Skip to content
OSINT Tradecraft
OSINT Tradecraft
Investigation skills · Vol. 8
Free starter
Doc · PRIV-001Effective · 2026-05-24Version · 2026.5Distribution · Public

Privacy Policy

The short version: we collect the minimum needed to deliver the product (email, billing record, license + download metadata). We do not sell your data, we do not run third-party advertising, and we do not read the investigations you conduct with the Skills.

1. What we collect

Account information

  • Email address (required for login + license delivery)
  • Display name (optional)
  • Account creation date and last-login timestamp
  • Authentication metadata managed by Clerk (session tokens, MFA settings)

Billing information

  • Purchase history (bundle name, amount, date)
  • Stripe customer ID
  • Subscription status and renewal date
  • Billing country (for tax purposes)

We do not store payment card numbers, CVCs, or bank account numbers. Stripe handles all card data and is PCI-DSS Level 1 certified.

License + download metadata

  • License IDs and the bundles or subscription they belong to
  • Download timestamps, IP address at time of download (for rate limiting and abuse detection)
  • Per-issued-file SHA-256 hash (for leak tracing — see Skill License Agreement §5)

Service usage

  • Page views and route navigation (aggregated, no per-user profiling)
  • Server logs (request URL, status, response time, anonymized IP)

2. What we do not collect

  • The contents of the investigations you conduct using the Skills. The Skills run inside your AI agent on your machine. Your inputs and outputs never reach our servers.
  • Your browsing activity outside osint-tradecraft.com.
  • Biometric, location, or device-fingerprint data beyond what is contained in standard server logs.
  • Marketing trackers from third-party ad networks. We do not embed Facebook Pixel, Google Ads, TikTok Pixel, or similar.

3. Why we collect it

  • To deliver the Service — accounts, downloads, licenses, support.
  • To process payments — via Stripe.
  • To enforce licenses — including the leak-tracing workflow described in the Skill License Agreement.
  • To prevent abuse — rate limiting, fraud detection.
  • To improve the Service — aggregated usage analytics, never per-user profiling.
  • To comply with the law — tax, financial reporting, legal process.

4. Third parties (data processors)

We share data only with the processors below, only for the purposes listed, and only under data-processing agreements that bind them to confidentiality and security:

  • Stripe, Inc. — payment processing. Their privacy policy applies to payment data.
  • Clerk, Inc. — authentication and session management.
  • Supabase, Inc. — database hosting for accounts, licenses, and download metadata.
  • Cloudflare, Inc. — file storage (R2) and edge CDN.
  • Vercel, Inc. — application hosting.
  • Resend — transactional email delivery (purchase confirmations, password resets, license delivery).

We do not sell, rent, or share your data with any party not listed above, except as required by law or as needed to enforce our rights under the Terms or License.

5. Cookies and similar technologies

We use the minimum cookies necessary to operate the Service:

  • Session cookies (set by Clerk) to keep you logged in.
  • CSRF tokens to protect against forgery.
  • Privacy-preserving analytics cookies (anonymized, no cross-site tracking) to measure aggregate usage.

We do not use cookies for advertising or for cross-site behavioral profiling.

6. Data retention

  • Account data — retained while your account is active, plus 24 months after closure (for legal and audit purposes).
  • Billing records — retained for 7 years to comply with tax and accounting law.
  • License + issuance registry — retained indefinitely so we can continue to verify the authenticity of any leaked file that surfaces, including after your account is closed. The registry contains license IDs and file hashes only — not your email or any other PII.
  • Server logs — retained for 30 days, then deleted or anonymized.

7. Your rights

GDPR (European Economic Area, UK, Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request erasure (subject to our retention obligations)
  • Restrict or object to processing
  • Data portability (export in a structured format)
  • Withdraw consent at any time where processing is based on consent
  • Lodge a complaint with your supervisory authority

CCPA / CPRA (California)

If you are a California resident, you have the right to know what personal information we collect, to delete it (subject to our retention obligations), to correct it, and to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CCPA.

How to exercise your rights

Email privacy@osint-tradecraft.com from the address on your account. We will verify your identity and respond within 30 days (45 for complex requests under GDPR).

8. International data transfers

Our infrastructure is hosted primarily in the United States. If you access the Service from outside the US, you consent to your data being transferred to and processed in the US. Our processors maintain appropriate safeguards (Standard Contractual Clauses, EU-US Data Privacy Framework adherence where applicable).

9. Children

The Service is not directed to anyone under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@osint-tradecraft.com and we will delete it.

10. Security

We implement reasonable technical and organizational measures to protect your data — encryption in transit (TLS 1.3), encryption at rest, principle-of-least-privilege access controls, MFA for administrative access, and routine security review. No system is perfectly secure, and we cannot guarantee absolute security.

If we discover a breach of personal data that affects you, we will notify you and the relevant supervisory authorities within the timeframes required by applicable law.

11. Changes to this policy

We may update this Privacy Policy from time to time. The Effective and Version stamps at the top reflect the current version. Material changes will be announced via email to account holders at least 14 days before they take effect.

12. Contact

For privacy questions, requests, or complaints, write to privacy@osint-tradecraft.com.

End of PRIV-001·TermsPrivacyRefundLicense
Privacy Policy · OSINT Tradecraft