Privacy Policy
Last updated: April 2026
Overview
OsintGo is designed from the ground up with privacy as a core principle, not an afterthought. We collect the minimum data required to operate the service and never sell, share, or monetise your personal information. This policy explains exactly what we collect, why, and how long we keep it.
What we collect
Account data
No identity verification or KYC is required at any point. Email address is optional: you can register and use OsintGo entirely anonymously. If you provide an email, it is stored solely for API key recovery and is never used for marketing. Lawful basis: consent (you choose to provide it; the service operates without it by default).
API usage logs
Every query is logged with: timestamp, query type, response time, status, and a truncated IP address (last octet removed). Query parameters (the actual data you search for) are stored in sanitised form for billing and abuse-prevention purposes and are automatically purged after 90 days. Lawful basis: legitimate interest (billing accuracy, abuse prevention).
Payment data
OsintGo accepts Bitcoin and Monero via a self-hosted BTCPay Server instance. We never have access to your payment card details. For crypto payments we store only the transaction hash, invoice ID, amount, and currency. No wallet addresses that can be linked to you are retained beyond invoice settlement. Lawful basis: legal obligation (financial record-keeping requirements).
Technical data
We collect standard server logs (IP addresses, HTTP method, path, response code) for security and debugging. These logs are retained for 30 days and are not linked to your account. Lawful basis: legitimate interest (service security and stability).
What we do not collect
- No browser fingerprints or device identifiers
- No tracking pixels or third-party analytics scripts
- No advertising profiles or behavioural data
- No IP-to-identity linking beyond rate limiting
- No social login: no OAuth providers with access to your profile
Data retention
| Data type | Retention |
|---|---|
| Account (email) | Until account deletion request |
| API key hash | Until key is rotated or account deleted |
| Query parameters | 90 days, then purged |
| Server logs | 30 days rolling |
| Payment records | 7 years (legal requirement) |
Your rights
You have the right to access, correct, export, or delete any personal data we hold about you. To exercise these rights, submit a Privacy Request. We will respond within 30 days. For deletion requests, note that payment records may be subject to legal retention obligations.
Third-party services
OsintGo uses the following sub-processors. We do not share personal data beyond what is strictly necessary for each service to function:
- Supabase: database hosting (EU region), processed under a GDPR-compliant DPA.
- Cloudflare: edge routing and DDoS protection. IP addresses transit Cloudflare infrastructure.
- Resend: transactional email for key recovery only. Your email address is transmitted only when you request a recovery.
- Upstash Redis: rate limiting counters. No personal data stored, only anonymous counters keyed by truncated IP.
Security
All data in transit is protected by TLS 1.3. API keys are stored as high-entropy random values and are not reversible to your identity without access to the database. We conduct regular security reviews and follow responsible disclosure for vulnerabilities.
Changes to this policy
Material changes to this policy will be announced via a dashboard notification and, if you provided an email, by email. Continued use of the service after the effective date constitutes acceptance of the updated policy.
Contact
Questions about this policy? Contact us via the support form.