Privacy Policy
Last updated: November 2025 · Applies to FDIW.org and all related platforms
FDIW.org (Fraud Detection & Intelligence Wing) is a high‑security cyber‑intelligence platform built for law‑enforcement,
governments, and approved enterprises. Because of the nature of what we do, privacy, security, and auditability are not features —
they are core infrastructure. This Privacy Policy explains, in clear terms, how we collect, use, protect, and govern information
across our websites, dashboards, APIs, tools, and services.
Important: This document is a product and process description of how FDIW.org handles data.
It is not legal advice. Your organisation should review this policy with its own legal and compliance teams before relying on it.
1. Who we are & scope of this policy
When we say “FDIW”, “we”, “us”, or “our”, we mean the operators of the FDIW.org platform.
This Privacy Policy applies to:
- The public website at FDIW.org and any sub‑domains we operate;
- Secure dashboards, portals, and workspaces provided to authorised users;
- APIs, webhooks, and machine‑to‑machine integrations we expose;
- Reports, alerts, and intelligence outputs we deliver digitally.
This policy does not apply to how our customers (such as law‑enforcement agencies or enterprises) handle data inside
their own systems. In most cases, they act as independent data controllers for their own use of FDIW and associated case data.
2. Key definitions
- Personal data — Any information that can identify a living individual directly or indirectly.
- Processing — Any operation performed on data (collection, storage, use, sharing, deletion, etc.).
- Controller — The entity that decides why and how personal data is processed.
- Processor — An entity that processes personal data on behalf of a controller.
- Intelligence data — Risk signals, entities, patterns, and derived data generated by FDIW.
Depending on the engagement, FDIW may act as:
- A data controller for account, billing, security, and platform telemetry data; and
- A data processor (or service provider) for investigation data supplied by customers.
3. What information we collect
3.1 Information you and your organisation provide
- Account and profile data — Name, official email, role, organisation, country, and team/department.
- Contract & billing data — Designated contacts, invoicing addresses, tax details, purchase orders, and payment identifiers.
- Case / investigation data — Case IDs, pseudonymous identifiers, evidence hashes, OSINT references, and other details your organisation chooses to upload or connect to FDIW.
- Support interactions — Emails, tickets, screenshots, and diagnostic information you choose to share with us.
3.2 Information we collect automatically
- Device & access details — Browser type, OS, approximate location (based on IP), time zone, device fingerprint signals.
- Log and telemetry data — Login attempts, session IDs, API calls, error logs, security alerts, and performance metrics.
- Usage analytics — Feature usage patterns, response latency, anonymised click‑paths within our dashboards
(we do not use ad‑tech trackers or third‑party behavioural profiling pixels).
3.3 Intelligence & threat-signal data
FDIW builds fraud‑risk and cyber‑intelligence models from a combination of:
- Open‑source intelligence (OSINT) and public web signals;
- Customer‑contributed intelligence under appropriate legal frameworks;
- Licensed data sources, where permitted;
- Derived risk scores created by FDIW’s algorithms.
Where such data relates to individuals, we treat it as personal data and protect it accordingly.
4. Legal bases for processing
Where GDPR / UK‑GDPR or similar laws apply, we rely on the following legal bases:
- Performance of a contract — To create accounts, provide access to FDIW, and deliver contracted services.
- Legitimate interests — To secure our platform, prevent abuse, improve performance, and protect our users and the public
(we balance these interests against your rights).
- Compliance with legal obligations — To meet statutory requirements, respond to lawful requests, and maintain audit records.
- Consent — For specific optional activities (e.g., certain communications or beta programs) where we ask you clearly and explicitly.
5. How we use your information
We use the information we collect to:
- Authenticate users and secure access to dashboards, APIs, and tools;
- Generate, present, and deliver intelligence reports, alerts, visualisations, and risk scores;
- Monitor, detect, and prevent abuse, intrusion, or misuse of our systems;
- Improve our models, interfaces, security posture, and reliability;
- Respond to support requests, incidents, and operational queries;
- Comply with legal, regulatory, and law‑enforcement obligations.
