Privacy Policy

At IntelFetch, we take your privacy seriously and are committed to full compliance with the General Data Protection Regulation (GDPR) and Swedish data protection laws. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our cybersecurity intelligence and OSINT platform, including our lawful basis for processing personal data.

For comprehensive documentation about our lawful basis for data processing and detailed transparency reports, please visit our Published Documents section, which includes our GDPR Lawful Basis Documentation and other official publications that provide in-depth information about how we process data in compliance with applicable regulations.

Enterprise & B2B: If you need a Data Processing Agreement (GDPR Article 28), see our DPA page and contact [email protected] for an executed copy.

1. Lawful Basis for Processing

IntelFetch processes personal data under the following lawful bases established in GDPR Article 6:

Primary Lawful Bases for Breach Intelligence Services:

• Legitimate Interest (Article 6(1)(f)): We have a genuine and lawful interest in providing cybersecurity threat intelligence, data breach detection services, and OSINT research capabilities. Our services are intended to serve as critical infrastructure for use cases including, but not limited to:
  • Law enforcement and government agencies conducting criminal investigations and fraud detection
  • National security and cybersecurity defense initiatives protecting critical infrastructure
  • Regulatory compliance enabling organizations to meet obligations under GDPR breach notification (Article 33-34) and the NIS2 Directive (EU) 2022/2555
  • Fraud prevention and identity theft protection for vulnerable individuals and organizations
  • Public health and safety through protection of healthcare and essential service providers
  • OSINT research and detective purposes including investigative due diligence, background research, and open-source intelligence gathering

  While IntelFetch does not guarantee that all users will employ the platform exclusively for the above purposes, these represent the intended and legitimate use cases for which the platform is designed. This interest does not override your fundamental rights, as the breach data we process has already been publicly disclosed.

• Public Interest (Article 6(1)(e)): Our processing is necessary for the performance of tasks carried out in the public interest. We acknowledge that it is typically the public sector that conducts processing in the public interest on behalf of or under the authority of competent bodies. At the same time, we consider it important to convey that the general public is interested in and has a genuine need for such services—including individuals and organizations seeking to assess their own exposure to data breaches, protect themselves from identity theft, and understand cybersecurity threats. IntelFetch is intended to provide critical infrastructure for use cases including, but not limited to:
  • Law enforcement and government agencies conducting criminal investigations and fraud detection
  • National security and cybersecurity defense initiatives protecting critical infrastructure
  • Regulatory compliance enabling organizations to meet obligations under GDPR breach notification (Article 33-34) and the NIS2 Directive (EU) 2022/2555
  • Fraud prevention and identity theft protection for vulnerable individuals and organizations
  • Public health and safety through protection of healthcare and essential service providers
  • OSINT research and detective purposes including investigative due diligence, background research, and open-source intelligence gathering

  These represent our intended use cases and are not a guarantee that all processing will be limited to the above purposes.

Our legitimate interest and public interest bases are aligned and complementary, both reflecting the intended role our services play in supporting law enforcement investigations, national security, regulatory compliance, fraud prevention, OSINT research, detective purposes, and public safety. While we do not guarantee that all users will employ the platform exclusively for these purposes, these represent the legitimate use cases for which IntelFetch is designed. Swedish law recognizes cybersecurity as a matter of public interest under the Dataskyddslagen (2018:218) and the Säkerhetsskyddslagen (2018:585) (Security Protection Act).

References: GDPR Regulation (EU) 2016/679 Article 6(1)(e) (public interest), Article 6(1)(f) (legitimate interests), and Recitals 45-47 (public interest and balancing test). Where we rely on consent (e.g., optional communications), we apply Article 6(1)(a) and, for electronic communications and cookies, the ePrivacy Directive 2002/58/EC.

