Privacy Policy

Last updated: February 21, 2026

1. Introduction & Data Controller

We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how SEQ SIA (“we”, “us”, “our”) processes personal data in relation to the Breach cybersecurity platform (“Service”). It applies to all users, including visitors, customers, and trial users.

Controller: SEQ SIA, reg. No. 40203410806, Lastadijas 12 k-3, Riga, Latvia, LV-1050. Email: breach@offseq.com

If you are within the EU/EEA, SEQ SIA is the data controller of your personal data under the General Data Protection Regulation (GDPR).

2. Data We Collect

We process the following categories of personal data:

2.1. Account and Identity Data

  • Full name, business email, organization name
  • Hashed password (bcrypt; we never store plaintext passwords)
  • Billing information and payment history

2.2. Usage and Platform Data

  • Search queries submitted by authorized users
  • Search results presented to users
  • Alert configurations and audit logs

2.3. Technical and Device Data

  • IP address (for security and rate limiting)
  • Browser and device metadata
  • Session and authentication tokens

2.4. Cookies and Similar Technologies

We use essential cookies for authentication and session management. Optional analytics or performance cookies will be used only with your consent.

3. Breach Intelligence Data

SEQ SIA does not store, host, or maintain any leaked or breached databases on its own infrastructure.

All breach intelligence data (compromised credentials, exposed passwords, leak records) is retrieved in real-time from third-party intelligence providers via secure, encrypted API connections. The data is queried on-demand and presented to authorized users for the sole purpose of cybersecurity risk assessment and organizational protection.

Search results may be temporarily cached in our database to improve performance and reduce redundant API calls. Cached data is subject to automatic expiration (TTL) and does not constitute permanent storage of breach data.

4. Purposes of Processing & Legal Bases

We process personal data for the following purposes and legal bases:

Contract performance — Art. 6(1)(b) GDPR

Providing, maintaining, and improving the Service; processing payments and billing.

Legal obligation — Art. 6(1)(c) GDPR

Tax and financial record-keeping; compliance with legal obligations.

Legitimate interest — Art. 6(1)(f) GDPR

Security monitoring, fraud prevention, abuse detection, improving the Service, audit logging.

Consent — Art. 6(1)(a) GDPR

Marketing communications (only when explicitly opted in).

Legitimate interest details: Security monitoring and abuse prevention are critical to protect customer accounts and platform integrity. We balance this with data minimization and retention limits.

5. Third-Party Data Sharing

We share personal data only as necessary for the Service:

  • Payment processors (EveryPay): For billing and card tokenization
  • Intelligence providers: For real-time breach data retrieval (no account information is shared)
  • Hosting providers: For hosting in secure EU data centers
  • Legal authorities: When required by law

Personal data may be processed by subprocessors subject to contractual safeguards.

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

6. Cross-Border Transfers

If personal data is transferred outside the EU/EEA, we ensure appropriate safeguards such as:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission

7. Data Retention

We retain personal data only as long as needed for the purposes noted above:

  • Account and billing information: until account closure + 30 days
  • Audit logs: 24 months
  • Search cache: TTL expiry (typically 60 minutes)
  • Payment records: 7 years (Latvian tax law)
  • Unlocked records: Retained while your account is active

Once data is no longer needed, it is deleted or irreversibly anonymized.

8. Your Data Protection Rights

Under GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data (“right to be forgotten”)
  • Restrict or object to processing
  • Request data portability
  • Withdraw consent where given

To exercise your rights, contact breach@offseq.com. We respond within 1 month in most cases.

You may lodge a complaint with the Latvian DPA (Datu valsts inspekcija) at www.dvi.gov.lv.

9. Automated Decision-Making / Profiling

We do not use automated decision-making that produces legal or similarly significant effects on individuals outside normal Service functions.

10. Security

We implement appropriate technical and organizational measures, including:

  • TLS/SSL encryption in transit
  • Encrypted storage and hashed passwords (bcrypt)
  • Access controls and rate limiting
  • JWT-based session management with expiration
  • IP-based abuse prevention
  • Audit logging and monitoring
  • Incident response procedures

11. Cookies

Essential cookies enable core platform functionality (authentication and session management). These cookies are strictly necessary for the Service to function and cannot be disabled.

Optional cookies (e.g., analytics) will require a consent prompt.

We do not use advertising cookies or third-party tracking pixels.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the platform. The “Last updated” date at the top of this page indicates the most recent revision.

13. Contact

For privacy-related inquiries, contact us at breach@offseq.com or visit our contact page.
