Privacy Policy

Table of Contents

• 1. Introduction
• 2. Data Controller Information
• 3. Data We Collect
• 4. Open Source Intelligence (OSINT) Data
• 5. Legal Basis for Processing
• 6. How We Use Your Data
• 7. Data Sharing & Third Parties
• 8. International Data Transfers
• 9. Data Retention
• 10. Your Rights
• 11. PIPEDA (Canada)
• 12. GDPR & UK GDPR (EU/UK)
• 13. CCPA/CPRA (California, USA)
• 14. LGPD (Brazil)
• 15. Australian Privacy Act
• 16. Other Jurisdictions
• 17. Cookies & Tracking
• 18. Data Security
• 19. Children's Privacy
• 20. Automated Decision-Making & AI
• 21. Changes to This Policy
• 22. Contact Us

1. Introduction

Confidion Consulting & Technologies Inc. ("Confidion," "we," "us," or "our") is committed to maintaining the accuracy, confidentiality, and security of your personally identifiable information ("Personal Information"). As part of this commitment, this Privacy Policy governs our actions as they relate to the collection, use, and disclosure of Personal Information when you use the Confidion Sentry web intelligence platform (the "Service").

Our privacy practices are based upon the values set by the Canadian Standards Association's Model Code for the Protection of Personal Information and are designed to comply with applicable privacy legislation worldwide, including but not limited to:

• Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada's federal privacy law
• European Union General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679
• United Kingdom General Data Protection Regulation (UK GDPR) — as incorporated into UK law
• California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) — California Civil Code §§ 1798.100–1798.199.100
• Lei Geral de Proteção de Dados (LGPD) — Brazil's General Data Protection Law (Law No. 13,709/2018)
• Australian Privacy Act 1988 — including the Australian Privacy Principles (APPs)

This policy applies to all users who access our Service from any jurisdiction. The rights and protections that apply to you are determined by the jurisdiction from which you access the Service, and we honour the most protective applicable standard.

2. Data Controller Information

We are responsible for maintaining and protecting the Personal Information under our control. We have designated individuals who are responsible for compliance with this Privacy Policy.

For the purposes of applicable data protection laws, the data controller is:

Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy or our privacy practices, please contact our DPO:

Email: dpo@confidion.com

EU/UK Representative

For users in the European Union or the United Kingdom, inquiries may be directed to our DPO at dpo@confidion.com, who serves as our point of contact for data protection authorities in the EU and UK.

3. Data We Collect

3.1 Information You Provide Directly

• Account Information: Name, email address, password (cryptographically hashed — we never store plaintext passwords), and optional profile details
• Payment Information: Billing details processed securely through our payment processor (Stripe, which is PCI-DSS Level 1 compliant). We do not store full credit card numbers on our servers
• Communication Data: Messages, support requests, and feedback you send to us
• Search Queries: Intelligence searches and research activities conducted through our platform
• Saved Content: Entity profiles, dossiers, saved searches, custom data feeds, and alert configurations you create
• Team Data: Team names, member invitations, and shared workspace configurations

3.2 Information Collected Automatically

• Device Information: IP address, browser type and version, operating system, device identifiers, and screen resolution
• Usage Data: Pages visited, features used, search frequency, time spent on pages, and click patterns
• Log Data: Access timestamps, login attempts (successful and failed), session duration, and request identifiers
• Security Data: Failed authentication attempts, suspicious activity patterns, rate limit events, and multi-factor authentication events (for fraud prevention and account security)
• Performance Data: Page load times, server response times, and error events (used to maintain service quality)

3.3 Information from Third-Party Sources

We may receive information from third-party services when you:

• Connect third-party accounts or data sources to your account
• Use integrations with external APIs configured within the platform
• Are referred to us by a business partner or reseller

4. Open Source Intelligence (OSINT) Data

4.1 Nature of OSINT Data

The Service collects and processes information that is publicly available on the internet. This includes data accessible without requiring authentication, credentials, or bypassing access controls. We define "publicly available" as information that:

• Is accessible to the general public without requiring login credentials
• Is published on public websites, forums, or platforms
• Is available through public APIs provided by third-party services
• Has been intentionally made public by the individual or entity that posted it

We do not access private, gated, or restricted content. We do not bypass access controls, paywalls, or authentication mechanisms.

