// Legal · Last updated 2026-06-02

Privacy Policy

This policy explains what personal data [0x]INT collects, why we collect it, how long we keep it, and the rights you have over it. We keep data collection to the minimum needed to run this website, deliver our briefings, and respond to enquiries. All processing happens on infrastructure we control directly — our Cloudflare edge and Worker, and our own server. We do not use any third-party advertising network, behavioural-tracking cookie, third-party analytics service, or third-party email-marketing platform on this site.

Who we are

[0x]INT is an OSINT and due-diligence agency focused on Russia and the CIS. For the purposes of the EU General Data Protection Regulation (GDPR), [0x]INT is the data controller for the personal data described here. You can reach us about any privacy matter at contact@oxint.io.

What we collect

  • Newsletter email address — if you sign up for our briefings, we collect the email address you submit. Nothing else is required.
  • Intake-request details — if you submit a request through our request form, the details you enter (the services you select, target count, timeline, your briefing text, and the name, organisation and contact address you provide) are sent to our own intake endpoint, running as a Cloudflare Worker on our account. The Worker checks an anti-spam challenge (Cloudflare Turnstile) and your sender IP for abuse prevention, mints a reference, and relays your request by email to our inbox through a mail server we run ourselves. The details are not sold or shared and are not passed to any third-party form, CRM, or email-marketing service.
  • Enquiry details — if you contact us by email or a secure-messaging channel (Threema, Session), we receive whatever information you choose to send, including your contact address and the content of your message.
  • Privacy-preserving usage analytics — we run a self-hosted, cookieless analytics instance (Umami) on our own server, served first-party from this domain. It records aggregate, non-identifying signals such as page paths, a coarse referrer class, and event counts. It sets no cookies, does not fingerprint you, builds no cross-site profile, and sends nothing to a third-party analytics company. We also use Cloudflare Web Analytics (also cookieless) for a basic geography and volume baseline.
  • Technical server logs — like virtually all websites, our Cloudflare edge and our own server record standard request data such as IP address, browser user-agent, and timestamps. This is used for security, abuse prevention, and keeping the site online.

We do not use third-party advertising cookies, cross-site tracking pixels, third-party analytics services, or open-rate beacons in our briefings.

Why we use it and our legal basis

  • Sending briefings — on the basis of your consent, which you give when you subscribe and can withdraw at any time.
  • Handling intake requests — on the basis of taking steps at your request prior to a possible engagement, and our legitimate interest in scoping and responding to enquiries.
  • Responding to enquiries — on the basis of our legitimate interest in answering people who contact us, and in taking steps prior to any engagement.
  • Spam and abuse prevention on the intake form (the Turnstile challenge and short-lived per-IP rate-limit data) — on the basis of our legitimate interest in protecting the form from automated abuse.
  • Privacy-preserving usage analytics — on the basis of our legitimate interest in understanding, in aggregate and without identifying you, how the site is used so we can improve it. The analytics are cookieless and collect no personal profile.
  • Securing the site — on the basis of our legitimate interest in protecting our infrastructure against abuse and attack.

Processors and where your data is handled

We deliberately keep the list of processors short, and we run the parts that touch your request details ourselves:

  • Cloudflare (edge and Worker) — Cloudflare serves and protects this site at its edge, and our intake form posts to a Cloudflare Worker running on our own account. The Worker processes your request details in transit (validating the Turnstile anti-spam challenge, applying a short-lived per-IP rate limit, and minting a reference) and Cloudflare processes the technical server-log data described above. We do not use a third-party form provider or CRM.
  • Our own mail server — intake requests are relayed to our inbox by a mail server we operate ourselves. The content of your request is not handed to a third-party transactional-email or email-marketing service.
  • Our own analytics (self-hosted Umami) — usage analytics run on an instance we host ourselves and serve first-party from this domain. There is no third-party analytics company in this path. Cloudflare Web Analytics (cookieless) provides a basic geography and volume baseline.
  • Buttondown (newsletter only) — if, and only if, you subscribe to our newsletter, your email address is stored on our behalf by Buttondown, which provides one-click unsubscribe in every email. This processor is involved only in the optional newsletter and never sees intake-request or analytics data.

Beyond the optional newsletter above, the data you send through this site is processed only on infrastructure we control (our Cloudflare account and our own server). We do not use a third-party email or analytics sub-processor for intake requests or site analytics. We never sell, rent, or share our subscriber list, and we do not pass your data to third parties for marketing.

How long we keep it

  • Newsletter email — kept until you unsubscribe or ask us to delete it, after which it is removed from our active list.
  • Intake requests — the request you submit arrives in our inbox by email and is kept only as long as needed to handle your request and any resulting engagement, then deleted. The Worker does not maintain its own database of submissions; the per-IP rate-limit counter used for spam prevention is transient and expires within minutes.
  • Enquiry correspondence — kept only as long as needed to handle your request and any resulting engagement, then deleted.
  • Usage analytics — aggregate, non-identifying event data retained on our own analytics instance for trend analysis; it contains no personal profile that can be tied back to you.
  • Server logs — retained for a short period for security and then rotated out in the normal course.

A note on the intake form

When the intake endpoint is reachable, the request you submit is transmitted to our own Cloudflare Worker and relayed to our inbox — so, unlike a simple contact link, your details do pass through a server (one we control). If that endpoint is ever unavailable, the form falls back to composing the message locally in your own email client (a mailto: message) and sends nothing through our servers until you press send; in that fallback case no data is transmitted to us until you choose to send it. We will never tell you a request was received unless our server actually issued you a reference for it.

Your rights

Under the GDPR you have the right to access the personal data we hold about you, to have it corrected or erased, to object to or restrict our processing, to withdraw consent at any time, and to data portability. To exercise any of these rights, email contact@oxint.io. You also have the right to lodge a complaint with your local data-protection authority.

Changes to this policy

If we change how we handle personal data, we will update this page and revise the date shown at the top. This policy was last updated on 2026-05-29.