Important Distinction: IntelFetch provides two main categories of services: (1) Breach Intelligence Services that involve accessing and processing publicly disclosed breach data to enable security professionals to identify compromised credentials and vulnerabilities, and (2) General OSINT Services including IP address lookups, domain analysis, court record searches, cryptocurrency transaction analysis, and other investigative tools that primarily process non-personal or publicly available technical data not derived from data breaches. For breach intelligence services, we process publicly accessible breach data that has already been disclosed through data breaches. We primarily rely on third-party data providers and APIs for real-time access to breach intelligence. However, we also maintain limited local storage of select breach datasets to ensure service availability and performance. Locally stored data represents a small portion of the total breach intelligence accessible through our platform. This processing serves not only our legitimate business interests but also important public interests including assisting law enforcement and government agencies in criminal investigations, supporting national security and cybersecurity defense efforts, enabling individuals and organizations to comply with legal obligations under GDPR and NIS2 Directive, facilitating fraud prevention and detection, protecting vulnerable individuals from identity theft and account takeover, and advancing cybersecurity research and threat intelligence capabilities. This processing does not override your fundamental rights and freedoms, as the data is already publicly accessible and our processing serves protective purposes for society at large.

For account management, billing, and direct service provision, we rely on contract performance, meaning we process data to fulfill our agreement with you when you sign up for our services. Where we need your permission for specific activities, we rely on your explicit consent, which you can withdraw at any time. For legal compliance matters, we process data under legal obligation when required by Swedish or EU law, such as responding to court orders or regulatory requirements.

Understanding GDPR Legal Bases: Article 6(1)(a) means consent you've given us, Article 6(1)(b) means processing necessary to provide our contracted services, Article 6(1)(c) means compliance with legal requirements, Article 6(1)(e) means processing in the public interest, and Article 6(1)(f) means our legitimate business interest that doesn't harm your rights.

1a. Journalistic, Research, and Archive Exemptions

Certain activities of IntelFetch may benefit from special exemptions under GDPR Article 85 (processing for journalistic purposes) and GDPR Article 89 (processing for archiving, scientific research, and statistical purposes). These exemptions are implemented in Swedish law through Dataskyddslagen (2018:218).

Journalistic Exemption (Article 85): Certain editorial activities of IntelFetch serve journalistic purposes within the meaning of GDPR Article 85 and the Swedish implementation:

• We publish editorial content on our public-facing website about cybersecurity matters of public concern (this content is covered by our publication certificate)
• We support investigative journalists and security researchers who use our tools for their own journalistic work (the exemption applies to their journalistic activity, not to our commercial service provision)
• We operate under a Swedish publication certificate (utgivningsbevis) for our public website content only - this does not extend to the database tools, search results, or authenticated areas

The journalistic exemption under GDPR Article 85 may apply to our published editorial content on the public website, allowing certain GDPR provisions to be derogated to reconcile data protection with freedom of expression. However, this exemption does not apply to the OSINT database services, search functionality, or API access we provide as commercial services.

Research and Archive Exemption (Article 89): IntelFetch conducts cybersecurity research and maintains archives of breach intelligence for the following purposes within the meaning of GDPR Article 89:

• Scientific Research: We support academic and commercial cybersecurity research by providing access to breach data for analyzing attack patterns, credential reuse, password security, and threat evolution
• Archiving in the Public Interest: We archive publicly disclosed breach data to preserve the historical record of cybersecurity incidents for future research, regulatory review, and public accountability
• Statistical Purposes: We generate anonymized and aggregated statistics about breach trends, attack vectors, and security vulnerabilities to inform public policy and industry best practices

Under GDPR Article 89(2)-(3) and Dataskyddslagen (2018:218) Chapter 4, the following derogations may apply to our research and archiving activities:

• Right to Erasure (Article 17): May be limited where erasure would seriously impair the achievement of research or archiving objectives
• Right to Object (Article 21): May be limited where necessary for research or archiving in the public interest
• Storage Limitation: Data may be retained for longer periods where processed solely for archiving, research, or statistical purposes with appropriate safeguards

Safeguards: In accordance with GDPR Article 89(1), we implement appropriate technical and organizational measures to ensure respect for data minimization, including pseudonymization where possible, access controls, and purpose limitation to ensure data is not processed for other purposes.

