Privacy Policy
Last Updated: 3/30/2026
This Privacy Policy describes how OSINTO.ai collects, uses, and protects your personal information.
Effective Date: Dec 2025
Thanks for using OSINTO.ai — our mission is to build and provide a living knowledge environment for Security, Resilience and Defence stakeholders, to promote global Risk & Resilience Management capability via a secure, trusted platform for sharing and sourcing business, operational, and threat intelligence, market insights and associated risk mitigation solutions and opportunities.
This Privacy Policy explains how we collect, use, and protect your personal data when you access or use our websites, software, browser extensions, chat, AI summaries, and related services (collectively, the “Services”). OSINTO.ai acts as the Data Controller for the personal data collected through the Services, meaning we determine the purposes and means of processing your data.
1. What Information We Collect and Why
We collect only the personal data necessary to enable you to register, engage with the platform, communicate securely, and comply with legal obligations.
This includes:
● Account Information: Your name, email address, company name, and login credentials.
● Usage Data: Information about your activities on the platform, such as messages posted, groups joined, and interactions with content.
● Technical Data: Device information (like IP address, browser type), and data from cookies and similar technologies to improve and secure the Services.
● Communications Data: Content of your messages, chats, and summaries generated or sent by the platform.
● Billing Data: If applicable, payment information required to process subscriptions or purchases.
We do not collect or store sensitive personal data such as physical addresses, phone numbers, or contact lists unless you explicitly provide them. We do not knowingly collect personal data from individuals under the age of 18, as our services are not directed at children.
2. Legal Bases for Processing Your Data
We process your data based on the following legal grounds:
● Performance of Contract: To provide and maintain your account and the Services, including enabling your access to the platform, facilitating communications, and delivering AI summaries and other features as described.
● Consent: For optional communications such as marketing emails, which you can opt out of at any time, and for the use of non-essential cookies.
● Legitimate Interests: To improve, protect, and secure the platform, including fraud prevention and abuse detection. Our legitimate interests include:
o Enhancing the security and functionality of the Services.
o Detecting and preventing fraud, unauthorized access, and other malicious activities.
o Understanding how users interact with our platform to improve user experience and develop new features.
o Conducting analytics and research to optimize our service delivery.
o Ensuring the integrity and stability of our systems.
o Managing our business operations effectively.
We ensure that these interests do not override your fundamental rights and freedoms.
● Legal Compliance: To comply with applicable laws and respond to lawful government or judicial requests.
3. How We Use Your Information
We use your data to:
● Provide and personalize the Services you use.
● Enable collaboration, sharing, and communications within the intelligence forum.
● Maintain security and detect unauthorized or abusive behaviour.
● Comply with legal requirements and protect our rights.
● Send service-related notices and optional marketing communications (only with your consent).
● Generate AI summaries and insights from communications data to enhance the utility of the platform's intelligence sharing capabilities. When we use AI to process forum content for summaries, we want to be clear that while we exclude direct personal identifiers, the content itself, such as unique opinions, experiences, or specific details you share, may still constitute personal data. This is because such information can indirectly relate to or help identify you within the context of your contributions. We process this data to provide valuable insights and improve the service, always in accordance with this policy. We do not use your individual communications data to train public-facing AI models without explicit, separate consent.
4. Sharing Your Data
We do not sell your personal data.
We may share your information with:
● Service Providers: Trusted third-party partners who help us operate and improve the Services (e.g., hosting, security, payment processing). They access your data only to perform specific tasks and must comply with our data protection standards and contractual obligations.
● Other Users: Information you choose to make visible to others within the platform, such as your name and profile details, to facilitate collaboration and communication.
● Legal Authorities: When required by law or to protect safety, prevent fraud, or enforce our rights.
5. Your Rights and Controls
Under GDPR and other privacy laws, you have the right to:
● Access: Request a copy of the personal data we hold about you.
● Correction: Update or correct inaccurate or incomplete information.
● Erasure: Delete your personal data, subject to certain legal or operational limitations.
● Restriction: Limit the use of your data in specific situations.
● Data Portability: Receive your data in a commonly used, machine-readable format.
● Object: Object to certain data processing, including marketing communications.
You can exercise these rights by contacting us at [email protected]. You can also manage your communications preferences via links provided in our emails.
6. Data Retention
We retain your personal data only as long as necessary to provide the Services and fulfil legal obligations.
If you delete your account, we will securely erase your data within 30 days, except where retention is required by law or for legitimate business purposes (such as dispute resolution).
7. Security of Your Data
We implement appropriate technical and organizational measures to protect your data from unauthorized access, loss, or misuse, including:
● Encryption of data in transit and at rest where applicable.
● Regular security assessments and vulnerability testing.
● Two-factor authentication options to secure your account.
● Monitoring for abusive or suspicious behaviour to protect our community.
● Access controls to ensure data is only accessed by authorized personnel on a need-to-know basis.
8. Cookies and Tracking Technologies
We use cookies and similar technologies to:
● Remember your preferences and login details.
● Analyse usage to improve and secure the platform.
● Provide relevant marketing content (with your consent).
You can control cookie settings through your browser, but disabling cookies may limit some functionalities. For a detailed explanation of the types of cookies we use, their purpose, and how to manage your preferences, please refer to our separate Cookie Policy.
9. International Data Transfers
Your data may be processed and stored in the UK and other countries where OSINTO.ai or its service providers operate.
