Privacy Policy
GDPR Compliant Privacy Policy for Oppi OSINT Training Platform
Effective Date: August 28, 2025 | Version: 2.0
Our Privacy Commitment: We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws. We maintain complete anonymity for training participants.
1. Data Controller Information
Organization: CheckFirst
Platform: Oppi OSINT Training Platform
Contact: privacy@checkfirst.network
Data Protection Officer: dpo@checkfirst.network
Address: CheckFirst, PL 7, 00351 Helsinki Finland (EU)
2. Legal Basis for Processing (GDPR Article 6)
We process data based on:
- Legitimate Interest: Operating the training platform and ensuring security
- Contract Performance: Providing training services to registered trainers
- Legal Obligation: Security logging and fraud prevention
- Consent: When explicitly provided (e.g., newsletter subscription)
3. Data Collection Overview
3.1 Training Participants (Anonymous Users)
Application Level - We DO NOT collect:
- Names or personal identifiers
- Cookies or tracking data
- Behavioral analytics
- Session recordings
- Performance metrics
- User accounts or profiles
Server Level - Standard Web Server Logs:
- Access Logs: Like all web servers, our web server automatically creates access logs containing:
  - IP addresses
  - Request timestamps
  - Requested URLs
  - HTTP response codes
  - User agent strings (browser information)
  - Referrer information
- Purpose: Server security, troubleshooting, and abuse prevention
- Retention: 7 days, then automatically deleted
- Access: Limited to system administrators for security purposes only
- Not used for: Tracking individual users, marketing, or behavioral analysis
Important: While server logs contain IP addresses, we do not link this data to individuals or use it for tracking. Participants remain anonymous at the application level.
3.2 Registered Trainers
We collect:
- Email address: For authentication only (OTP-based login)
- Account creation date: For service provision
- Created content: Scenarios and training sessions you create
- Security logs: Login attempts, API access for security purposes
We DO NOT collect:
- Passwords (we use OTP authentication only)
- Payment information
- Marketing preferences
- Tracking cookies
3.3 Technical Data
Application-level operational data:
- Session codes: Random identifiers for training sessions (no personal data)
- Rate limiting: Temporary IP hashes for DDoS protection (auto-deleted after 10 minutes)
- Security logs: Failed login attempts, suspicious activities (retained for 90 days)
- PHP session data: Temporary authentication state (expires after 30 minutes of inactivity)
Server-level logs:
- Access logs: Standard HTTP request logs including IP, timestamp, URL, status code
- Error logs: Server errors and warnings for troubleshooting
- Retention: 7 days for access logs, 30 days for error logs
- Purpose: Security monitoring, troubleshooting, abuse prevention
- Legal basis: Legitimate interest in maintaining platform security and stability
4. Purpose of Processing
| Data Type | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Trainer Email | Authentication | Contract | Until account deletion |
| Created Scenarios | Service Provision | Contract | Until deletion by trainer |
| Security Logs (App) | Platform Security | Legitimate Interest | 90 days |
| Web Access Logs | Server Security & Troubleshooting | Legitimate Interest | 7 days |
| Web Error Logs | Technical Troubleshooting | Legitimate Interest | 30 days |
| Rate Limiting | DDoS Protection | Legitimate Interest | 10 minutes |
| OTP Codes | Authentication | Contract | 10 minutes |
5. Your Rights Under GDPR
For Training Participants
At the application level, we don't collect personal data from participants. However, standard web server logs do contain IP addresses. You can:
- Access training without creating an account or providing personal information
- Leave at any time by closing your browser
- Request deletion of server logs containing your IP address (email privacy@checkfirst.network with timestamp of access)
- Use a VPN or Tor browser for additional anonymity if desired
Note: Server logs are automatically deleted after 7 days, and we cannot identify which log entries belong to specific individuals without additional information from you.
For Registered Trainers
You have the following rights under GDPR:
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of your personal data | Email privacy@checkfirst.network |
| Rectification (Art. 16) | Correct inaccurate personal data | Update in dashboard or email us |
| Erasure (Art. 17) | Request deletion of your account and data | Email privacy@checkfirst.network |
| Restriction (Art. 18) | Limit processing of your data | Email privacy@checkfirst.network |
| Portability (Art. 20) | Receive your data in a portable format | Export feature in dashboard |
| Object (Art. 21) | Object to certain processing | Email privacy@checkfirst.network |
| Complaint (Art. 77) | Lodge a complaint with a supervisory authority | Contact your local DPA |
6. Data Security
We implement appropriate technical and organizational measures to ensure data security:
- Encryption: All data transmissions are encrypted using HTTPS
- Access Control: Strict authentication for trainer accounts
- No Passwords: OTP-only authentication eliminates password breach risks
- Minimal Data: We only collect essential data
- Regular Security Audits: Platform security is regularly reviewed
- Secure Infrastructure: Hosted on secure, EU-based servers
7. Third-Party Services
We use minimal third-party services:
- Brevo (Sendinblue): For sending OTP emails to trainers only. Brevo Privacy Policy
- CDN (jsdelivr): For loading visualization libraries (no personal data shared)
We do not use any analytics, advertising, or tracking services.
8. International Transfers
Your data is stored and processed within the European Union. We do not transfer personal data outside the EEA without appropriate safeguards in accordance with Chapter V of the GDPR.
9. Children's Privacy
Our service is designed for professional training and is not intended for children under 16. We do not knowingly collect personal data from children.
10. Cookies Policy
Session Cookies (Trainers only):
- Name: PHPSESSID
- Purpose: Maintain authentication state
- Type: Strictly necessary
- Duration: Session (30 minutes inactivity)
- Data: Session identifier only
No cookies are used for participants. No tracking, analytics, or marketing cookies are used anywhere on the platform.
11. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours (if required)
- Notify affected trainers without undue delay if the breach poses a high risk
- Document all breaches in accordance with Article 33(5) GDPR
12. Changes to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. Significant changes will be communicated via email to registered trainers. The "Effective Date" at the top will be updated.
13. Data Protection Impact Assessment
We have conducted a Data Protection Impact Assessment (DPIA) for our platform. Key findings:
- Minimal data collection reduces privacy risks
- Application-level participant anonymity (no accounts, profiles, or tracking)
- Server logs are industry-standard and kept for minimal time (7 days)
- OTP authentication provides better security than passwords
- No profiling or automated decision-making occurs
- No behavioral tracking or analytics
- Server logs are not used for individual user tracking or marketing
14. Transparency About Server Infrastructure
In the interest of complete transparency:
- Web Server: Our web server creates standard access and error logs
- What's logged: IP address, timestamp, requested URL, HTTP status, user agent, referrer
- Why it's necessary: Security monitoring, abuse prevention, technical troubleshooting
- What we DON'T do: We don't analyze these logs for user behavior, create user profiles, or use them for marketing
- Industry standard: All web servers create these logs - it's a fundamental part of web infrastructure
- Your options: Use VPN/Tor for additional anonymity, or host your own instance if complete control is required
Supervisory Authority: You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated. In Finland, this is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto).
Last updated: August 28, 2025 | Version: 2.0