Legal References: GDPR Article 85 (processing for journalistic purposes), GDPR Article 89 (safeguards and derogations for archiving, research, and statistics), Dataskyddslagen (2018:218) Chapter 1 § 7 (journalistic exemption) and Chapter 4 (research exemptions), Yttrandefrihetsgrundlagen (1991:1469) (Swedish Freedom of Expression Act).

2. Information We Collect

We collect information that you provide directly to us when using our service, including:

• Account information (email address, username, password)
• Profile information (name, organization)
• Payment information (processed securely through our payment processors)
• Service usage information (search queries, API usage)
• Communications with us

We also automatically collect certain information when you use our service, such as:

• Log data (IP address, browser type, pages visited, time spent)
• Device information (hardware model, operating system)
• Usage patterns and preferences

2a. Transparency Notice for Breach Intelligence Data (Article 14 Exemption)

A significant portion of the personal data accessible through our breach intelligence services was not obtained directly from the data subjects themselves. Under GDPR Article 14, controllers who obtain personal data from sources other than the data subject are generally required to provide individual notice to each affected data subject. However, GDPR Article 14(5)(b) provides an express exemption where:

• The provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes subject to the conditions and safeguards referred to in Article 89(1).

IntelFetch invokes this exemption for the following reasons:

• Scale: Our platform provides access to data from billions of records across thousands of publicly disclosed breach datasets. Providing individual notice to each data subject whose personal data appears in these datasets is factually impossible and would involve manifestly disproportionate effort relative to any benefit to the data subjects, given that the data has already been publicly disclosed.
• Public Interest Processing: Our processing of breach intelligence data serves archiving in the public interest, cybersecurity research, and statistical analysis of breach trends, all of which fall within the scope of GDPR Article 89 and are subject to appropriate safeguards including access controls, pseudonymization where feasible, and purpose limitation.
• Data Already Public: The breach data we process has already been publicly disclosed through data breaches and is accessible through multiple public sources. The data subjects' information is already in the public domain, and individual notification would not meaningfully alter their awareness of the exposure.
• Contact Information Unavailability: In many cases, we do not possess verified contact details for affected data subjects beyond the compromised data itself (e.g., we may have a breached email address but no verified means to contact the individual, and using compromised contact data for notification would itself raise data protection concerns).

In accordance with GDPR Article 14(5)(b), as an alternative to individual notice, we make the following information publicly available through this Privacy Policy: the categories of personal data processed (breach records including email addresses, usernames, passwords, and associated metadata from publicly disclosed breaches), the purposes of processing (cybersecurity threat intelligence, security research, public interest archiving, and enabling individuals and organizations to assess their own exposure), our lawful bases (legitimate interest under Article 6(1)(f) and public interest under Article 6(1)(e)), and the data subject rights available including the right to request erasure or object to processing as described in Sections 9 and 10 of this policy.

This exemption applies only to breach intelligence data obtained from public sources — not to personal data you provide directly to us (such as your account information), for which we provide full Article 13 transparency at the point of collection.

Legal References: GDPR Article 14(5)(b) (exemption from information obligation where disproportionate effort); GDPR Recital 62 (disproportionate effort where number of data subjects is large, data is old, or appropriate safeguards are in place); GDPR Article 89(1) (safeguards for archiving, research, and statistical processing); Dataskyddslagen (2018:218) Chapter 4 (Swedish implementation of research and archiving derogations).