● Transfers to the UK: The European Commission has adopted an adequacy decision for the UK, meaning personal data can be transferred from the European Economic Area (EEA) to the UK without needing additional specific safeguards, as the UK's data protection laws are considered to provide an adequate level of protection.
● Transfers to other countries outside the UK or European Economic Area (EEA): When transferring data to countries without an adequacy decision, we use legally approved safeguards such as Standard Contractual Clauses (SCCs) to ensure your data remains protected. These clauses require data importers to adhere to EU/UK data protection standards. We also conduct transfer impact assessments where required, to ensure that the laws in the recipient country do not undermine the protections provided by the SCCs.
10. Handling Government Requests
We respect your privacy and apply principles of transparency and user protection when responding to government or law enforcement requests for data. We will challenge overly broad or unlawful requests where possible and notify you unless prohibited by law.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes affecting your rights, we will notify you via email or prominent notice on the platform.
12. Contact Us
If you have questions or concerns about this Privacy Policy or your data, please contact our Data Protection Officer at:
Data Protection Officer
OSINTO.ai
[email protected]
13. Chrome Browser Extension
Our OSINTO Chrome extension is designed to keep you connected to your Security, Resilience & Defence Intelligence Forum without requiring you to keep a tab open. The extension does **NOT** read, scan, analyse, or access any content from webpages you visit. It operates independently and only communicates with OSINTO-owned services.
Page Access & Content Injection
The extension injects a floating action button and side panel into webpages you visit using isolated Shadow DOM technology. This ensures the extension UI is completely separate from the page's content.
The extension is designed **not to access, read, or process any content from webpages**, and its content scripts do not include any functionality to inspect, extract, or modify page data. This includes text, inputs, forms, and DOM elements.
The extension may run on all webpages solely to render its interface (floating action button and panel), but it does **not access, read, or process any content** from those pages.
Data Transmission
The extension only sends data to our backend when you actively use it to interact with the OSINTO platform. This includes:
● Authentication tokens for secure login
● API requests to fetch your forum feed and notifications
● Data you explicitly submit (e.g. posts, messages, search queries)
The extension does **NOT** send:
● URLs of pages you visit
● Page content
● Browsing history
● Any information about websites outside of OSINTO services
No Tracking or Monitoring
We do **NOT** track your browsing history, pages you visit, time spent on websites, or general web activity.
The extension has **no analytics or tracking capabilities related to browsing behaviour** and only operates when you explicitly interact with the OSINTO interface or when required for core functionality (such as authentication refresh or notifications).
Local Storage & Authentication
The extension uses Chrome's secure storage API to store:
● Authentication tokens (access and refresh tokens)
● User preferences
This allows you to remain logged in and maintain your settings.
Tokens are stored securely using Chrome's storage APIs and are **never exposed to content scripts or third-party websites**. Authentication uses industry-standard JWT (JSON Web Tokens) via Supabase Auth, with secure token refresh approximately every 45 minutes.
Permissions Explained
The extension requests only the minimum permissions necessary for its core functionality:
● storage: Stores authentication tokens and user preferences locally
● notifications: Allows desktop alerts for new forum activity (e.g. replies, messages)
● alarms: Schedules background tasks such as periodic authentication token refresh
● offscreen: Enables audio playback for notification sounds
● host permissions: Restricted exclusively to OSINTO-owned domains (e.g. osinto.ai, api.osinto.ai, and Supabase infrastructure) for secure communication
Background Service Worker
The extension's background service worker performs only essential tasks:
● Refreshes authentication tokens periodically
● Routes messages between extension components
● Displays notifications for forum activity
It does not perform analytics, user tracking, or unnecessary data processing.
API Calls & Data
All API calls are made exclusively to OSINTO-owned endpoints over secure HTTPS connections.
Only the data required for the feature you are using is transmitted. For example:
● Posting → sends your post content
● Searching → sends your query
We do **not** collect or log browsing activity outside of interactions with OSINTO services.
No AI Processing in Extension
The Chrome extension itself does **not** perform AI processing or send data to AI services.
All AI-powered features (such as summaries or intelligence insights) are handled on OSINTO servers when you use the main platform.
Third-Party Services
The extension uses:
● Supabase for authentication and data storage
● Standard Chrome/browser APIs for notifications and audio
No third-party analytics, tracking, or advertising services are integrated into the extension.
Security & Data Protection
All data transmitted between the extension and OSINTO servers is encrypted using HTTPS (TLS/SSL).
● Authentication tokens are stored securely using Chrome's storage APIs
● Tokens are never accessible to websites you visit
● Access is restricted to OSINTO domains only
The extension follows the principle of least privilege, accessing only what is necessary to function.
Your Control
You can uninstall the extension at any time via chrome://extensions.
Upon uninstallation:
● All locally stored data (tokens and preferences) is removed from your device
● Your OSINTO account data remains on our servers and can be managed via the main website
Commitment to Privacy
The OSINTO Chrome extension is designed with privacy by default.
● It does NOT collect, access, or transmit data from webpages you visit outside of OSINTO services
● It does NOT track browsing behaviour or build user profiles
● It does NOT sell, rent, or use data for advertising or profiling purposes
The extension exists solely to provide convenient, secure access to your Intelligence Forum while maintaining high standards of privacy and data protection.
You also have the right to lodge a complaint with your local data protection authority. For UK residents, this is the Information Commissioner's Office (ICO). For EEA residents, you can find your local authority on the European Data Protection Board (EDPB) website.
Thank you for trusting OSINTO.ai with your information. We are committed to protecting your privacy and maintaining your trust.