1. Scope of this Policy

1.1.

This Privacy Policy applies to the processing of personal data carried out by NiamonX LTD ("NiamonX", "we", "us", "our") in connection with:

• the use of the NiamonX OSINT and cybersecurity platform,
• all tools and services made available under domains controlled by NiamonX LTD, including but not limited to:

1.2.

2. Roles under EU Data Protection Law

2.1.

For the purposes of the GDPR, NiamonX acts as:

2.2.

2.3.

The fact that NiamonX technically allows particular queries or operations does not constitute a legal authorization, endorsement or validation of such activities.

3. Categories of Personal Data

3.1. Data you provide to us

We may process the following categories of data you provide:

• Identification data: name (or alias), username/login, email address;
• Authentication data: password (stored in hashed form using bcrypt or Argon2id);
• Account configuration: preferences, tool configuration, notification settings;
• Uploaded content: images, files, URLs, domains, IP addresses, blockchain addresses, text queries, descriptions and other user‑provided material;
• Support communications: messages you send to our support or legal team.

3.2. Technical and security data

We may collect technical information including:

• authentication logs and events (successful/failed logins, session identifiers);
• security telemetry, including IP addresses used to access the service, approximate geolocation, device identifiers (in pseudonymous form), browser or client data;
• aggregated usage statistics for APIs and tools.

3.3. Breach / OSINT data from external sources

We may process breach‑related datasets and OSINT data that:

• originate from publicly accessible or previously compromised datasets made available by third parties;
• are provided by data suppliers, operators, and partners acting in their own capacity as controllers.

In this context:

• NiamonX does not create, decrypt or augment such datasets beyond what is technically required for search and display;
• NiamonX exposes only fields that are permitted by applicable law and our internal safety policies;
• sensitive fields with elevated risk are masked, hidden or not indexed for search;
• we do not give access to non‑public elements if this would evidently contravene applicable legal provisions.

4. Legal Bases and Purposes of Processing (GDPR)

We rely on the following legal bases under Article 6 GDPR (and equivalent provisions) when acting as a controller:

5. User Responsibility and Lawfulness of Use

5.1.

5.2.

NiamonX does not provide legal advice and does not verify whether:

• you have sufficient legal grounds to process certain data;
• your processing respects local criminal, administrative, employment, financial, professional‑secrecy or sector‑specific rules.

All such responsibility is exclusively yours.

6. Limitation of Liability

6.1.

6.2.

The platform and all services are provided on an "AS IS" and "AS AVAILABLE" basis. We do not warrant:

• uninterrupted or error‑free operation;
• full compatibility with all devices or software;
• absence of vulnerabilities, attacks or external disruptions.

6.3.

7. Security Architecture and Encryption

7.1. Layer 01 — Authentication & Identity (Zitadel IAM)

• Authentication is provided via Zitadel IAM hosted in Reykjavík, Iceland;
• All communication occurs over encrypted channels;
• Storage encryption uses AES‑256‑GCM within the Zitadel Storage Encryption Layer;
• Passwords are stored using bcrypt or Argon2id; refresh tokens, ID tokens, private keys and OAuth credentials are secured;
• Strict password policies, mandatory 2FA (where applicable), and automated detection of anomalous sessions (e.g. session theft, unusual geo‑logins);
• Staff access to authentication systems is restricted to corporate VPN endpoints and hardware‑based security keys.

7.2. Layer 02 — Encrypted Data Processing & Storage

• Application‑level encryption: AES‑256‑GCM with envelope encryption;
• Transparent Data Encryption (TDE) at the database layer;
• Pseudonymization and anonymization techniques used for PII where feasible;
• API keys hashed with SHA‑256 and not retrievable in plaintext;
• Requests generated by your tools are not logged server‑side (zero‑log policy for query contents);
• Browser‑side storage (e.g. localStorage) is used to maintain local query history, controlled by you.

7.3. Layer 03 — Personnel Access & AI Oversight

• All staff actions in administrative and support tools are logged and monitored;
• Access rights are granted on a strict "need‑to‑know" and "least privilege" basis;
• AI‑based security models analyze staff interactions and can trigger immediate access suspension;
• Any irregular server or administrative activity is treated as a potential privacy breach, with isolation of the affected node or cluster.

7.4. Layer 04 — Confidential & Breach Data Protection

• Field‑level encryption (AES‑256‑GCM) with unique IV/nonce per field;
• Envelope encryption for data keys; keys stored separately in KMS/HSM;
• Regular rotation of cryptographic keys;
• No developer or operator access to raw PII or cryptographic material;
• Confidential computing environments for highly sensitive operations;
• Partner data undergoes additional anonymization and integrity checks and, where possible, is delivered directly to the client without passing through unnecessary transit servers.

8. Payment Processing (Stripe and NOWPayments)

8.1. Card payments – Stripe

8.2. Cryptocurrency payments – NOWPayments

8.3.

To the extent NiamonX receives or stores any related billing data (e.g., billing contact details, transaction IDs, timestamps, subscription metadata), such data is processed only for:

• contract performance,
• accounting and tax compliance,
• fraud prevention and security.

We do not store card numbers or private cryptocurrency keys.

9. Sharing of Data with Third Parties

We may share data (to the minimum extent necessary) with:

• Payment providers (Stripe, NOWPayments) as described above;
• Antivirus companies, reputation services or security vendors in anonymized or pseudonymous form when you request URL/file/hash/domain/IP checks;
• OSINT and data suppliers, operators and partners, who typically receive only anonymized/aggregated data unless you directly send data to them as part of your query;
• Cloud and infrastructure providers hosting our systems;
• Legal, tax, or cybersecurity advisors (bound by professional or contractual confidentiality);
• Public authorities and courts where required by law.

10. Data Retention

• Account data: retained for as long as your account is active, and for a limited period thereafter if necessary for legal, accounting or security purposes.
• Security logs: retained for the minimum period necessary to fulfil security and compliance purposes.
• Tool/query contents: not stored server‑side; only locally on your device.
• Partner data: encrypted and retained solely for the purpose and duration necessary to provide the services or comply with legal obligations.

11. Your Rights under GDPR

12. International Data Transfers

Data may be processed in or transferred to:

• EU/EEA Member States;
• Iceland;
• United Kingdom;
• United States and other third countries.

13. Cookies and Local Storage

We may use:

• strictly necessary cookies for authentication and basic functionality;
• security cookies for anti‑fraud and session protection;
• localStorage or similar technologies to store your query history and preferences locally on your device.

You may configure your browser to block cookies or localStorage; however this may impair or block the use of parts of our platform.

14. Minors

15. Changes to this Privacy Policy (EU Version)

We may update this EU Version of the Privacy Policy from time to time to reflect:

• changes in law or regulatory guidance;
• changes in our services, infrastructure or security practices.

The updated version will be published on our website with a revised "Last updated" date. Continued use of the platform after such updates constitutes your acceptance of the modified Policy.