3. How We Use Your Information

We process personal data for the following purposes, each with its corresponding lawful basis under GDPR Article 6:

Breach Intelligence Services: We provide access to publicly disclosed data breach information based on our legitimate interest and the broader public interest to protect the digital ecosystem from cyber threats and security vulnerabilities. This processing serves important societal purposes including assisting law enforcement agencies in criminal investigations and fraud detection, supporting national security and cybersecurity defense initiatives, enabling regulatory compliance with GDPR, NIS2 Directive, and other data protection and security regulations, protecting individuals from identity theft, account takeover, and fraud, facilitating security research and threat intelligence development, and helping organizations implement appropriate security controls. We primarily rely on third-party API providers for real-time breach intelligence access, but also maintain limited local storage of select breach datasets representing a small portion of total accessible data. The breach data we process has already been publicly disclosed and is not created, commissioned, or facilitated by us.

General OSINT Services: We provide investigative and intelligence tools including IP address geolocation and threat analysis, domain DNS and security analysis, public court record searches, cryptocurrency transaction searches on public blockchains, server status lookups, bank identification number analysis, social media username searches, and other publicly available information lookups. These services primarily process non-personal technical data, publicly accessible records, or information that is not derived from data breaches.

Account and Service Management: We manage your account, process payments, and deliver contracted services based on contract performance, ensuring you receive the services you have subscribed to or purchased. We send service-related communications, security alerts, and account notifications based on our legitimate interest in maintaining service security and your account safety. With your explicit consent, we may send marketing communications and product updates, which you can withdraw at any time through your account settings. We respond to your support requests and inquiries as part of our contractual obligations to provide customer service. We monitor system performance and analyze usage patterns based on our legitimate interest in maintaining service quality, preventing abuse, and improving our platform security. We comply with legal obligations, respond to lawful requests from authorities, and enforce our terms of service when required by Swedish or EU law.

New account activation reminders: If you create an account and do not return to the platform shortly afterward (for example, you do not sign in again after registration within our technical detection window), we may send at most one email to the address you provided, inviting you to log in and use the service. This applies only to accounts created within a limited recent period (typically within the first two weeks) and only while you do not hold an active paid subscription tied to that account. The purpose is to help you activate the service you signed up for. We rely on GDPR Article 6(1)(b) (performance of a contract / steps prior to contract at your request) and, where applicable, Article 6(1)(f) (legitimate interest in delivering the service and reducing abandoned sign-ups), balanced against your rights. You may object to this type of email or contact us at [email protected]; we will honor appropriate requests in line with GDPR.

4. Third-Party Services and Data Sources

Breach Intelligence Services: IntelFetch operates as an aggregation and search platform that provides access to publicly disclosed data breach information. We do not perform, commission, facilitate, or conduct data breaches, hacking, or any unauthorized access to systems. We do not create or solicit breach data. Instead, we provide access to breach information that has already been publicly disclosed and made available through legitimate sources. Our service helps security professionals, researchers, law enforcement, and organizations access publicly available breach intelligence for legitimate security and public interest purposes including identifying compromised credentials, conducting threat assessments, implementing protective security measures, assisting in criminal investigations, supporting national security efforts, and enabling GDPR and NIS2 compliance.

General OSINT Services: In addition to breach intelligence, we provide various investigative tools that process publicly accessible information not derived from data breaches, including IP address intelligence (geolocation, ISP, threat data), domain analysis (DNS records, SSL certificates, security headers), public court records searches, cryptocurrency blockchain transaction lookups, server status information, bank identification numbers, social media profile discovery, and other publicly available data lookups. These services primarily process non-personal technical data or information that is publicly accessible through official channels and registries.

Data Storage Practices: We primarily rely on third-party data providers and APIs for real-time access to breach intelligence, which constitutes the vast majority of breach data accessible through our platform. However, we also maintain limited local storage of select breach datasets on our infrastructure to ensure service availability, performance, and redundancy. Locally stored breach data represents a small portion of the total intelligence accessible through our platform. Additionally, we temporarily cache search results and query responses for performance optimization. This storage includes local databases for specific breach datasets to ensure service availability, temporary caching of API responses (typically minutes to hours), minimal retention of query results necessary for immediate service delivery, and temporary storage of specific data subsets required to fulfill your active service requests. All storage is kept to the absolute minimum necessary for service functionality, retained only as long as required for the specified purposes, subject to strict security controls including encryption and access restrictions, covered by automatic deletion policies for temporary/cached data, and never sold or shared with third parties for marketing or non-security purposes. Your search queries and usage patterns are logged temporarily for service improvement, security monitoring, and abuse prevention purposes as described in this policy, but are not permanently retained.

