Privacy Policy
Effective Date: February 19, 2026 · Last Updated: March 28, 2026
Controller: Gurusmart Technology LLC and GurusmartTech Research Lab
Privacy-First Commitment. OSINT.GurusmartTech is architected with a zero-logging philosophy for public tools. We process security data ephemerally — inputs are analyzed in real-time and immediately discarded. This policy explains precisely what we collect, why, and your rights under applicable global law.
1. Introduction
Gurusmart Technology LLC and the GurusmartTech Research Lab ("Company," "we," "us," or "our") operate OSINT.GurusmartTech (the "Platform"). We are committed to protecting the privacy of all individuals who access or use the Platform.
This Privacy Policy ("Policy") explains: what personal data we collect; how and why we process it; with whom we share it; how long we retain it; your rights under applicable law; and how to contact us with privacy concerns. This Policy applies to all users globally and is designed to meet the requirements of applicable data protection frameworks including, without limitation:
- EU General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679;
- UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018;
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA);
- Nigeria Data Protection Regulation (NDPR) 2019 and Nigeria Data Protection Act 2023;
- South Africa Protection of Personal Information Act (POPIA) 4 of 2013;
- Canada Personal Information Protection and Electronic Documents Act (PIPEDA);
- Ghana Data Protection Act 2012 (Act 843);
- Kenya Data Protection Act 2019;
- CAN-SPAM Act and applicable U.S. federal and state privacy laws.
2. Data Controller Identity
Data Controller / Business
Gurusmart Technology LLC
GurusmartTech Research Lab
Contact: info@gurusmart.ai
Data Protection Officer: legal@gurusmart.ai
For users in the European Economic Area (EEA) or United Kingdom, the Company acts as the data controller within the meaning of GDPR Article 4(7) and UK GDPR respectively. For Nigerian users, the Company is the data controller as defined under the NDPR 2019 and the Nigeria Data Protection Act 2023.
3. Data We Collect
We collect the following categories of data, depending on how you interact with the Platform:
A. Data You Provide Directly
- Account Registration: Email address, password (stored as an irreversible hash), and optional profile name when you create an account;
- Payment Information: Billing details are collected directly by our payment processors (Stripe, Flutterwave, PayPal). We do not store full card numbers or bank account details on our servers;
- Support Communications: Any information you provide when contacting us via email.
B. Data Collected Automatically
- Usage Data: Pages visited, tools used, session duration, feature interactions — collected in aggregate and anonymized form;
- Technical Data: IP address (used for geo-detection and rate limiting only, not stored long-term), browser type, operating system, device type, referral URL;
- Authentication Tokens: Session tokens managed by our authentication infrastructure for security purposes.
C. Data You Submit for Analysis (Tool Inputs)
When you use public security tools (phishing analyzer, URL scanner, password checker, etc.), the content you submit is processed ephemerally. See Section 6 (Zero-Log Policy) for full details.
4. How We Use Your Data
We process personal data for the following purposes:
- Service Delivery: To authenticate users, process subscriptions, and provide access to Platform features;
- Security Operations: To detect, prevent, and respond to fraud, abuse, unauthorized access, and security threats;
- Communications: To send account-related emails (password resets, billing notices, security alerts). We do not send unsolicited marketing emails without consent;
- Service Improvement: To analyze anonymized usage patterns and improve the Platform's features and performance;
- Legal Compliance: To comply with applicable laws, regulations, legal process, and governmental requests;
- Dispute Resolution: To enforce our Terms of Service and defend legal claims;
- Geo-Based Pricing: IP-based country detection for localized pricing. The IP address is used transiently and not retained after the session.
We do not sell, rent, or trade personal data to third parties for advertising or marketing purposes.
