Privacy Policy
Last updated: December 2025
1. Data Controller
Robyn Klesing
Krähenfeld 2
45479 Mülheim an der Ruhr
Germany
Email: privacy@osintcheckbox.com
2. Overview of Data Processing
We only process personal data to the extent necessary for providing our OSINT platform. This overview summarizes the types of data processed and their purposes.
2.1 Types of Data Processed
| Category | Data | Purpose |
|---|---|---|
| Account Data | Email address, name, password (encrypted) | User account & authentication |
| Search Queries | Names, emails, phone numbers, usernames | OSINT research on behalf of user |
| Search Results | Found profiles, links, public information | Display & temporary storage |
| Technical Data | IP address, browser type, timestamps | Security & error diagnosis |
| Payment Data | Payment token (via Stripe) | Subscription billing |
2.2 Data Subjects
- Platform users: Persons who create an account and use the service
- Researched persons: Persons for whom search queries are conducted (primarily users themselves, checking their own online presence)
3. Legal Basis for Processing
We process your data on the following legal bases under Art. 6 GDPR:
| Legal Basis | Use Case |
|---|---|
| Contract Performance (Art. 6(1)(b)) | Provision of OSINT service, account management, search queries |
| Legitimate Interest (Art. 6(1)(f)) | IT security, abuse prevention, server logs |
| Legal Obligation (Art. 6(1)(c)) | Retention of billing data (tax law) |
| Consent (Art. 6(1)(a)) | Newsletter, optional features (if applicable) |
4. Data Processing Agreement
Processing on Behalf
OSINTCHECKBOX acts as a data processor under Art. 28 GDPR when conducting OSINT research. The user (controller) remains responsible for the lawfulness of processing.
The platform primarily serves to let users check their own digital presence so that they can exercise their rights under Art. 17 GDPR (Right to Erasure).
5. Recipients and Third-Party Providers
We use the following third-party providers to deliver our services:
| Service | Provider | Purpose | Location |
|---|---|---|---|
| AI Analysis | xAI Corp. (Grok) | Intelligent analysis and summarization of search results | USA |
| Hosting | IONOS SE | Server infrastructure | Germany |
| Payment | Stripe, Inc. | Secure payment processing | USA (SCCs) |
6. Data Transfers to Third Countries
Notice Regarding USA Transfers
When using the AI analysis function, search results are transmitted to xAI (Grok) in the USA. The transfer is based on:
- EU-US Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR
Alternative for sensitive data: Government agencies and enterprise customers can use a local AI model where no data leaves their own infrastructure.
7. Use of Artificial Intelligence
In accordance with the EU AI Act, we inform you:
- AI used: xAI Grok for OSINT data analysis
- Purpose: Automatic categorization, verification, and summarization ("Personagram")
- Risk classification: Not a high-risk system under the EU AI Act
- Transparency: AI-generated content is labeled as such
- No automated decisions: AI does not make legally binding decisions
8. Storage Duration
| Data Type | Storage Period |
|---|---|
| Account data | Until account deletion |
| Search results | 30 days, immediately deletable upon request |
| Server logs | 7 days |
| Billing data | 10 years (legal retention requirement) |
9. Cookies and Tracking
We only use technically necessary cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| Session Cookie | Authentication and login status | Session end / 30 days |
No tracking: We do not use analytics or tracking tools like Google Analytics.
10. Your Rights
You have the following rights under GDPR:
- Right of access (Art. 15): Information about your stored data
- Right to rectification (Art. 16): Correction of inaccurate data
- Right to erasure (Art. 17): Deletion of your data ("Right to be Forgotten")
- Right to restriction (Art. 18): Restriction of processing
- Right to data portability (Art. 20): Receive your data in a machine-readable format
- Right to object (Art. 21): Object to processing
- Right to withdraw consent (Art. 7(3)): Possible at any time
Email: privacy@osintcheckbox.com
We will process your request within 30 days.
11. Right to Complain
You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:
Kavalleriestraße 2-4
40213 Düsseldorf, Germany
Phone: +49 211 38424-0
Email: poststelle@ldi.nrw.de
Web: www.ldi.nrw.de
12. Data Security
We implement technical and organizational measures under Art. 32 GDPR:
- Encryption: TLS/SSL for all data transmissions
- Password hashing: Secure storage with bcrypt
- Access control: Role-based permissions
- Backups: Regular encrypted data backups
- Updates: Timely security updates
13. Changes to this Privacy Policy
We reserve the right to update this Privacy Policy to reflect changes in law or service modifications. The current version is always available on this page.