01 Who we are
“Mephit,” “we,” or “us” refers to the operators of the Mephit OSINT assistant. We are the data controller for the personal data described below. Contact us at [email protected].
02 What we collect
Account data. Email, hashed password (or OAuth identifier), display name, account creation date.
Usage data. Conversations and prompts you send, tool-call audit logs (which tools were called, how many credits they consumed, success/failure), session timestamps, IP address (for security and rate limiting), browser user-agent.
Billing data. Subscription tier, billing-period start and end, NOWPayments subscription/invoice IDs, payment status, on-chain payment metadata (transaction hash, currency, amount). We never see or store your wallet credentials, card numbers, or seed phrases. Crypto payment processing is handled entirely by NOWPayments.
Cookies. A single first-party session cookie used to keep you logged in. We do not use third-party advertising or tracking cookies.
03 Why we collect it
- To provide the Service and your conversations.
- To authenticate you and keep your account secure.
- To meter usage and bill the correct tier.
- To diagnose abuse, fraud, and security incidents.
- To comply with legal obligations.
The legal bases under GDPR are contract performance (running the Service you subscribed to), legitimate interest (security, abuse prevention), and legal obligation (tax, law-enforcement requests).
04 What we send to AI providers
To answer your prompts, Mephit sends your messages and tool results to a third-party LLM inference provider. They process the data under their own privacy policy and a Data Processing Agreement that prohibits them from using API content to train their models. Conversation transcripts are stored in our database so you can re-open them. The specific provider name is available on request for enterprise / compliance reviews.
You can delete a conversation at any time from the chat sidebar; deletion removes it from our active database within 24 hours and from backups within 30 days.
05 Data we query on your behalf
When you run a recon or threat-intel command, Mephit queries a curated set of third-party OSINT and security data providers on your behalf — covering categories such as passive DNS, certificate transparency, IP and URL reputation, malware sandbox results, breach indices, and vulnerability advisories.
Those queries contain only the indicator you submitted (a domain, IP, hash, email, CVE ID, etc.). We do not share your account email, identity, billing data, or chat history with any of these providers. Each provider operates under its own privacy and acceptable-use terms, which apply to the data they return.
The specific list of OSINT providers, including any changes to it, is available on request for enterprise customers, security audits, or compliance reviews. Contact us at the address in section 1.
06 Processors we use
Mephit runs on self-hosted infrastructure that we operate ourselves. Application servers, databases, and storage all live on hardware we control — we do not delegate hosting, database management, or backups to a public cloud provider.
The only external processors are:
- LLM inference provider — large-language-model inference (vendor name disclosed on request for enterprise or compliance reviews).
- OSINT and security data providers — receive only the indicator you submit, never your account or chat data (see section 5).
- Crypto payment processor — handles invoice generation and on-chain settlement for paid tiers; receives billing email and amount only, never chat content.
Each external processor is bound by a data-processing agreement and processes data only on our documented instructions. We publish the current processor list and material changes on this page.
07 Retention
- Account data: until you delete your account.
- Conversations: until you delete them, or 24 months of inactivity.
- Tool-usage audit logs: 90 days (security & billing reconciliation).
- Billing records: 7 years (legal/tax obligation).
- Webhook event logs: 30 days.
08 Your rights
If you are in the EEA, UK, Switzerland, California, or other jurisdictions with similar laws, you may have the right to:
- Access the data we hold about you.
- Correct inaccurate data.
- Delete your data (right to be forgotten).
- Export your data in a portable format.
- Object to processing or restrict it.
- Withdraw consent where consent is the legal basis.
- Lodge a complaint with your data-protection authority.
To exercise any of these rights, email [email protected]. We respond within 30 days.
09 Security
Passwords are hashed with a bcrypt-class algorithm. Data is encrypted in transit (TLS 1.3) and at rest where the underlying storage supports it. Webhooks are HMAC-signed. We follow least-privilege access for production systems and rotate secrets after an incident.
No system is 100% secure. Report vulnerabilities to [email protected].
10 Children
Mephit is not directed to anyone under 18. We do not knowingly collect data from minors. If you believe a minor has registered, contact us and we will remove the account.
11 International transfers
Our processors operate in the United States and the European Union. Where required, we rely on the EU Standard Contractual Clauses for cross-border transfers.
12 Changes
We’ll update this policy if our practices change. Material updates will be communicated by email or in-app notice at least 14 days before they take effect.
Questions about this document? Email [email protected].