5. Legal Basis for Processing (GDPR / UK GDPR)
For users in the EEA and United Kingdom, our processing is based on the following legal grounds under GDPR Article 6:
- Contract (Art. 6(1)(b)): Processing necessary to perform our contract with you — account creation, subscription management, service delivery;
- Legitimate Interests (Art. 6(1)(f)): Fraud detection, platform security, anonymized analytics, and improving our services — balanced against your rights and interests;
- Legal Obligation (Art. 6(1)(c)): Compliance with applicable laws, tax obligations, and lawful authority requests;
- Consent (Art. 6(1)(a)): Where we rely on your explicit consent (e.g., optional marketing communications). You may withdraw consent at any time without affecting prior processing.
For special categories of data (if applicable), processing is based on GDPR Article 9(2)(a) explicit consent or Article 9(2)(g) substantial public interest, as appropriate.
6. Zero-Log Policy for Public Tools
Privacy-First Architecture
Content submitted to the following public tools is processed entirely ephemerally and is never persistently stored, logged, or retained on our servers:
- Phishing & Smishing Analyzer: Email/SMS content is transmitted over HTTPS to our AI inference layer, analyzed, and immediately discarded. When email headers are included, sender IP addresses are extracted and queried against third-party IP reputation services (ip-api.com, Spamhaus DNSBL, and optionally AbuseIPDB) in real-time. These IP addresses are not stored after analysis;
- Password Strength Checker: Passwords are analyzed client-side where possible. When server-side analysis is required, the password is transmitted encrypted and discarded after the response;
- URL Scanner: Submitted URLs are analyzed and discarded. We do not retain a history of scanned URLs for unauthenticated users;
- Breach Checker: Email addresses for breach checking are transmitted directly from your browser to trusted third-party services (Have I Been Pwned, Mozilla Monitor) without routing through our servers.
This zero-log design is enforced at the infrastructure level. Our AI processing providers receive only the submitted content for the duration of inference and do not retain it.
7. Authenticated User Data & Scan Logs
For authenticated subscribers (Basic, Pro, Enterprise tiers), the following additional data is collected and retained to support subscribed features:
- Scan History: An anonymized preview of submitted content (e.g., first 200 characters of an email subject) and the analysis result are stored in your personal scan log to support the Threat History and PDF Report features. Raw full inputs are discarded after analysis;
- Subscription Status: Your tier, subscription end date, and payment reference are stored to manage access control;
- API Keys: Hashed API keys (SHA-256) and usage logs (endpoint, status code, response time, timestamp) are stored for Enterprise/API Access users. Full API key values are never stored — only the cryptographic hash and a short prefix for identification;
- Team Data: For Enterprise users, team membership data (invited emails, user roles, join dates) is stored to support organizational features;
- Scheduled Scans: For subscribers using automated recurring scans, we store: scan configuration (target, scan type, schedule frequency), last execution timestamp, next scheduled run, and the most recent scan result. Target identifiers (email addresses, domains) are retained for the duration the scheduled scan is active;
- Domain Breach Checks: When you perform a domain breach lookup, the domain name is transmitted to the Have I Been Pwned API. Results are displayed to you in real-time. For authenticated users, domain breach results may be stored in your scan history if performed within the Security Audit feature;
- Security Audit Reports: The HIBP Security Audit aggregates results from multiple checks (breach, paste, phishing, smishing, password, URL). The combined risk score and individual results are stored in your scan history for report generation (PDF/DOCX). Raw input content is truncated to a preview and the full content is discarded.
You may delete your scan history at any time from your Dashboard. Account deletion requests will result in permanent removal of all personal data within 30 days, subject to legal retention obligations.