6. Cookies and similar technologies
FDIW uses a minimal, security‑first cookie strategy. We do not run advertising cookies or third‑party behavioural tracking.
Cookies we may use include:
- Strictly necessary cookies — For login sessions, CSRF protection, load balancing, and secure navigation.
- Functional cookies — To remember certain UI preferences or configuration choices.
- Analytics cookies — Limited, internal analytics to understand performance and reliability.
You can typically disable cookies via your browser settings, but core security and sign‑in features may not function correctly without them.
7. Data retention
We retain data only for as long as necessary for the purposes set out in this policy, including legal, security,
and operational requirements. Indicative retention:
- Account records — While your organisation has an active relationship with FDIW, plus a reasonable period thereafter for audit, dispute resolution, and legal requirements.
- Security logs — Retained for a defined window to support incident investigation and compliance with security standards.
- Case / investigation data — As directed by the customer/controller and in line with the applicable legal framework or contract.
- Backups — Time‑limited and rotated; data may persist for a short period within encrypted backup archives before being fully overwritten.
8. How we share information
FDIW does not sell personal data. We may share information only in these controlled situations:
- Within FDIW — With team members who need access to operate, secure, or improve the platform under strict confidentiality and role‑based controls.
- With service providers — For secure hosting, email delivery, monitoring, or similar functions; each provider is contractually bound to protect data and use it only on our instructions.
- With your organisation — For example, providing audit logs, admin views, or cross‑team collaboration within the same customer account.
- Legal, regulatory, or law‑enforcement disclosures — Where we are required or permitted to do so by law, court order, or applicable authority.
- Business transfers — In the context of a merger, acquisition, or similar event, subject to appropriate safeguards and continued protections.
9. International transfers
FDIW may process data using infrastructure or service providers located in multiple jurisdictions.
Where data is transferred across borders, we implement appropriate safeguards in line with applicable law,
such as standard contractual clauses, data‑processing agreements, and security controls.
10. Security measures
We design FDIW as a security‑first environment. Measures include, among others:
- Encryption in transit (TLS 1.2+ / TLS 1.3) and at rest;
- Network segmentation, firewalls, and hardened infrastructure;
- Multi‑factor authentication (MFA) and role‑based access control (RBAC) for privileged users;
- Logging, monitoring, and anomaly‑detection systems across core services;
- Principle of least privilege for both human and machine access paths;
- Secure development practices, including code review and change management.
No system can ever be 100% secure, but our goal is to operate at a standard that is appropriate for high‑sensitivity,
law‑enforcement‑grade use cases.
11. Your rights
Depending on your jurisdiction, you may have some or all of the following rights with respect to your personal data:
- Right to access — To request a copy of the data we hold about you;
- Right to rectification — To correct inaccurate or incomplete data;
- Right to erasure — To request deletion of certain data, where legally permissible;
- Right to restriction — To limit how we process your data in specific circumstances;
- Right to portability — To receive your data in a structured, commonly used format, where applicable;
- Right to object — To object to certain processing based on legitimate interests.
In practice, some rights may be limited or delayed when data forms part of active or historical law‑enforcement investigations,
or where disclosure could seriously impact the rights and freedoms of others.
12. Children’s data
FDIW is not designed for direct use by children or general consumers. Our services are targeted at institutions and professional users.
We do not knowingly collect personal data directly from children.
13. Third‑party links and services
FDIW.org may contain links to external websites or services that we do not control.
This Privacy Policy does not apply to those sites. We recommend reviewing their privacy notices separately.
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in law, technology, or our services.
When we make material updates, we will update the “Last updated” date at the top and, where appropriate,
provide additional notice (for example via the dashboard or email to administrators).
15. Contacting us
If you have questions about this Privacy Policy, or wish to exercise your rights, you can contact:
- Email: support@fdiw.org
- or via the secure contact channel made available to your organisation’s designated administrators.
For security reasons, we may need to verify your identity and affiliation before responding to certain requests.