Draft — pending legal review. This document describes OSINT AI Labs's current data practices as a working draft. Review with counsel before launch.
Last updated: 2026-04-23
1. Who we are
OSINT AI Labs helps sales teams discover candidate buyer companies for their products. "We", "us", and "our" refer to the operator of this service. Contact: bob.steger@gmail.com.
2. Information we collect
We collect only what is necessary to operate the service:
- Account data — your email address and an opaque identifier from our authentication provider (Supabase).
- Usage data — counts and timestamps of discovery requests you make, used to enforce per-plan quotas and improve the service. We do not attach the content of your queries to your account beyond what is needed to render and save reports.
- Billing data — if you subscribe to a paid plan, Stripe collects and processes your payment details. We store only a Stripe customer identifier and the current subscription status; card numbers never touch our servers.
- Reports you save — when you save a discovery report, the product list and candidate company information contained in it are stored against your workspace.
3. Information we display about third parties
The service displays information about companies retrieved from public sources — the Google Places API and publicly reachable company websites that we politely scrape while respecting robots.txt. We do not use dubiously sourced contact data, and we do not store personal data about individuals beyond what a company itself publishes (for example, a general "info@" email address on its own website).
4. How we use your data
- To authenticate you and maintain your account.
- To run discovery queries you request and return results.
- To enforce usage limits and apply billing entitlements.
- To diagnose errors and improve reliability.
We do not sell personal data. We do not send marketing email without your explicit opt-in.
5. Your rights
You can export all data we hold about you at any time via GET /api/v1/me/export, and delete your account via DELETE /api/v1/me (or the controls on the Settings page). Deletion is not a soft-delete: the rows are removed from our database, and any active paid subscription is cancelled at the same time. GDPR- and CCPA-specific rights (access, rectification, restriction, portability, objection) are honoured through these same endpoints; email us if you need assistance.
6. Retention
Account, usage, and report data are retained until you delete your account. Billing records may be retained by Stripe independently per their own policies, for tax and accounting purposes.
7. Sub-processors
- Supabase (authentication)
- Stripe (payments)
- Google Places API (candidate discovery)
- Hunter.io (paid tier email enrichment, when enabled)
8. Changes
We will update the "Last updated" date above whenever this policy changes, and notify active users by email when the change is material.