8. Third-Party Data Processors
We work with carefully selected third-party processors to operate the Platform. All processors are bound by data processing agreements requiring appropriate security and data protection standards:
| Processor | Purpose | Location |
|---|---|---|
| Supabase / Lovable Cloud | Authentication, database, backend infrastructure | USA (AWS) |
| Stripe | Payment processing (USD, GBP, CAD) | USA |
| Flutterwave | Payment processing (NGN / Africa) | Nigeria / USA |
| PayPal | Alternative payment processing | USA |
| AI Inference Providers | Ephemeral analysis of submitted content | USA |
| Have I Been Pwned / Mozilla Monitor | Breach lookup (direct browser-to-service) | Global |
| AbuseIPDB | IP reputation & abuse confidence scoring (optional, API key required) | USA |
| Spamhaus (via DNS) | IP blocklist / DNSBL reputation check | Global |
| ip-api.com | GeoIP / ASN lookup for sender IP intelligence | Global |
| Postmark | Transactional email delivery | USA |
We do not authorize any processor to use your data for their own independent purposes.
9. International Data Transfers
The Company is based in the United States. Your personal data may be transferred to and processed in the United States and other countries that may not have data protection laws equivalent to those in your jurisdiction.
Where we transfer personal data from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914);
- UK International Data Transfer Agreements (IDTAs) where applicable;
- Binding Corporate Rules or other approved transfer mechanisms;
- Supplementary technical and organizational measures where required.
For Nigerian users, international data transfers comply with the requirements of the Nigeria Data Protection Act 2023, Article 43, requiring adequate protection in the destination country or equivalent contractual safeguards.
You may request a copy of the applicable transfer safeguards by contacting us at info@gurusmart.ai.
10. Data Retention
We retain personal data only as long as necessary for the purposes outlined in this Policy:
- Account Data: Retained for the duration of your account plus 90 days following account deletion (to handle billing disputes);
- Scan Logs: Retained for the duration of your subscription. Automatically deleted upon account deletion;
- Payment Records: Retained for 7 years to comply with financial and tax regulations;
- Security & Fraud Logs: Retained for up to 2 years for fraud prevention and legal compliance;
- Tool Inputs (Public): Not retained — discarded immediately after analysis (zero-log);
- Support Correspondence: Retained for up to 3 years to maintain quality of service and resolve disputes.
When retention periods expire, data is securely deleted or anonymized in accordance with industry-standard data destruction practices.
11. Your Privacy Rights (General)
Regardless of your location, you have the right to:
- Request access to the personal data we hold about you;
- Request correction of inaccurate or incomplete data;
- Request deletion of your personal data (subject to legal retention obligations);
- Opt out of non-essential communications at any time;
- File a complaint with your applicable data protection authority.
To exercise any of these rights, contact us at info@gurusmart.ai. We will respond within the timeframes required by applicable law. We may need to verify your identity before fulfilling requests.
12. GDPR & UK GDPR Rights (EEA & UK Users)
If you are located in the EEA or United Kingdom, you have the following additional rights under GDPR / UK GDPR:
- Right of Access (Art. 15): Obtain a copy of your personal data and information about how it is processed;
- Right to Rectification (Art. 16): Correct inaccurate personal data;
- Right to Erasure / Right to be Forgotten (Art. 17): Request deletion of your data where no lawful basis for continued processing exists;
- Right to Restriction of Processing (Art. 18): Request that we limit how we use your data in certain circumstances;
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format;
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing;
- Rights Related to Automated Decision-Making (Art. 22): Not be subject to solely automated decisions with significant legal or similar effects.
You have the right to lodge a complaint with your national supervisory authority. In the EU, the relevant authority is determined by your country of residence. In the UK, the relevant authority is the Information Commissioner's Office (ICO) at ico.org.uk.
We will respond to GDPR requests within 30 days (extendable by two further months for complex requests, with notice).
13. CCPA / U.S. State Privacy Rights (California & Others)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information collected about you in the preceding 12 months;
- Right to Delete: Request deletion of your personal information, subject to certain exceptions;
- Right to Correct: Request correction of inaccurate personal information;
- Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is required as we do not engage in this activity;
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide services;
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
Users in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with comprehensive privacy laws have analogous rights which we honor on a consistent basis.