We rely on reputable third-party data providers and APIs to fulfill the majority of search requests and deliver intelligence services. These third parties operate under their own privacy policies and terms of service. We encourage you to review the privacy practices of any third-party services you access through our platform. We are not responsible for the privacy practices, data retention policies, or accuracy of third-party data sources, though we make reasonable efforts to work with trustworthy and legitimate providers who maintain appropriate security standards.

5. Third-Party Service Providers

IntelFetch uses select third-party services to provide and improve our platform. These services process certain data on our behalf under strict data processing agreements. We use Sentry for error monitoring and performance tracking to identify and resolve technical issues, which may collect anonymized error logs and performance metrics. Payment processing is handled by Stripe and CoinGate, our payment processors, and we do not store credit card numbers, bank account details, or cryptocurrency wallet information on our servers. For customer support, we integrate Tawk.to live chat on certain pages, which may collect chat messages and basic visitor information when you initiate a conversation. Our platform is hosted on self-managed servers located in the United States, which process standard server logs and connection data necessary for service delivery. We use PostgreSQL database services with encryption at rest and in transit to store your account information securely. All third-party processors are selected based on their GDPR compliance and security standards, and data processing agreements are in place to ensure your data is handled appropriately.

References: GDPR Article 28 (processors) and Article 28(3) (mandatory data processing clauses in DPAs).

We do not sell your personal information to third parties. Data is only shared with service providers to the extent necessary to deliver our services, and these providers are contractually obligated to maintain data confidentiality and security.

6. Information Sharing and Disclosure

Beyond our service providers mentioned above, we may share your information only in the following limited circumstances when required by legitimate business or legal needs. We share data to comply with legal obligations such as court orders, subpoenas, or regulatory requirements from competent authorities. We may disclose information to protect the rights, property, or safety of IntelFetch, our users, or others, including enforcing our terms of service or investigating suspected fraud, abuse, or security incidents. In connection with a business transaction such as a merger, acquisition, or sale of assets, your information may be transferred subject to continued privacy protections. We will share data with your explicit consent or at your direction when you authorize specific disclosures. We may share anonymized, aggregated data that does not identify individual users for research, analytics, or public reporting purposes.

7. Data Security and Technical Measures

We implement comprehensive technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. User passwords are stored using industry-standard bcrypt hashing with cryptographic salt rounds, ensuring we never store passwords in plain text or reversible formats. All data transmission between your browser and our servers is encrypted using TLS/SSL protocols. Our database implements encryption at rest for sensitive fields, and we enforce strict access controls limiting data access to authorized personnel only. We employ CSRF protection tokens to prevent cross-site request forgery attacks, implement rate limiting to prevent abuse and brute force attempts, and use secure session management with JWT tokens for authentication. IP addresses are logged for security monitoring purposes including abuse prevention, fraud detection, DDoS protection, and investigation of security incidents. We conduct regular security monitoring and maintain audit logs to detect and respond to potential security threats. However, no method of transmission over the Internet or electronic storage is absolutely secure, and while we strive to use commercially acceptable means to protect your personal data, we cannot guarantee complete security against all possible threats.

8. Search History and Query Logging

IntelFetch does not permanently store user search queries or maintain a searchable search history database. Search queries submitted through our platform are processed in real-time and temporarily logged for essential operational purposes including service improvement, security monitoring, abuse prevention, fraud detection, and investigation of potential terms of service violations. These temporary logs are retained only as long as necessary for these legitimate security and operational purposes, typically no longer than required by our retention policy. Individual search queries cannot be reconstructed or reviewed by users after submission, and we do not create user search profiles for advertising or marketing purposes. This approach ensures your research activities remain private while allowing us to maintain platform security and prevent misuse.

