VØIDNETversion 2026-04-12

> PRIVACY POLICY

Last updated: 12 April 2026 · Version 2026-04-12

This Privacy Policy explains how the VØIDNET platform (the “Service”) collects, uses, stores and protects personal data, in compliance with Regulation (EU) 2016/679 (the “GDPR”), the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD”), and Law 34/2002 on Information Society Services (“LSSI-CE”).

1. Data controller

The data controller responsible for processing your personal data is the operator of the VØIDNET project. You can reach the controller at privacy@vøidnet.app. Where we process personal data on behalf of users (for example, when you submit a target identifier into a scan) you act as data controller and we act as your data processor with respect to that input.

2. What data we collect

We process the following categories of personal data:

  • Account data: the email address you use to sign in, an automatically generated username derived from it, and the timestamp at which you accepted these legal documents.
  • Authentication data: hashes of one-time sign-in tokens (we never store the plaintext token), the IP address and user-agent of the device that requested each link, and the timestamps of issue, redemption and expiry.
  • Service data: the inputs you submit (e.g. emails, usernames, IPs, domains, hashes), the modules you run, and the resulting scan output, which we store so you can revisit it.
  • Knowledge graph: entities and relations derived from your scans (emails, usernames, IPs, domains, organisations, etc.) linked to your account.
  • Technical data: server logs (request paths, status codes, IP, user agent) for security, abuse prevention and debugging.

3. Lawful basis

We rely on the following legal bases under Article 6 GDPR:

  • Performance of a contract (Art. 6.1.b) — to provide you with the Service you have requested, including issuing sign-in links and storing your scans.
  • Legitimate interest (Art. 6.1.f) — to keep the Service secure, to investigate abuse, and to enable lawful security and OSINT research. Our interest is balanced against the rights and freedoms of data subjects.
  • Legal obligation (Art. 6.1.c) — where we are required to retain or disclose data by law (e.g. response to a lawful order).
  • Consent (Art. 6.1.a) — when you explicitly accept these legal documents at sign-in. You may withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.

4. Purposes of processing

  • Authenticating you and managing your account.
  • Executing the OSINT modules you invoke and returning results.
  • Building your private knowledge graph from those results.
  • Detecting, preventing and mitigating abuse, fraud and security incidents.
  • Complying with applicable legal obligations.

5. Recipients of data

We share personal data only with the following categories of recipients, and only to the extent strictly necessary for the purposes above:

  • Email delivery provider — to send sign-in links to your inbox.
  • Hosting and infrastructure providers — for storage, compute and network of the Service.
  • Threat-intelligence and OSINT data providers — when you run a scan, the identifier you submit is sent to one or more upstream APIs to retrieve enrichment data. By submitting an input, you instruct us to perform that lookup on your behalf.
  • Public authorities — only when required by a binding legal request, and only after assessing its legality.

We do not sell personal data, and we do not use it for targeted advertising or profiling.

6. International transfers

Some of the providers above may process data outside the European Economic Area. Where this is the case, we rely on appropriate safeguards under Chapter V GDPR, such as the European Commission's Standard Contractual Clauses or an adequacy decision.

7. Retention

  • Account data: retained for as long as your account is active. After deletion, residual backups may persist for up to 30 days before being purged.
  • Sign-in tokens: single-use, expire after 15 minutes. Used or expired records are kept briefly for audit and abuse-prevention purposes.
  • Scan results & knowledge graph: retained until you delete them or until you delete your account.
  • Server logs: typically retained for up to 90 days, longer if needed for security investigation.

8. Your rights

Under the GDPR you have the following rights, which you can exercise by writing to privacy@vøidnet.app:

  • Right of access (Art. 15) — to obtain a copy of your personal data.
  • Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
  • Right to erasure / “right to be forgotten” (Art. 17).
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20).
  • Right to object (Art. 21), in particular to processing based on legitimate interest.
  • Right to withdraw consent at any time, where processing is based on consent.
  • Right to lodge a complaint with a supervisory authority. In Spain this is the Agencia Española de Protección de Datos (www.aepd.es).

9. Cookies & local storage

The Service uses strictly necessary browser local storage to keep your authentication token and basic UI state. We do not use analytics, advertising or tracking cookies. No prior consent is required for strictly necessary storage under Article 22.2 LSSI-CE.

10. Security

We implement reasonable technical and organisational measures to protect personal data, including transport encryption (TLS), hashed authentication tokens, principle of least privilege, and short token lifetimes. No system can be guaranteed 100% secure; if you become aware of a vulnerability, please report it to security@vøidnet.app.

11. Children

The Service is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us so we can delete it.

12. Changes to this Policy

We may update this Policy from time to time. When we make material changes we will bump the version identifier at the top of the page and may require you to acknowledge the new version the next time you sign in.