GDPR Compliance
A high-level GDPR posture for OSINTA.AI: lawful basis discipline, rights-response workflows, and transfer safeguards. Contract-specific terms remain in your agreement.
Data Controller and Contact
- Data Controller: OSINTA.AI
- Contact: privacy@osinta.ai
1) Data controller and processor roles
OSINTA.AI acts as a data processor for customer data and as a data controller for account and service operation data. We process personal data in accordance with GDPR requirements and your instructions.
Depending on deployment and service configuration, data processing agreements (DPAs) may be available for enterprise customers.
2) Data subject rights (DSAR)
We support data subject rights under GDPR Art. 15-22, including:
- Right of access: You can access your personal data through the service interface or export functions.
- Right to rectification: Request correction of inaccurate data through account settings or support.
- Right to erasure: Request deletion of your account and associated data when no longer needed.
- Right to restrict processing: Request limitation of processing in certain circumstances.
- Right to data portability: Export your data in a machine-readable format.
- Right to object: Object to processing based on legitimate interests where applicable.
3) Lawful bases for processing
Personal data is processed under GDPR Art. 6 based on:
- Contract performance: Account creation, authentication, service delivery, and support.
- Legal obligation: Compliance with statutory record-keeping, reporting, and billing requirements.
- Legitimate interests: Service security, abuse prevention, and performance improvements.
- Consent: Where explicitly provided for optional communications or analytics.
4) Data transfers and safeguards
Data may be transferred to service providers necessary for service delivery, including cloud hosting, communications, and analytics (if enabled).
Where transfers occur outside the EEA, we aim to use appropriate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions.
Transfer scope is kept to a minimum and limited to what is necessary for service operation.
5) Data minimization and retention
We collect and retain only the data necessary for service operation and support. Data retention periods are aligned with service needs and legal requirements.
Data is deleted when no longer needed for the processing purpose or upon request, subject to legal retention obligations.
6) Security and breach notification
We implement technical and organizational measures to protect personal data, including encryption, access controls, and regular security assessments.
In the event of a data breach that may affect your rights, we will notify you and relevant supervisory authorities as required by GDPR Art. 33-34, typically within 72 hours where feasible.
Last updated: 2026-01-24
Questions about GDPR?
For GDPR governance, DPA discussion, or rights-response coordination, contact our privacy channel.