9. Content Removal and Data Subject Requests

As an aggregation platform that processes publicly available information, we respect data subject rights under GDPR Article 17 (Right to Erasure) and Article 21 (Right to Object). Data subjects may submit removal requests for personal data that appears in cached search results or temporary storage by contacting [email protected] with specific details about the data in question. Removal requests will be evaluated on a case-by-case basis considering GDPR requirements and legitimate public interest factors. We will approve removal requests when personal data is no longer necessary for the original purpose for which it was collected, was processed unlawfully, or where the data subject's privacy rights clearly override our legitimate interest in processing. Removal may not be granted in cases where there is a legitimate public interest that overrides individual privacy rights, such as information concerning public figures, public institutions, matters of genuine public concern, or where we have a legal obligation to retain the information. Redaction of specific personal data elements shall be considered equivalent to removal where appropriate. We will respond to all removal requests within one month of receipt and provide clear reasoning for our decision. Data subjects dissatisfied with our response retain the right to lodge a complaint with their local data protection authority.

10. Your Rights Under GDPR

References: GDPR Articles 12–22 (transparency and data subject rights) and Article 77 (right to lodge a complaint with a supervisory authority).

As a data subject under the GDPR, you have comprehensive rights regarding your personal data. You have the right to access your personal information and receive a copy of the data we process about you, which you can exercise through our automated data export feature in your account settings. You have the right to correct any inaccurate or incomplete personal data, which you can do by updating your profile information or contacting our support team. You can exercise your right to erasure, also known as the "right to be forgotten," by using our account deletion feature, which permanently removes all your personal data from our systems. You have the right to restrict how we process your data in certain circumstances, such as when you contest the accuracy of your data or object to how we're using it. Where we rely on your consent for processing, you have the right to withdraw that consent at any time through your account settings, though this will not affect any processing we did before you withdrew consent. You have the right to data portability to receive your personal data in a structured, commonly used format that you can transfer to another service provider, available through our data export function. You may object to processing based on our legitimate interests, and we will evaluate whether our business needs override your rights and interests. You have the right not to be subject to decisions made solely by automated systems without human involvement, which does not significantly apply to our current service offerings. Finally, you have the right to file a complaint with the Swedish Authority for Privacy Protection or your local data protection authority if you believe we have not handled your personal data properly.

Understanding Your Rights: Article 15 is your right to know what data we have, Article 16 lets you fix incorrect data, Article 17 lets you delete your account, Article 18 lets you pause certain processing, Article 7 lets you change your mind about consent, Article 20 lets you take your data elsewhere, Article 21 lets you object to our legitimate interest processing, and Article 22 protects you from unfair automated decisions.

To exercise any of these rights, you can use the automated features in your account settings, or contact us at [email protected]. We will respond to your request within one month, or inform you if we need additional time due to the complexity of your request.

11. Additional Rights for Users Outside the EU/EEA

In addition to GDPR rights, we recognize and respect privacy rights granted under other international privacy frameworks. If you are located outside the EU/EEA, the following laws may grant you additional or equivalent rights depending on your jurisdiction. We will comply with valid requests from consumers and law enforcement in these jurisdictions.

United Kingdom

Following Brexit, the UK operates its own data protection regime. If you are a UK resident, your personal data is protected under the UK Data Protection Act 2018 and the UK GDPR (retained EU law). Your rights under UK law are substantially similar to EU GDPR rights, including the right to access, rectification, erasure, restriction, data portability, and objection. The supervisory authority for the UK is the Information Commissioner's Office (ICO).

References: UK Data Protection Act 2018; UK GDPR (as retained under the European Union (Withdrawal) Act 2018).

