OSB/LEGAL/PP/001/2026

Privacy Policy

Effective: April 2026  ·  Version 1.0  ·  OSB
1. Who We Are

OSB (trading as OSB) is a behavioural intelligence consultancy specialising in romance fraud detection and prevention. We operate the RSEI Model™ v2.0 — a behavioural scoring framework for dating and social platforms.

For all data protection enquiries: john@onlinesecuritybureau.com
2. What Data We Collect

Data you provide directly:

  • Contact form submissions: name, email address, message content
  • RSEI scoring tool submissions: case details, platform information, scoring responses
  • Newsletter sign-ups: email address
  • AI intake transcripts: conversation content submitted through our platform
  • Certification application forms: name, organisation, role, contact details

Data collected automatically:

  • Session data necessary for platform functionality
  • Basic server logs (IP address, browser type, pages visited)

Data we do NOT collect:

  • Payment card details (handled by our payment processor)
  • Biometric data
  • We do not sell your data to any third party under any circumstances
3. How We Use Your Data

Contact form data:

  • To respond to your enquiry and assess whether OSB can assist you
  • Legal basis: Legitimate interest (GDPR Article 6(1)(f))

RSEI scoring submissions:

  • To generate a behavioural risk score and improve the RSEI Model™ framework
  • To publish anonymised aggregate intelligence
  • Legal basis: Consent (GDPR Article 6(1)(a)) and Legitimate interest

Newsletter:

  • To send intelligence field notes and OSB publications
  • Legal basis: Consent (GDPR Article 6(1)(a)) — withdraw at any time by unsubscribing

Certification enquiries:

  • To process and respond to platform certification applications
  • Legal basis: Pre-contractual steps (GDPR Article 6(1)(b))
4. How Long We Keep Your Data
  • Contact form submissions: 2 years from date of submission
  • RSEI scoring submissions: 5 years (intelligence record purposes)
  • Newsletter subscriber data: Until you unsubscribe + 30 days
  • Certification enquiries: 5 years from date of application
  • Server logs: 90 days

After the retention period, data is securely deleted or anonymised.

5. Who We Share Your Data With

We do not sell, rent, or trade your personal data. We may share data with:

  • Supabase — database infrastructure (data processor under contract)
  • Railway — hosting infrastructure (data processor under contract)
  • Brevo — newsletter delivery (data processor under contract)
  • Flutterwave — payment processing (for payment transactions only)

All processors are contractually bound to protect your data. We may disclose data where required by law or court order.

6. International Data Transfers

Our infrastructure providers may process data outside your country of residence. Where data is transferred internationally, we ensure appropriate safeguards are in place including Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent mechanisms.

7. Your Rights

Under GDPR (EU/UK users):

  • Right to access, rectification, erasure, restriction, portability, and objection
  • Right to withdraw consent at any time
  • Right to lodge a complaint with your supervisory authority

Under CCPA (California users):

  • Right to know, delete, and opt-out of sale (we do not sell data)
  • Right to non-discrimination for exercising your rights

Under Australian Privacy Act:

  • Right to access and correct your personal information
  • Right to complain to the OAIC
To exercise any of these rights: john@onlinesecuritybureau.com — We respond within 30 days.
8. Data Security

We implement appropriate technical and organisational measures including encrypted data storage, HTTPS on all communications, access controls and authentication, and regular security reviews.

In the event of a data breach, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay.

9. Supervisory Authorities
  • EU users: Your national Data Protection Authority
  • UK users: Information Commissioner's Office (ICO) — ico.org.uk
  • Australian users: Office of the Australian Information Commissioner (OAIC)
  • California users: California Privacy Protection Agency (CPPA)

We would appreciate the opportunity to resolve any concern directly first. Contact us at john@onlinesecuritybureau.com

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date. Your continued use of our platform after changes constitutes acceptance of the updated policy.

Last updated: April 2026  ·  Version 1.0