4.2 OSINT Data Sources

The Service may collect publicly available data from the following categories of sources:

• Public Web Search Engines: Results from web search APIs (e.g., Google, Bing, DuckDuckGo) that index publicly accessible content
• Public Social Media Posts: Content posted publicly on social media platforms (e.g., Twitter/X, Reddit, public Facebook pages, public Instagram posts, YouTube, LinkedIn public posts)
• News Sources & Media: Publicly available news articles, press releases, and media reports from news aggregation services
• Public Records & Government Sources: Information from government databases, court records, regulatory filings, and other public records made available by authorities
• RSS Feeds & Blogs: Publicly syndicated content feeds
• Public Forums & Discussion Boards: Content posted on publicly accessible online forums

4.3 OSINT Data May Contain Personal Information

Because the Service aggregates publicly available data, the results may contain personal information about third parties (individuals who are the subjects of searches but are not users of our Service). This may include:

• Names and professional affiliations
• Public social media profiles and posts
• Professional contact information found in public sources
• Information from public news articles or media reports
• Public corporate filings and regulatory records

4.4 Lawful Basis for OSINT Data Processing

We process OSINT data under the following legal bases depending on the applicable jurisdiction:

• GDPR/UK GDPR: Legitimate interests (Article 6(1)(f)) — the provision of open source intelligence services for lawful purposes such as due diligence, risk assessment, journalistic research, and security. We conduct legitimate interest assessments and balance these against data subjects' rights
• PIPEDA: Publicly available information exemption (PIPEDA §7(1)(d) and Regulations Specifying Publicly Available Information) for data that is publicly available as defined under PIPEDA
• CCPA/CPRA: Publicly available information is excluded from the definition of "personal information" under CCPA §1798.140(v)(2)
• LGPD: Legitimate interests (Article 7, X) and processing of data made manifestly public by the data subject (Article 7, §4)
• Australian Privacy Act: APP 3.4 exemption for publicly available information as permitted under applicable Commonwealth or State laws

4.5 Rights of Data Subjects in OSINT Results

If you are an individual whose personal information appears in OSINT search results on our platform and you are not a user of the Service, you may still exercise certain rights under applicable privacy laws:

• Right to Know: You may request information about what data we hold about you
• Right to Erasure/Deletion: You may request removal of your personal data from our platform, subject to applicable legal exceptions
• Right to Object: You may object to the processing of your personal data

To exercise these rights, please contact us at privacy@confidion.com with sufficient detail for us to identify the relevant data. We will respond in accordance with the timelines required by applicable law.

4.6 User Responsibilities for OSINT Data

Users of the Service are responsible for ensuring that their use of OSINT data complies with all applicable laws in their jurisdiction, including privacy, data protection, anti-discrimination, and employment laws. The Service is a tool; the lawfulness of any particular use depends on the user's purposes and local legal requirements. See our Terms of Service for detailed acceptable use requirements.

5. Legal Basis for Processing

The legal basis under which we process your personal data depends on your jurisdiction and the purpose of processing. Below is a summary of our legal bases for processing your account and usage data (for OSINT-specific legal bases, see Section 4.4).

Purpose	Legal Basis (GDPR/UK GDPR)	Legal Basis (PIPEDA)
Account creation & management	Contract performance (Art. 6(1)(b))	Implied consent
Payment processing	Contract performance (Art. 6(1)(b))	Implied consent
Service delivery & intelligence searches	Contract performance (Art. 6(1)(b))	Implied consent
Security & fraud prevention	Legitimate interests (Art. 6(1)(f))	Without consent (§7(1)(a))
Service improvement & analytics	Legitimate interests (Art. 6(1)(f))	Implied consent
Tax & legal compliance	Legal obligation (Art. 6(1)(c))	Without consent (§7(1)(b))
Marketing communications	Consent (Art. 6(1)(a))	Express consent (opt-in)

6. How We Use Your Data

We use collected data for the following purposes:

6.1 Service Delivery

• Providing access to the Confidion Sentry platform and its features
• Processing and executing intelligence searches across public data sources
• Managing your account, subscription, and team configurations
• Delivering data feeds, alerts, and notifications you configure
• Generating entity profiles, dossiers, and threat assessments

6.2 Communication

• Sending transactional emails (account verification, password resets, payment receipts)
• Providing technical support and responding to inquiries
• Notifying you about service changes, security issues, or policy updates
• Sending alerts and digest notifications you configure in your account settings

6.3 Security & Fraud Prevention

• Detecting and preventing fraudulent activity and unauthorized access
• Monitoring for suspicious login attempts and brute-force attacks
• Enforcing rate limits and acceptable use policies
• Maintaining security audit logs for incident response

6.4 Service Improvement

• Analysing aggregated, de-identified usage patterns to improve features
• Troubleshooting technical issues and monitoring performance
• Developing new features and improving search accuracy

6.5 AI-Assisted Analysis

We use artificial intelligence services to assist with threat correlation and analysis of OSINT data. AI processing is conducted within controlled environments, and your data is not used to train third-party AI models. See Section 20 for details on automated decision-making.

7. Data Sharing & Third Parties

7.1 Service Providers (Sub-processors)

We share data with trusted third-party service providers who assist in operating our platform. All sub-processors are contractually bound to protect your data, use it only for specified purposes, and meet equivalent data protection standards:

• Stripe, Inc.: Payment processing (PCI-DSS Level 1 compliant)
• Cloud Infrastructure Providers: Secure hosting and data storage with encryption at rest
• Anthropic (Claude API): AI-powered analysis of OSINT data — data is processed in isolated sessions and not used to train models
• Email Service Providers: Transactional email delivery (e.g., account verification, alerts)
• Search API Providers: Web search and social media APIs used to retrieve publicly available data

7.2 Legal Requirements

We may disclose your information when required by law or in response to:

• Valid legal processes (subpoenas, court orders, warrants)
• Requests from law enforcement agencies with proper legal authority
• Protection of our legal rights, safety of users, or prevention of fraud
• Investigation of potential violations of our Terms of Service

Where legally permitted, we will notify you before disclosing your information in response to legal process.

7.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. You will be notified via email and/or prominent notice on our website prior to any change in ownership or use of your personal data, and you will have the opportunity to request deletion of your data.

7.4 With Your Consent

We may share your information for other purposes with your explicit consent.

8. International Data Transfers

Confidion Consulting & Technologies Inc. is based in Canada. Your personal data may be transferred to and processed in Canada and other jurisdictions where our service providers operate.

8.1 Transfer Safeguards

When we transfer data internationally, we ensure appropriate safeguards are in place as required by applicable law:

• Adequacy Decisions: Canada has been recognized by the European Commission as providing an adequate level of data protection. For transfers from the UK, similar adequacy recognition applies
• Standard Contractual Clauses (SCCs): For transfers to countries without adequacy decisions, we use EU and UK approved Standard Contractual Clauses
• Supplementary Measures: Where required, we implement additional technical measures (such as encryption) and organizational safeguards
• Data Processing Agreements: All sub-processors are bound by data processing agreements that include international transfer provisions

8.2 Jurisdiction-Specific Transfer Provisions

EU & UK to Canada

Canada has an adequacy finding from the European Commission, meaning personal data may flow from the EU/EEA and UK to Canada without additional transfer mechanisms.

Brazil

Under the LGPD, international data transfers are permitted where the recipient country provides an adequate level of protection or where Standard Contractual Clauses are in place.

Australia

Under the Australian Privacy Act (APP 8), before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient complies with the APPs or equivalent protections.

United States

For data processed through US-based sub-processors, we rely on Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable.

9. Data Retention

Personal Information will only be retained for the period of time required to fulfill the purpose for which we collected it or as may be required by law. Below are our specific retention periods:

Data Type	Retention Period
Account data (email, profile)	Active account lifetime + 30 days after deletion request
OSINT investigation results	2 years or until deleted by user, whichever is sooner
Entity profiles & dossiers	2 years or until deleted by user, whichever is sooner
Search queries & history	1 year
Data feed items	Per feed configuration (user-controlled)
Transaction & billing records	7 years (tax and legal compliance)
Security audit logs	1 year minimum
Security alerts	1 year minimum
Session data	Session lifetime (cleared on logout or after a user-configurable idle period — 30 minutes to 12 hours, default 8 hours)
Support communications	3 years after resolution
Rate limit records	24 hours

Upon expiration of retention periods, data is securely deleted or irreversibly anonymized. You may request earlier deletion of your data at any time, subject to legal retention requirements.

10. Your Rights

Depending on the jurisdiction from which you access our Service, you have specific rights regarding your Personal Information. The sections below (Sections 11–16) detail the rights available under each applicable privacy framework. In general, all users have the following baseline rights:

• Access: Request what personal data we hold about you
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your data (subject to legal exceptions)
• Withdrawal of Consent: Withdraw consent at any time where processing is based on consent
• Complaint: Lodge a complaint with the relevant supervisory authority in your jurisdiction

To exercise any of these rights, contact us at privacy@confidion.com. We will verify your identity before processing requests and respond within the timeframe required by applicable law.

11. PIPEDA — Canada

This section applies to users accessing the Service from Canada. Our privacy practices are based on the ten fair information principles set out in the Canadian Standards Association's Model Code and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

11.1 Accountability

We are responsible for maintaining and protecting the Personal Information under our control. We have designated individuals who are responsible for compliance with this Privacy Policy. Our Data Protection Officer can be reached at dpo@confidion.com.

11.2 Identifying Purposes

We collect, use, and disclose Personal Information to provide you with the services you have requested and for the purposes identified in Section 6 of this policy. The purposes for which we collect Personal Information will be identified before or at the time we collect the information. In certain circumstances, the purposes for which information is collected may be clear and consent may be implied, such as where your name and email address are provided as part of the account registration process.

11.3 Consent

Knowledge and consent are required for the collection, use, or disclosure of Personal Information except where required or permitted by law. Providing us with your Personal Information is always your choice. However, your decision not to provide certain information may limit our ability to provide you with our services. We will not require you to consent to the collection, use, or disclosure of information as a condition to the supply of a service, except as required to be able to supply the service.

11.4 Limiting Collection

The Personal Information collected will be limited to those details necessary for the purposes identified by us. With your consent, we may collect Personal Information from you electronically through the Service interface.

11.5 Limiting Use, Disclosure & Retention

Personal Information may only be used or disclosed for the purpose for which it was collected unless you have otherwise consented, or when it is required or permitted by law. Personal Information will only be retained for the period of time required to fulfill the purpose for which we collected it or as may be required by law (see Section 9 for specific retention periods).

11.6 Accuracy

Personal Information will be maintained in as accurate, complete, and up-to-date form as is necessary to fulfill the purposes for which it is to be used.

11.7 Safeguarding Customer Information

Personal Information will be protected by security safeguards that are appropriate to the sensitivity level of the information. We take all reasonable precautions to protect your Personal Information from any loss or unauthorized use, access, or disclosure (see Section 18 for details).

11.8 Openness

We will make information available to you about our policies and practices with respect to the management of your Personal Information. This Privacy Policy and our Terms of Service are always available on our website.

11.9 Customer Access

Upon request, you will be informed of the existence, use, and disclosure of your Personal Information, and will be given access to it. You may verify the accuracy and completeness of your Personal Information and may request that it be amended, if appropriate. However, in certain circumstances permitted by law, we will not disclose certain information to you. For example, we may not disclose information relating to you if other individuals are referenced or if there are legal, security, or commercial proprietary restrictions.

11.10 Handling Customer Complaints & Suggestions

You may direct any questions or enquiries with respect to our privacy policy or our practices by contacting our Privacy Office at privacy@confidion.com. If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

11.11 Response Timelines

We will respond to access and correction requests within 30 days of receiving the request, as required by PIPEDA.

12. GDPR & UK GDPR — European Union & United Kingdom

This section applies to users accessing the Service from the European Economic Area (EEA) or the United Kingdom.