To submit a verifiable consumer request, email info@gurusmart.ai. We respond within 45 days (extendable to 90 days with notice).
14. Nigeria Data Protection Rights (NDPR / NDPA 2023)
In compliance with the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023, Nigerian users have the following rights:
- Right of Access: Request a copy of personal data we hold about you;
- Right to Rectification: Correct inaccurate or outdated data;
- Right to Erasure: Request deletion of data no longer necessary for the original purpose;
- Right to Data Portability: Receive data in a structured, commonly used format;
- Right to Object: Object to specific types of processing;
- Right to Withdraw Consent: Withdraw consent where processing is based on consent, without affecting prior lawful processing.
The Company complies with the NDPA 2023 requirement to register with the Nigeria Data Protection Commission (NDPC) for entities processing personal data of Nigerian residents above the applicable threshold. Complaints may be directed to the NDPC at ndpb.gov.ng.
Flutterwave, our payment processor for Nigerian and African transactions, is a registered Nigerian entity and complies with the NDPR/NDPA independently as a data processor.
15. Other African Jurisdiction Data Protection Compliance
For users in African jurisdictions beyond Nigeria, we acknowledge and comply with applicable national data protection frameworks, including:
- South Africa (POPIA 2013): We process personal information of South African users in accordance with the eight conditions for lawful processing under POPIA. Users may direct inquiries to the Information Regulator of South Africa at inforegulator.org.za;
- Ghana (Data Protection Act 2012): We process personal data of Ghanaian residents in accordance with the Data Protection Commission's requirements;
- Kenya (Data Protection Act 2019): We respect the rights of Kenyan data subjects as defined by the Kenya Data Protection Act and the Office of the Data Protection Commissioner;
- Other African Nations: We apply a baseline of NDPR/GDPR-equivalent standards to all African users regardless of whether their jurisdiction has enacted a comprehensive data protection law.
17. Children's Privacy
The Platform and Services are intended exclusively for users who are 18 years of age or older. We do not knowingly collect, process, or retain personal information from individuals under 18.
In compliance with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, we do not direct the Services to children under 13 and take no action to knowingly collect data from such individuals.
If we become aware that we have inadvertently collected personal data from a minor, we will take prompt steps to delete that information. If you believe a minor has submitted data through the Platform, contact us immediately at info@gurusmart.ai.
18. Security Measures
We implement technical, administrative, and organizational security measures designed to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These include:
- TLS/HTTPS encryption for all data in transit;
- AES-256 encryption for data at rest;
- Password hashing using industry-standard algorithms (bcrypt/Argon2);
- API key hashing — full keys are never stored in plaintext;
- Ephemeral processing of tool inputs — real-time analysis with immediate discard;
- Row-Level Security (RLS) policies enforced at the database level to prevent unauthorized cross-user data access;
- Regular security assessments and penetration testing;
- Principle of least privilege access controls for internal systems.
Despite these measures, no security system is impenetrable. In the event of a personal data breach affecting your rights and freedoms, we will notify you and applicable supervisory authorities within the timeframes required by law (72 hours under GDPR; as soon as reasonably practicable under NDPA 2023).
19. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy at any time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this Policy;
- Notify registered users via email at least 14 days before the changes take effect;
- Display a prominent notice on the Platform.
Your continued use of the Platform after the effective date of any updated Policy constitutes acceptance of the changes. If you disagree with material changes, you may close your account before the effective date.
20. Contact & Data Protection Officer
For privacy inquiries, data subject rights requests, complaints, or to reach our Data Protection Officer:
Gurusmart Technology LLC — Privacy Office
GurusmartTech Research Lab
General Privacy: info@gurusmart.ai
Data Protection Officer: legal@gurusmart.ai
We aim to acknowledge all privacy requests within 5 business days and resolve them within the timeframes required by your applicable law. If you are not satisfied with our response, you have the right to lodge a complaint with your national or regional data protection authority.