United States – State Privacy Laws

We recognize privacy rights under currently active US state comprehensive privacy laws. While we are a Swedish company and not registered as a data broker in any US state, we will honor valid consumer requests from residents of these states:

• California: The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), Cal. Civ. Code § 1798.100 et seq., grants California residents the right to know what personal information is collected, request deletion, opt-out of sale/sharing, and non-discrimination. To submit a request, email [email protected] with "California Privacy Request" in the subject line.
• Virginia: The Virginia Consumer Data Protection Act (VCDPA), Va. Code § 59.1-575 et seq., grants Virginia residents similar rights including access, correction, deletion, data portability, and opt-out of targeted advertising.
• Colorado: The Colorado Privacy Act (CPA), C.R.S. § 6-1-1301 et seq., provides Colorado residents with rights to access, correct, delete, and opt-out of data processing for targeted advertising or sale.
• Connecticut: The Connecticut Data Privacy Act (CTDPA), Conn. Gen. Stat. § 42-515 et seq., grants Connecticut residents comparable privacy rights. We honor universal opt-out preference signals from Connecticut residents as required since January 1, 2025.

Note: We do not sell personal information as defined under these laws. We do not use personal information for targeted advertising. We will respond to verified consumer requests within the timeframes specified by each applicable law (typically 45 days, extendable in certain circumstances).

Canada

If you are a Canadian resident, your personal information may be protected under the Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5. PIPEDA grants you the right to access your personal information, challenge its accuracy, and withdraw consent to its collection, use, or disclosure (subject to legal or contractual restrictions). We process personal information in the United States; accordingly, your data may be accessible to US law enforcement and national security authorities under US law. For requests under PIPEDA, contact [email protected].

References: PIPEDA (S.C. 2000, c. 5), Schedule 1 (Principles). Supervisory authority: Office of the Privacy Commissioner of Canada.

Brazil

If you are located in Brazil, your personal data may be protected under the Lei Geral de Proteção de Dados (LGPD), Lei nº 13.709/2018. The LGPD grants Brazilian residents rights substantially similar to GDPR, including confirmation of processing, access, correction, anonymization or deletion of unnecessary data, data portability, and revocation of consent. For LGPD requests, contact [email protected] with "LGPD Request" in the subject line.

References: LGPD (Lei nº 13.709/2018), Articles 17–22 (data subject rights). Supervisory authority: Autoridade Nacional de Proteção de Dados (ANPD).

Australia

If you are an Australian resident, your personal information may be protected under the Privacy Act 1988 (Cth), as amended by the Privacy and Other Legislation Amendment Act 2024. The Australian Privacy Principles (APPs) grant you rights to access and correct your personal information. For APP requests, contact [email protected].

References: Privacy Act 1988 (Cth); Australian Privacy Principles (APPs). Supervisory authority: Office of the Australian Information Commissioner (OAIC).

How to Submit International Privacy Requests

To exercise rights under any of the above frameworks, please email [email protected] specifying: (1) your jurisdiction, (2) the specific right(s) you wish to exercise, and (3) sufficient information to verify your identity and locate your data. We will respond within the timeframe required by the applicable law. We may request additional information to verify your identity or the legitimacy of the request. We reserve the right to decline requests where required or permitted by law.

12. GDPR Compliance Measures

IntelFetch is committed to full compliance with the General Data Protection Regulation and implements comprehensive organizational and technical measures to protect personal data in accordance with GDPR Article 32. We have established a robust data protection framework that includes appointment of data protection responsibilities within our organization, regular privacy impact assessments for new features and data processing activities, documented data processing records as required under GDPR Article 30, and clear data processing agreements with all third-party service providers to ensure they meet GDPR standards. Our technical measures include industry-standard encryption for data in transit using TLS protocols and encryption at rest for sensitive database fields, regular security audits and vulnerability assessments to identify and address potential weaknesses, automated backup systems with encryption to ensure data availability and integrity, network security controls including firewalls and intrusion detection systems, and secure access controls with multi-factor authentication for administrative access to systems containing personal data.