12.1 Your Rights Under GDPR/UK GDPR

• Right of Access (Art. 15): Request a copy of all personal data we hold about you
• Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten") where there is no compelling reason for continued processing
• Right to Restriction of Processing (Art. 18): Request limitation of processing in certain circumstances (e.g., while accuracy is contested)
• Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV)
• Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds
• Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing
• Right Related to Automated Decisions (Art. 22): Not be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects (see Section 20)

12.2 Response Timelines

We will respond to data subject requests within 30 days of receipt. This may be extended by up to 60 additional days for complex or numerous requests, in which case we will inform you of the extension and reasons.

12.3 Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of individuals, including our OSINT data aggregation activities.

12.4 Supervisory Authorities

You have the right to lodge a complaint with a supervisory authority:

• EU: Your local Data Protection Authority (a full list is available at edpb.europa.eu)
• UK: Information Commissioner's Office (ICO) — ico.org.uk

13. CCPA/CPRA — California, USA

This section applies to California residents as defined under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA").

13.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

• Identifiers: Name, email address, IP address, account name
• Commercial Information: Subscription plans, payment history, transaction records
• Internet or Electronic Network Activity: Browsing history on our platform, search history, interaction with our Service
• Geolocation Data: Approximate location derived from IP address
• Professional Information: Job title or organization (if provided)

13.2 Your CCPA Rights

As a California resident, you have the following rights:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose, and the categories of third parties with whom we share it
• Right to Delete: Request deletion of your personal information, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale/Sharing: We do not sell your personal information and do not share it for cross-context behavioural advertising. No opt-out is necessary
• Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes beyond those permitted under the CCPA
• Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights

13.3 Exercising Your CCPA Rights

To submit a verifiable consumer request, contact us at privacy@confidion.com. We will verify your identity by confirming information associated with your account. You may also designate an authorized agent to make a request on your behalf.

13.4 Response Timelines

We will acknowledge your request within 10 business days and provide a substantive response within 45 calendar days. This may be extended by an additional 45 days where reasonably necessary, with notice.

13.5 Sale and Sharing Disclosure

We do not sell personal information as defined by the CCPA. We do not share personal information for cross-context behavioural advertising. We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.

13.6 Financial Incentives

We do not offer financial incentives or price differences in exchange for the retention or sale of personal information.

13.7 Opt-Out Preference Signals

We honour Global Privacy Control (GPC) and other opt-out preference signals as required by California law. When we detect a valid opt-out signal, we treat it as a valid request to opt out of the sale or sharing of personal information.

14. LGPD — Brazil

This section applies to users accessing the Service from Brazil. Processing of personal data is governed by the Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018).

14.1 Legal Bases for Processing

We process personal data of Brazilian users under the following legal bases provided in Article 7 of the LGPD:

• Performance of a contract (Art. 7, V): Processing necessary to execute or perform a contract with the data subject
• Legitimate interests (Art. 7, IX): Processing necessary for legitimate interests, provided fundamental rights and freedoms are not overridden
• Consent (Art. 7, I): Where we rely on your consent, such as for marketing communications
• Legal or regulatory obligation (Art. 7, II): Processing required by applicable Brazilian or Canadian law
• Data made manifestly public (Art. 7, §4): For OSINT data that has been made manifestly public by the data subject

14.2 Your Rights Under the LGPD

As a data subject in Brazil, you have the following rights under Article 18 of the LGPD:

• Confirmation & Access: Confirm whether we process your data and access it
• Correction: Request correction of incomplete, inaccurate, or outdated data
• Anonymization, Blocking, or Deletion: Request anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD
• Data Portability: Request portability of your data to another service provider
• Deletion of Consent-Based Data: Request deletion of data processed on the basis of consent
• Information on Sharing: Request information about public and private entities with whom your data has been shared
• Consent Withdrawal: Be informed of the consequences of denying or withdrawing consent
• Opposition: Object to processing that does not comply with LGPD provisions
• Review of Automated Decisions: Request review of decisions made solely on the basis of automated processing

14.3 Data Protection Officer (Encarregado)

Our Data Protection Officer serves as the Encarregado for purposes of the LGPD. Contact: dpo@confidion.com

14.4 Response Timelines

We will respond to data subject requests within 15 days as required by the LGPD.

14.5 Supervisory Authority

You may file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.

15. Australian Privacy Act

This section applies to users accessing the Service from Australia. Our processing of personal information is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

15.1 Collection of Personal Information (APP 3)

We only collect personal information that is reasonably necessary for, or directly related to, our functions and activities as described in this policy. We collect personal information by lawful and fair means, and where reasonable and practicable, directly from you.

15.2 Notification of Collection (APP 5)

At or before the time we collect your personal information (or as soon as practicable afterwards), we notify you of the matters required by APP 5, including the purposes of collection, the consequences of not collecting the information, and the entities to which we typically disclose such information. This Privacy Policy serves as that notification.

15.3 Use and Disclosure (APP 6)

We will only use or disclose personal information for the primary purpose for which it was collected, or for a secondary purpose where:

• You have consented to the use or disclosure
• You would reasonably expect us to use or disclose the information for the secondary purpose
• The use or disclosure is required or authorized by law
• A permitted general situation or permitted health situation exists

15.4 Cross-Border Disclosure (APP 8)

Before disclosing personal information to an overseas recipient (including our Canadian servers and service providers), we take reasonable steps to ensure the overseas recipient does not breach the APPs. Our data processing agreements with overseas recipients require compliance with privacy protections substantially equivalent to the APPs.

15.5 Your Rights Under the APPs

• Access (APP 12): Request access to the personal information we hold about you
• Correction (APP 13): Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading
• Complaints: Lodge a complaint about our handling of your personal information

15.6 Automated Decision-Making Transparency

In compliance with the Privacy and Other Legislation Amendment Act 2024, where we use automated decision-making that could significantly affect your rights or interests, we will provide transparency about the use of such systems, the personal information involved, and how to request human review. See Section 20 for details.

15.7 Response Timelines

We will respond to access and correction requests within 30 days as required by the Australian Privacy Act.

15.8 Supervisory Authority

You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

16. Other Jurisdictions

If you access the Service from a jurisdiction not specifically addressed above, the following general provisions apply:

16.1 New Zealand (Privacy Act 2020)

Users in New Zealand have rights similar to those under the Australian Privacy Act, including the right to access, correct, and request deletion of personal information. Complaints may be filed with the New Zealand Office of the Privacy Commissioner at privacy.org.nz.

16.2 South Africa (POPIA)

Users in South Africa have rights under the Protection of Personal Information Act (POPIA), including access, correction, deletion, and the right to object to processing. Complaints may be filed with the Information Regulator at justice.gov.za/inforeg.

16.3 Japan (APPI)

Users in Japan have rights under the Act on the Protection of Personal Information (APPI), including disclosure, correction, cessation of use, and cessation of provision to third parties. Complaints may be directed to the Personal Information Protection Commission (PPC).

16.4 Other US States

In addition to California, privacy laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Oregon, Indiana, Kentucky, and other US states may provide you with additional rights. If you are a resident of any of these states, you may exercise rights to access, correct, delete, and opt out of certain processing activities. We honour Global Privacy Control (GPC) signals as an opt-out mechanism where required by state law.

16.5 General Approach

For users in any jurisdiction, we are committed to applying the highest standard of data protection reasonably applicable to your circumstances. If your local law provides rights or protections not specifically addressed in this policy, please contact us at privacy@confidion.com and we will work with you to honour your rights under applicable law.

17. Cookies & Tracking Technologies

17.1 What Are Cookies

A cookie is a small file stored on your device when you visit our website. We may use cookies to improve our website's functionality and, in some cases, to provide you with a customized experience.

17.2 Essential Cookies

We use strictly necessary cookies for:

• Session Management: Maintaining your logged-in state via secure session identifiers
• Security: CSRF protection tokens to prevent cross-site request forgery
• Preferences: Remembering your settings and display preferences

These cookies are essential for the operation of our Service and cannot be disabled. They do not require consent under most privacy frameworks because they are strictly necessary for the service you have requested.

