Privacy Policy

1. Data Controller

Sandstorm OSINT is the data controller for personal data collected through this Service.

Contact: hello@sandstormosint.com

2. Data We Collect

2.1 Account Data

• Email address
• Password (stored as bcrypt hash)
• Telegram username (optional)

2.2 Subscription Data (via Stripe)

• Stripe Customer ID
• Subscription ID, status, plan, payment history

Note: We never see or store card details.

2.3 Usage Data

• Login timestamps
• IP address
• Browser type
• Pages accessed
• Session duration

2.4 Communication Data

• Feedback messages
• Support emails

2.5 Telegram Data (Pro only)

• Username
• Numeric user ID
• Channel membership status
• Verification code (temporary)

3. Why We Collect Data

3.1 To provide the Service (Contract performance)

Registration, subscription management, paid features, alerts, and Telegram access.

3.2 Security and fraud prevention (Legitimate interests)

Rate limiting, brute force prevention, and unauthorised access detection.

3.3 Improve the Service (Legitimate interests)

Feature usage analysis, technical issue identification, and performance monitoring.

3.4 Legal compliance (Legal obligation)

Payment records and responding to lawful authority requests.

4. How Long We Keep Data

Data Type	Retention Period
Account data	Account duration + 12 months
Payment records	7 years
Usage logs	90 days
IP addresses	30 days
Support communications	2 years
Telegram data	Deleted within 24 hours of cancellation

5. Who We Share Data With

5.1 Stripe

Payment processing. Location: USA (with adequacy decision).

5.2 Telegram

Channel access. Location: UAE/USA.

5.3 Anthropic

AI analysis. No personal data is ever sent.

5.4 DigitalOcean

Hosting. Location: Frankfurt, Germany (EU).

5.5 What we do not do

• We do not sell your data
• We do not share data with advertisers
• We do not use data for targeted advertising
• We do not share data with government agencies except where legally required

6. Your Rights Under UK GDPR

You have the right to:

• Access your personal data
• Rectification of inaccurate data
• Erasure of your data (processed within 30 days)
• Restriction of processing
• Data Portability — receive your data in a structured format
• Object to processing
• Withdraw consent at any time

To exercise any of these rights, email hello@sandstormosint.com. We will respond within 30 days.

You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

7. Cookies

7.1 Cookies we use

• Session cookie (required) — maintains your login session
• Remember Me cookie (30 days) — keeps you logged in

7.2 Cookies we do not use

No advertising cookies, tracking cookies, analytics cookies, or social media cookies.

8. Data Security

8.1 Security measures

• Passwords hashed with bcrypt
• HTTPS encryption for all connections
• SSH key authentication for server access
• Regular encrypted backups
• Rate limiting on all endpoints
• No payment card data stored on our servers

8.2 Limitations

No system is completely secure. We cannot guarantee absolute security of your data.

8.3 Breach notification

In the event of a data breach, we will notify affected users and the ICO within 72 hours.

9. International Transfers

Our servers are located in Frankfurt, Germany. Stripe processes payments in the USA with appropriate safeguards in place. We do not transfer personal data to any country without adequate data protection.

10. Children

The Service is not intended for anyone under the age of 18. We do not knowingly collect personal data from children.

11. Changes to This Policy

We will notify registered users by email of any material changes to this Privacy Policy. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact

Email: hello@sandstormosint.com

Website: sandstormosint.com

We aim to respond to all enquiries within 5 working days.