We implement privacy by design and by default principles throughout our platform development, ensuring that data protection is integrated into all new features and processing activities from the earliest stages. This includes data minimization practices to collect only the personal data necessary for specified purposes, pseudonymization techniques where appropriate to reduce privacy risks, automatic deletion mechanisms for temporary data and expired sessions, granular access controls ensuring employees can only access data necessary for their specific roles, and comprehensive logging and monitoring of all access to personal data for security and accountability purposes. We maintain incident response procedures to promptly detect, investigate, and respond to any personal data breaches, including notification to the Swedish Authority for Privacy Protection within 72 hours when required under GDPR Article 33. Our staff receives regular training on GDPR requirements, data protection best practices, and secure handling of personal information to ensure ongoing compliance across our organization.

We conduct regular reviews of our data protection practices to ensure continued compliance with GDPR and adapt to evolving regulatory guidance. Our data processing activities are designed to respect the principles of lawfulness, fairness, and transparency, ensuring that data subjects understand how their data is being used. We maintain detailed documentation of all processing activities, including the purposes of processing, categories of data subjects and personal data, recipients of personal data, and international data transfers. This documentation is available for review by supervisory authorities upon request and demonstrates our commitment to accountability under GDPR Article 5(2).

13. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. User account data is retained for the duration of your active account relationship. Upon account deletion using our automated deletion feature, your personal data is permanently and irreversibly removed from our systems. Request logs, usage analytics, and security logs are retained for up to three years for security monitoring, fraud prevention, abuse detection, and potential contractual claim purposes as permitted under GDPR. When determining retention periods, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure, our legitimate business needs, and whether we can achieve our purposes through other means.

References: GDPR Article 5(1)(e) (storage limitation principle).

14. International Data Transfers

IntelFetch operates as a Swedish company under Cintel Solutions AB, but our primary infrastructure is hosted on self-managed servers located in the United States. This means personal data collected from users in the European Union and European Economic Area is transferred to and processed in the United States, which is considered a third country under GDPR. We implement appropriate safeguards to ensure your personal data remains protected in accordance with European data protection standards. These safeguards include strict technical and organizational security measures as described in this policy, contractual commitments to maintain GDPR-equivalent data protection standards, encryption of data in transit and at rest, access controls limiting data access to authorized personnel only, and regular security audits of our infrastructure and processing activities.

We recognize that the United States may not benefit from an adequacy decision under GDPR Article 45. In the absence of such an adequacy decision, we rely on appropriate safeguards under GDPR Article 46, including standard contractual clauses (SCCs) and supplementary measures to ensure the protection of transferred personal data. We monitor developments in international transfer rules and guidance from the European Data Protection Board. Where we use third-party service providers that process data outside the EU/EEA, we ensure they are subject to GDPR-compliant data processing agreements and appropriate transfer mechanisms.

References: GDPR Articles 45–46 (adequacy and appropriate safeguards, including SCCs).

By using our services, you acknowledge and consent to the transfer of your personal data to the United States and other jurisdictions where our service providers operate. If you have concerns about international data transfers, please contact us at [email protected] to discuss your options, though this may limit certain functionalities of our service.

15. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take immediate steps to delete that information.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. We encourage you to review this Privacy Policy periodically for any changes.

17. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us via Telegram or reach out to our Data Protection Officer at [email protected].

18. Data Controller and Company Information

Cintel Solutions AB (conducting business primarily under the brand name IntelFetch) is the data controller for personal data processed in connection with this service. Cintel Solutions AB is a Swedish aktiebolag registered with organisation number 559532-7023, with registered office at Hällestadsvägen 94, 247 50 Dalby, Sweden.

Data Protection Officer (DPO):
Email: [email protected]

For privacy inquiries under GDPR and Swedish law, data subject rights requests, or data protection matters, you may contact our Data Protection Officer at [email protected] or our legal department at [email protected].

Supervisory Authority: If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at www.imy.se, email [email protected], or phone 08-657 61 00.