Privacy Policy
Last updated: December 19, 2025
1. Introduction
NEETOO Software LLC, operating under the trade name 42SAFE ("we", "us", "our"), is committed to protecting the privacy and security of your personal data. This Privacy Policy describes how we collect, use, share, and protect your information when you use our cybersecurity services.
Data Controller:
NEETOO Software LLC
30 N Gould St, STE R, Sheridan, WY 82801, USA
Email: [email protected]
GDPR Contact: [email protected]
As the Data Controller, we determine the purposes and means of processing your personal data. We comply with the General Data Protection Regulation (GDPR) for all EU users, applying the highest privacy standards globally. For B2B clients, see our B2B Terms for Controller/Processor arrangements.
2. Data We Collect
2.1 Account Information
When you create an account, we collect:
- Identity data: Name, email address
- Contact data: Phone number (optional)
- Payment data: Processed securely by Stripe/RevenueCat (we don't store card details)
- Technical data: Device identifiers, IP address (for security purposes only)
IP Address Handling: Session IPs are deleted after 24 hours. Security logs containing IPs are retained for 12 months maximum. Legal basis: Legitimate interest (fraud prevention). You can object by contacting [email protected].
2.2 Data You Provide for Monitoring
For our breach monitoring service, you may provide:
- Email addresses to monitor
- Phone numbers to monitor (optional)
- Names for identity matching
2.3 DNS Protection Data
For our DNS Protection service:
- We DO store: Alert events only (blocked scam domains, high-risk domains, malicious trackers)
- We DO NOT store: Browsing history, websites visited, traffic content, any identifiable online activity
Your privacy is paramount. Traffic through our secure tunnel is never logged, stored, or identified as belonging to you.
2.4 Data from Third-Party Sources
To provide breach monitoring, we access:
- Publicly available data breach databases
- Public security intelligence (OSINT)
We NEVER purchase data from dark web marketplaces or illegal sources. All data is obtained through legal, ethical means.
3. How We Use Your Data
3.1 Service Delivery
- Creating and managing your account
- Monitoring for data breaches affecting your information
- Sending security alerts when your data is found in breaches
- Providing DNS protection services
- Processing payments and managing subscriptions
3.2 Service Improvement
- Analyzing usage patterns to improve our services (anonymized data only)
- Developing new security features
- Fixing bugs and technical issues
3.3 Communication
- Critical security alerts (always enabled)
- Service updates and important notices
- Marketing communications (only with your consent)
3.4 Security & Compliance
- Preventing fraud and abuse
- Protecting our systems and users
- Complying with legal obligations
4. Legal Basis for Processing
We process your data based on the following legal grounds:
4.1 Contract Performance (GDPR Art. 6(1)(b))
Processing necessary to provide our services:
- Account creation and management
- Breach monitoring and alerts
- DNS protection services
- Payment processing
4.2 Consent (GDPR Art. 6(1)(a))
Processing based on your explicit consent:
- Marketing communications
- Non-essential cookies
- Breach monitoring for specific data you provide
4.3 Legitimate Interest (GDPR Art. 6(1)(f))
Processing for our legitimate business interests:
- System security and fraud prevention
- Service improvement (with anonymized data)
- Defending legal claims
Legitimate Interest Assessment
For each legitimate interest, we conduct a balancing test:
- Security & Fraud Prevention: Low privacy impact (minimal data), high security benefit. You can object (Art. 21) - contact [email protected]
- Service Improvement: Data is anonymized before analysis, removing identifiability. You can opt out in account settings.
- Legal Defense: Only retained when necessary for specific claims, deleted after resolution.
4.4 Legal Obligation (GDPR Art. 6(1)(c))
Processing required by law:
- Tax and accounting records
- Responding to lawful requests from authorities
5. Data Sharing
5.1 Service Providers
We share data with trusted providers who help us deliver our services:
- Supabase: Database hosting for B2C (EU - AWS Frankfurt)
- Neon: Database hosting for B2B (EU - AWS Frankfurt)
- Stripe: Payment processing (USA, with SCCs)
- RevenueCat: Mobile subscription management (USA, with SCCs)
- Firebase: Push notifications (USA, with SCCs)
- Resend: Email delivery
All providers are contractually bound to protect your data and process it only as instructed.
Sub-processor Change Notification
We notify users 30 days before adding new sub-processors. You can object to new sub-processors by contacting [email protected]. Subscribe to sub-processor updates by emailing us.
5.2 We NEVER Sell Your Data
42SAFE does not sell, rent, or share your personal data for advertising or marketing purposes with third parties. Never.
5.3 Legal Requirements
We may disclose data when required by law, court order, or government authority, within the strict limits of what is legally required.
5.4 Business Transfers
In case of merger, acquisition, or sale, your data may be transferred. You will be notified of any such change.
6. International Data Transfers
6.1 Primary Storage: European Union
Your data is primarily stored in the European Union (AWS Frankfurt), ensuring the highest level of GDPR protection.
6.2 Transfers to Third Countries
Some service providers may transfer data outside the EU. These transfers are protected by:
- Standard Contractual Clauses (SCCs): EU-approved data protection agreements
- Additional safeguards: Encryption, access controls, and data minimization
6.3 Transfer Impact Assessment (Schrems II)
Following the Schrems II ruling, we have conducted Transfer Impact Assessments (TIAs) for all non-EU data transfers. Our supplementary measures include:
- All US transfers use Standard Contractual Clauses (2021 version)
- Data encrypted with AES-256 (keys held by 42SAFE only)
- Sub-processors contractually prohibited from onward transfers
- TIAs conducted for: Stripe, Firebase, RevenueCat
7. Data Retention
7.1 General Retention: Maximum 30 days
We retain your personal data for a maximum of 30 days. After this period, data is automatically deleted.