17.3 Cookie Characteristics

Our essential cookies:

• Do not track you across other websites
• Do not collect marketing data or facilitate advertising
• Expire at the end of your session or when you log out
• Are transmitted over secure (HTTPS) connections only
• Are set with HttpOnly and SameSite=Strict flags for security

17.4 Third-Party Resources

We load resources from the following third parties:

• Google Fonts: Typography resources (subject to Google's Privacy Policy). We do not use Google Analytics or other Google tracking services

17.5 Managing Cookies

Cookies are widely used and most web browsers are configured to accept cookies automatically. You may change your browser settings to prevent your computer from accepting cookies or to notify you when you receive a cookie so that you may decline its acceptance. Please note that if you disable cookies, you may not be able to use certain features of our Service, particularly those requiring authentication.

18. Data Security

We implement comprehensive security measures to protect your Personal Information from loss, unauthorized use, access, or disclosure.

18.1 Technical Measures

• 256-bit TLS/SSL encryption for all data in transit (HSTS with preload)
• AES-256-GCM encryption for sensitive data at rest (API keys, MFA secrets)
• Secure password hashing using Argon2id (industry-leading algorithm)
• CSRF protection on all state-changing operations
• Content Security Policy (CSP), X-Frame-Options, and other security headers
• Rate limiting to prevent brute-force and denial-of-service attacks
• Multi-factor authentication (MFA/TOTP) available for all accounts
• Secure session management with idle timeouts, fingerprinting, and concurrent session limits

18.2 Organizational Measures

• Access controls limiting data access to authorized personnel on a need-to-know basis
• Comprehensive security audit logging for all state-changing operations
• Employee training on data protection and information security
• Documented incident response procedures
• Regular security reviews, vulnerability assessments, and penetration testing
• Vendor risk management for all third-party service providers

18.3 Breach Notification

Unfortunately, no data transmission over the Internet can be guaranteed to be 100% secure. As a result, while we make commercially reasonable efforts to protect your data, you transmit information at your own risk.

In the event of a data breach that poses a risk to your rights and freedoms, we will:

• GDPR/UK GDPR: Notify relevant supervisory authorities within 72 hours of becoming aware of the breach
• PIPEDA: Report to the Office of the Privacy Commissioner of Canada and notify affected individuals as soon as feasible
• CCPA: Notify affected California residents as required under California Civil Code §1798.82
• LGPD: Notify the ANPD and affected individuals within a reasonable timeframe
• Australian Privacy Act: Notify the OAIC and affected individuals of eligible data breaches under the Notifiable Data Breaches (NDB) scheme
• Notify affected individuals without undue delay if there is high risk to their rights
• Document the breach and all remedial actions taken

19. Children's Privacy

Our Service is not intended for individuals under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at privacy@confidion.com. We will take steps to delete such information promptly.

20. Automated Decision-Making & AI

20.1 How We Use AI

The Service uses artificial intelligence for the following purposes:

• Threat correlation analysis of OSINT data
• Automated threat scoring and risk assessment of collected intelligence
• Pattern detection across data feeds and search results
• Sentiment analysis of publicly available content

20.2 Limitations

AI-generated analysis and threat scores are provided as decision-support tools. They do not constitute final determinations and are not used to make decisions that produce legal effects or similarly significant effects on individuals without human review. Users are responsible for independently evaluating all information before making decisions.

20.3 Your Rights Regarding Automated Decisions

• GDPR/UK GDPR (Art. 22): You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects. You may request human review of automated decisions
• LGPD (Art. 20): You have the right to request review of decisions made solely on the basis of automated processing
• Australian Privacy Act: We will provide transparency about the use of automated decision-making systems as required by applicable law

20.4 AI Data Handling

AI analysis is conducted in isolated sessions. Your data is not used to train third-party AI models. We use commercially available AI services under data processing agreements that prohibit the use of input data for model training purposes.

21. Changes to This Policy

We may update this Privacy Policy from time to time. Our website will always contain the most up-to-date version. When we make material changes:

• We will update the "Last Updated" date at the top of this policy
• We will notify you by email for significant changes affecting your rights
• We will provide at least 30 days' notice before material changes take effect
• We will provide prominent notice on our website

Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy. If you do not agree to the changes, you must stop using the Service and may request deletion of your account.

22. Contact Us

You may direct any questions, concerns, or requests regarding this Privacy Policy or our data practices by contacting:

Additional Resources

• Terms of Service — Governing terms for use of the Service
• Security — Our security practices and measures