providers, data centers, global networks);
  • due to other force majeure circumstances.

The Company is not liable for access interruptions and related consequences.

7. Technical Architecture and Security (Multi-Layer Protection Model)

7.1. Layer 01 — Secure Authentication & Identity Layer

7.1.1.

Authorization and identity management are carried out through Zitadel IAM via secure channels hosted in Reykjavik, Iceland.

7.1.2.

The following are applied:

  • AES-256-GCM within the ZITADEL Storage Encryption Layer;
  • secure storage of passwords (bcrypt or Argon2id), refresh and ID tokens, private keys, OAuth credentials;
  • strict password policies, secret rotation, mandatory 2FA/multi-factor authentication (where applicable);
  • automatic anomaly detection (session hijacking, unusual geolocation, abnormal behavior) and account isolation;
  • NiamonX employee access to administrative environments exclusively through signed corporate VPN endpoints and trusted hardware keys.

7.2. Layer 02 — Encrypted Data Processing & Storage

7.2.1.

All user information transmitted during registration, login, account management, and feature usage is protected by:

  • Application-Level Encryption using AES-256-GCM;
  • Envelope Encryption (DEK → KEK → KMS → HSM);
  • additional protection in the form of Transparent Data Encryption (TDE) at the database level.

7.2.2.

Personal data and other PII are anonymized or pseudonymized where possible.

7.2.3.

API keys and other sensitive secrets:

  • are hashed using SHA-256 or equivalent/stronger schemes;
  • are never displayed in clear text after initial generation;
  • are not subject to recovery in their original form.

7.2.4.

When transmitting data to third-party services (including at the User's request):

  • data is anonymized and de-identified where possible;
  • requests are cryptographically signed using secure keys;
  • interaction is carried out only via encrypted protocols (e.g., TLS 1.2+), with appropriate consent and within lawful grounds.

7.2.5.

The Company adheres to a zero-log principle regarding query content: queries generated by the User through Platform tools are not stored on servers and are stored only locally in the User's browser.

7.3. Layer 03 — Personnel Access Control & AI Oversight

7.3.1.

All actions of Company employees in administrative consoles and service interfaces are:

  • subject to mandatory logging;
  • analyzed by local AI security models in near real-time.

7.3.2.

Principle of Least Privilege:

  • each employee is granted only those rights strictly necessary to perform their functional duties;
  • data access is limited by department, role, and operational context.

7.3.3.

Any anomalous actions (suspicious behavior in HelpDesk, administrative panels, access to atypical data segments) result in:

  • automatic or manual suspension of access until verification is complete;
  • isolation of the relevant node or cluster if a confidentiality breach is suspected.

7.3.4.

Company employees by default see the minimum possible volume of data, typically in anonymized or aggregated form, exclusively for support and technical troubleshooting purposes.

7.4. Layer 04 — Confidential Data & Public Leak Protection

7.4.1.

All sensitive and breach-related data are protected by:

  • field-level encryption using AES-256-GCM with unique IV/nonce;
  • envelope encryption (each DEK is encrypted with a KEK stored in a dedicated KMS/HSM);
  • regular key rotation and prohibition of co-storage of keys and data.

7.4.2.

Developers, operators, DevOps, and other technical specialists do not have access to:

  • original PII values;
  • private cryptographic materials;
  • unencrypted breach datasets.

7.4.3.

Confidential Computing environments are used for critically sensitive operations, providing:

  • data protection in memory at the processor level;
  • hardware isolation of computing environments;
  • minimization of the risk of clear data appearing outside protected perimeters.

7.4.4.

Data received from partners and external suppliers:

  • undergo anonymization and integrity verification procedures;
  • are delivered to the client directly where possible, bypassing excessive transit storage and processing.

8. Data Transfer to Third Parties

8.1.

The Company may transfer a limited volume of data to third parties exclusively in the following cases and within the following limits:

  • Payment Providers – for processing transactions, billing, refunds, and related financial operations;
  • Antivirus Companies and Verification Tool Providers – upon User requests (checking URLs, files, hashes, domains, IP addresses) – anonymized and de-identified data sufficient to perform the check are transferred, without transferring PII;
  • Data Providers, Operators, OSINT Partners – receive only anonymized, de-identified, aggregated, or otherwise limited data, except in cases where the User independently and knowingly directs data directly to a third-party service as part of their request;
  • Government Authorities and Courts – exclusively upon receipt of a lawful, properly executed, and mandatory requirement, to the minimum extent necessary to fulfill such requirement.

8.2.

The Company does not transfer:

  • original, unencrypted breach databases;
  • raw identifying personal data of the User to third parties, except as expressly provided by law or necessary for contract performance (e.g., payment operations).

8.3.

All external suppliers and data processors are required to comply with levels of protection comparable to NiamonX levels and to enter into appropriate data protection agreements (Data Processing Agreements, SCCs, IDTA, etc.) where required.

9. Data Retention Periods

9.1.

User Accounts and Profile: account data is stored until the account is deleted by the User themselves or until further storage becomes unreasonable or prohibited by applicable legislation.

9.2.

Security Logs and Service Telemetry: stored for the minimum necessary period determined by security purposes, troubleshooting, legal compliance requirements, and internal security policies.

9.3.

Tool Queries and OSINT Search Content: not stored on NiamonX servers and stored only locally on the User's device (in their browser or other local environment).

9.4.

Partner and External Supplier Data: stored exclusively in encrypted form and no longer than necessary for the purposes for which they were provided or within legal requirements.

9.5.

When data is deleted, including the account:

  • the corresponding cryptographic keys used to access the data are subject to deletion or rotation;
  • key deletion makes recovery of encrypted data technically impossible.

10. Data Subject Rights (GDPR / UK-GDPR / CPRA and Similar)

10.1.

Within the scope of applicable legislation (in particular, GDPR, UK-GDPR, CPRA, and similar regulations), the User and, where appropriate, other data subjects have the right to:

  • request confirmation of the fact of processing and obtain a copy of their personal data;
  • demand correction of inaccurate or incomplete data;
  • in certain cases – demand deletion of data ("right to be forgotten");
  • restrict data processing;
  • object to certain types of processing;
  • request data portability in a structured machine-readable format;
  • file complaints with the competent data protection supervisory authority.

10.2.

Requests to exercise data subject rights should be sent to: [email protected] or [email protected].

10.3.

Upon receiving a request, the Company may ask for additional information necessary to verify identity and prevent unauthorized access to data.

10.4.

Data deletion, when there are legal grounds, is carried out as completely as possible and includes, when necessary, irreversible destruction of cryptographic keys, making further data recovery impossible.

11. International Data Transfers

11.1.

Data processing and storage may be carried out in data centers and infrastructure located in:

  • the European Union (EU);
  • Iceland;
  • the United Kingdom (Great Britain);
  • the United States of America and other countries where trusted infrastructure providers are located.

11.2.

In case of data transfer to third countries (outside the EU/EEA or the United Kingdom), the Company:

  • uses secure communication channels (TLS and other modern protocols);
  • applies Standard Contractual Clauses (SCCs), UK IDTA, or other recognized transfer mechanisms;
  • takes necessary technical and organizational measures to ensure a level of data protection comparable to GDPR/UK-GDPR requirements.

12. Cookies, Local Storage, and Similar Technologies

12.1.

The Platform may use:

  • strictly necessary (functional) cookies – to ensure website operation, authentication, saving basic settings;
  • security cookies – to prevent fraud, protect sessions, and detect abnormal activity;
  • localStorage mechanism or similar local storage to save query history and user settings on the User's device.

12.2.

OSINT search and tool query history:

  • is not transmitted to NiamonX servers;
  • is stored and controlled exclusively by the User on their device.

12.3.

The User may limit or disable the use of cookies and localStorage in their browser; however, this may result in partial or complete unavailability of Platform functionality.

13. Service Availability and Technical Interruptions

13.1.

The Company strives to ensure high availability of the Platform and maximum possible continuity of service provision.

13.2.

However, the User acknowledges and agrees that:

  • tools and services may be temporarily unavailable due to technical maintenance, updates, migration, provider outages, external attacks, or other circumstances;
  • the functionality of certain features depends on the operation of external APIs, services, data providers, and operators, for the quality and availability of which the Company is not responsible.

13.3.

The Company does not guarantee:

  • one hundred percent service availability (100% uptime);
  • absence of delays, interruptions, or limitations on request speed/volume.

13.4.

NiamonX LTD is not liable for any damage, direct or indirect, caused by inability or difficulty accessing the Platform, response delays, or technical failures.

14. Protection of Minors

14.1.

The Platform is intended exclusively for Users who have reached 18 years of age or other age of full legal capacity according to the law of the relevant jurisdiction.

14.2.

By using the Platform, the User warrants that they have sufficient legal capacity and the right to enter into contractual relations with the Company.

15. Relationship to Legal Advice

15.1.

Neither this Policy, nor any interfaces, search results, reports, or conclusions obtained through the Platform constitute legal advice and may not be considered as such.

15.2.

The User bears independent responsibility for obtaining independent legal, compliance, or other professional advice regarding the lawfulness of their actions and use of data.

16. Updates to this Policy

16.1.

The Company reserves the right to unilaterally amend and supplement this Policy at any time if required:

  • to comply with applicable legislation and regulatory requirements;
  • in connection with Platform development and the emergence of new features;
  • to enhance security and data protection levels.

16.2.

The updated version of the Policy enters into force from the moment of its publication on the relevant website/domain controlled by NiamonX LTD, unless otherwise expressly stated.

16.3.

By continuing to use the Platform after changes enter into force, the User expresses consent to the updated Policy. If the User does not agree with the new terms, they must cease using the Platform and, if necessary, request deletion of their account.



Support Email

Need assistance with our AI tools, platform, or integrations? Our support team is here to help.

[email protected]

Legal & Compliance

For legal inquiries, compliance questions, or documentation requests, contact our legal team.

[email protected]

Data Removal Requests

To request data removal, takedowns, or privacy-related actions, contact our security desk.

[email protected]