7.2 Specific Retention Periods
- Active account data: Duration of subscription + 30 days
- Breach monitoring results: 30 days
- Security logs: 12 months maximum
- Billing records: As required by law (typically 7-10 years)
- Marketing consent records: Until consent is withdrawn + 3 years
7.3 Data Minimization
- We only collect data necessary for our services
- We NEVER enrich our database with data found in breaches
- If you don't provide a phone number, we will NEVER contact you by phone - even if we find your number in a breach
8. Your Rights
8.1 GDPR Rights (for all users)
You have the right to:
- Access (Art. 15): Request a copy of your personal data
- Rectification (Art. 16): Correct inaccurate data
- Erasure (Art. 17): Request deletion of your data
- Restriction (Art. 18): Limit processing of your data
- Portability (Art. 20): Receive your data in a portable format
- Objection (Art. 21): Object to certain processing activities
- Withdraw consent: Withdraw consent at any time without affecting prior processing
8.2 How to Exercise Your Rights
Step 1: Email [email protected] with:
- Request type (access, deletion, portability, etc.)
- Your account email address
- Brief description of your request
Step 2: We verify your identity (may request ID copy for security)
Step 3: Response timeline:
- Simple requests: 30 calendar days
- Complex requests: up to 90 days (with notification)
Format options: Data export available in JSON or CSV. Deletion confirmation sent by email.
8.3 Complete Data Deletion
You can request total deletion of ALL your data at any time by emailing [email protected]. We will confirm deletion within 30 calendar days.
8.4 Complaint to Supervisory Authority
Step 1: Contact us first at [email protected]. We respond within 30 calendar days.
Step 2: If unsatisfied with our response, you can lodge a complaint with a data protection authority:
- France (CNIL):
- Online: www.cnil.fr/plaintes
- Phone: +33 1 53 73 22 22
- Mail: 3 Place de Fontenoy, 75007 Paris, France
- Other EU countries: Your local data protection authority
9. Data Security
9.1 Technical Measures
- Encryption in transit: TLS 1.3 for all communications
- Encryption at rest: AES-256 for all stored data
- Access controls: Least privilege principle, 2FA required
- Infrastructure: EU-hosted servers for B2C users
- Monitoring: 24/7 security monitoring and intrusion detection
9.2 Organizational Measures
- Regular security training for all staff
- Security audits and penetration testing
- Incident response procedures
- Vendor security assessments
9.3 Breach Notification
In case of a data breach affecting your rights and freedoms, we will notify you and relevant authorities within 72 hours, as required by GDPR Article 33.
10. Regional Data Handling
10.1 EU Users (GDPR Compliant)
For users in the European Union, we display limited breach information to comply with GDPR data minimization principles:
- City and country only (no full address)
- Birth year only (not full date)
- Partially masked phone numbers
- No plaintext passwords
- No sensitive financial data
10.2 Non-EU Users
For users outside the EU, we provide enhanced breach information for better protection:
- Full address (if found in breach)
- Full phone number
- Password hints (intelligently masked)
- Complete breach details
This differentiation is automatic based on your detected location and helps us comply with local privacy laws while maximizing protection for all users.
11. Automated Decision-Making (Article 22)
11.1 Automated Processes
We use automated systems for:
- Threat detection alerts: Informational only, no restriction on your account
- Rate limiting: Technical protection, not personal decision-making
- Breach matching: Automated detection, human-reviewed before notification
11.2 Human Review Required
The following decisions always require human review:
- Account suspension or termination
- Access restrictions
- Legal actions or data requests
11.3 Your Rights
You can request human review of any automated decision by contacting [email protected]. We respond within 30 calendar days.
12. Cookies and Tracking
We use cookies and similar technologies as described in our Cookie Policy.
- Essential cookies: Required for service operation (no consent needed)
- Analytics cookies: Help us improve our services (consent required)
- Advertising cookies: We do NOT use advertising cookies
13. Children's Privacy (Article 8)
In accordance with GDPR Article 8:
- Minimum age: 16 years for consent
- Under 16: Parental or guardian consent required
- Family Plan: Parent/guardian must authorize adding minors
- Parental rights: Parents can request deletion of their child's data at any time
If you believe we have collected data from a child without appropriate consent, contact us immediately at [email protected].
14. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Significant changes will be notified via email or in-app notification at least 30 days before taking effect.
We encourage you to review this page periodically. The "Last updated" date at the top indicates when this policy was last revised.
15. Contact Us
For questions about this Privacy Policy or your personal data:
- GDPR/Privacy inquiries: [email protected]
- General support: [email protected]
- Mail: NEETOO Software LLC, 30 N Gould St, STE R, Sheridan, WY 82801, USA
We respond to all privacy inquiries within 30 calendar days.
16. Data Protection Authorities
Data protection authorities from any country may contact us directly at [email protected]. We commit to responding within 30 calendar days.
We maintain an AIPD (Data Protection Impact Assessment) documenting our data processing activities, available to authorities upon request.
Questions or Concerns?
For any questions about this document, please contact us: