Legal · Privacy

Privacy Policy

Effective Date: January 1, 2025  ·  Last Updated: April 26, 2026

Plain-English Summary

This summary highlights the most important points. It does not replace the full Privacy Policy below. Where this summary appears to conflict with the detailed sections, the detailed sections govern.

  • Who we are. Stryvint ("we," "us," or "our") is an open-source intelligence (OSINT) analysis firm operating www.stryvint.com (the "Website"). For some engagements, we operate as an Investigative Consumer Reporting Agency under the federal Fair Credit Reporting Act and the California Investigative Consumer Reporting Agencies Act.
  • We collect very little from website visitors. If you email us, fill out a contact form, or request a briefing, we receive what you send us. Beyond that, the Website collects only minimal technical information necessary to operate and secure it.
  • Substantive personal information is only collected under contract. When we are engaged, we collect personal information about the protected individual ("Principal") and, where relevant, their adult household members, minor children (with verifiable parental consent), and identified threat actors.
  • All collection is from lawful, observable sources. We work from publicly available information, licensed data sources, client-provided information, and direct on-site observation where engagements involve it. We do not engage in pretexting, hacking, or unauthorized access.
  • We do not sell personal information. We have never sold personal information, and we do not "share" it for cross-context behavioral advertising. We do not rent, trade, or otherwise transfer personal information for third-party marketing.
  • Retention. Investigative reports and the underlying raw data are deleted within 30 days after delivery. Authorizations, contracts, invoices, dispute records, and similar work papers are retained as required by law and to support consumer rights under FCRA and ICRAA.
  • Your rights. Depending on where you live and the nature of the engagement, you may have rights under GDPR, CCPA/CPRA, FCRA, California ICRAA, and other laws. See Sections 15 through 19.
  • How to reach us. Email contact@stryvint.com or write to us at 124 W Capitol Ave, Suite 1883, Little Rock, AR 72201.

1. Scope of This Policy

This Privacy Policy explains how Stryvint collects, uses, discloses, and protects personal information in connection with:

  1. The Website, your visit to www.stryvint.com and any inquiries you submit through it; and
  2. Engagements, the personal information we process when we are contracted to deliver intelligence, security, risk-assessment, or investigative consumer reporting services to a client.

For some engagements, we act as an "Investigative Consumer Reporting Agency" or "ICRA" under the federal Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1681 et seq., and the California Investigative Consumer Reporting Agencies Act ("ICRAA"), Cal. Civ. Code § 1786 et seq. When we do, additional rights apply to the subjects of those reports as described in Section 17.

This Policy applies where Stryvint acts as a "controller," "business," or "investigative consumer reporting agency" under applicable law. Where we act as a "processor," "service provider," or "contractor" on behalf of a client, our processing of personal information is governed primarily by the engagement contract and any applicable data-processing terms; this Policy applies only to the extent consistent with those terms.

Because of the nature of our work, additional confidentiality and information-handling commitments are set forth in engagement letters, statements of work, non-disclosure agreements, data-processing agreements, and the consent and authorization documents executed by subjects of investigative consumer reports. Those documents govern the specific engagement.

2. Definitions

  • "Personal Information" (also "Personal Data") means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, as defined under the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable U.S. state privacy laws.
  • "Sensitive Personal Information" ("SPI") has the meaning given to it under the CCPA/CPRA. Under GDPR, equivalent categories are referred to as "special categories" of personal data.
  • "Investigative Consumer Report" ("ICR") has the meaning given to it under FCRA § 1681a(e) and Cal. Civ. Code § 1786.2(c). It is a type of consumer report in which information on a consumer's character, general reputation, personal characteristics, or mode of living is obtained through personal interviews or other investigative methods.
  • "Investigative Consumer Reporting Agency" ("ICRA") has the meaning given to it under FCRA and ICRAA, and refers to a firm that compiles and issues investigative consumer reports.
  • "Consumer" means an individual who is the subject of an investigative consumer report.
  • "Principal" means the individual on whose behalf an engagement is conducted (typically an at-risk executive or employee whose digital exposure or physical security is being assessed). The Principal is also the "Consumer" for purposes of any ICR issued in the engagement.
  • "Associated Party" means a person whose information is processed because of their relationship to the Principal, including adult household members, significant others, and minor children, where the engagement scope reasonably requires it.
  • "Threat Actor" means an individual or entity identified through analysis as posing or potentially posing a credible risk to a Principal, residence, or business.
  • "Process" or "Processing" means any operation performed on personal information.
  • "Sale" and "Share" have the meanings given to them under the CCPA/CPRA.
  • "OSINT" means open-source intelligence, the analysis of lawfully accessible information from publicly available sources and licensed data products.
  • "Employer" means a corporate or organizational client that engages us to assess threats to one or more of its employees, executives, board members, or other personnel.
  • "You" refers to the individual interacting with us.

3. Personal Information We Collect for Engagements

We process personal information solely to deliver intelligence, security, risk-assessment, and investigative consumer reporting services to clients under contract. The specific personal information collected varies by engagement, and the scope is set in the engagement contract and the consent and authorization documents executed by the Principal and Associated Parties.

Categories that may be involved include:

  • Client representative information, including names, business contact details, and the authority of individuals at the engaging organization.
  • Principal information, including identifying and biographical information needed to scope and conduct the work.
  • Associated Party information, including information about adult household members, significant others, minor children (with verifiable parental consent), staff, and business associates of the Principal, where the engagement scope reasonably requires it.
  • Digital signaling data, including mobile advertising identifiers ("MAIDs"), IP addresses, routing data, web beacons, and metadata.
  • Online activity and social media data, including publicly accessible posts, profiles, comments, and metadata, and dark-web activity surfaced through licensed sources.
  • Public records and licensed data, including court filings, news, corporate ownership databases, sanctions and KYC/AML records, and data from licensed commercial OSINT and breach-aggregator products.
  • Geolocation data, including approximate and, where authorized, precise geolocation indicators derived from device signaling and commercial telemetry.
  • Threat-actor information, including identifiers and content relating to individuals or entities credibly assessed to pose a risk.
  • Information collected through direct observation, including photographs, video, sketches, and notes collected during authorized on-site work.
  • Engagement work product, including analytical findings, assessments, investigative consumer reports, and recommendations.

We collect engagement-related personal information only to the extent necessary to perform the engagement and only with appropriate authorization from the client and, where required, the Principal and Associated Parties. We do not collect engagement-related personal information from members of the general public.

3.1 Methods We Do Not Use

Regardless of the engagement, we do not engage in:

  • Unauthorized access, credential stuffing, hacking, or social engineering of accounts;
  • Bypassing privacy settings or impersonating users to access non-public content or closed groups;
  • Pretexting or any technique that would exceed authorized access under the Computer Fraud and Abuse Act or similar laws;
  • Surveillance, photography, or observation in locations where doing so would be unlawful or unauthorized;
  • Acquisition of data from sources we have reason to believe acquired it unlawfully.

3.2 Roles and Regulatory Status

For some engagements, our work product constitutes an Investigative Consumer Report and we operate as an Investigative Consumer Reporting Agency under FCRA and ICRAA. In those engagements:

  • The Principal (and, where applicable, adult household members) is the "Consumer" who must receive a standalone disclosure and provide written authorization before we issue the ICR;
  • The permissible purpose is "employment purposes" under FCRA § 1681b(a)(3)(B), specifically to allow the Employer to assess and mitigate threats to the physical safety of an at-risk employee, executive, or board member, and to support the Employer's compliance with its general duty under 29 U.S.C. § 654(a)(1) (OSHA General Duty Clause); or, where applicable, "written instructions of the consumer" under FCRA § 1681b(a)(2);
  • The Consumer has rights under FCRA and ICRAA as described in Section 17, including rights to file disclosure, dispute, and reinvestigation.

For engagements that do not involve issuance of an Investigative Consumer Report, FCRA and ICRAA do not apply, but the other privacy frameworks described in this Policy (GDPR, CCPA/CPRA, other U.S. state laws) may.

We do not provide services that produce consumer reports for credit, insurance underwriting, tenant screening, government benefit decisions, child custody investigations, or general background screening unrelated to security and threat assessment.

3.3 CCPA Categories Summary

For California residents, the categories of personal information we may collect map to CCPA Cal. Civ. Code § 1798.140 as follows:

CategoryExamplesCollected?
A. IdentifiersName, email, postal address, phone, IP address, online identifiers, MAIDsYes
B. Customer recordsBusiness contact and billing details for clientsYes (clients)
C. Protected classification characteristicsGenerally not affirmatively collected; may incidentally appear in OSINT source materialLimited
D. Commercial informationRecords of services purchasedYes (clients)
E. Biometric informationNot collectedNo
F. Internet/network activityWebsite usage data; Principal's online presence as part of OSINTYes
G. GeolocationApproximate and, where authorized, precise geolocation derived from device signaling and commercial telemetryYes
H. Sensory dataPhotographs/video collected with authorization during on-site engagement workLimited
I. Professional or employment informationProvided in inquiries; Principal's professional history as relevantYes
J. Education information (FERPA)Generally not collectedNo
K. InferencesRisk assessments and analytical conclusions about Principals and Threat ActorsYes
L. Sensitive Personal InformationGeolocation behavioral patterns, account credentials referenced in breach data, KYC/AML and sanctions data, and other categories surfaced through OSINT, processed under the purpose limitations in Section 6Yes (purpose-limited)

4. Sources of Personal Information

We collect personal information from:

  • Directly from you, when you contact us via the Website or email, or when you sign a notice and authorization for an engagement.
  • From clients, at the outset of an engagement, to scope the work.
  • From the Principal and Associated Parties directly, where the engagement requires it.
  • From publicly available sources, including search engines, social media, public records, court filings, news archives, and similar.
  • From licensed data products, including commercial OSINT tools, telemetry vendors, breach-aggregator databases, and KYC/AML/sanctions databases that license data lawfully.
  • Through direct observation, during authorized on-site work where the engagement involves it.

We do not purchase data from sources that we have reason to believe acquired it unlawfully, and we do not collect through deception or unauthorized access.

5. How We Use Personal Information

We process personal information only for the following purposes:

  • To respond to inquiries and provide information about our services.
  • To scope, deliver, and document engagements as described in Section 3, including the issuance of Investigative Consumer Reports where applicable.
  • To communicate with clients, Principals, and Associated Parties about active engagements and related matters.
  • To support FCRA and ICRAA compliance, including reinvestigation and dispute resolution.
  • To operate, secure, and improve the Website.
  • To detect, prevent, and respond to fraud, abuse, security incidents, and unauthorized activity affecting our systems or our clients.
  • To comply with legal obligations, respond to lawful requests, and exercise or defend legal claims.

We do not use personal information for behavioral advertising, marketing profiling, or any purpose unrelated to our engagements or the operation of the Website.

6. Sensitive Personal Information

Engagements regularly involve Sensitive Personal Information under California law and "special category" data under GDPR. This may include geolocation behavioral patterns, account credentials referenced in publicly disclosed breach data, KYC/AML and sanctions records, and other categories surfaced through OSINT.

Purpose limitation. We process SPI only for the purpose of identifying and mitigating threats to the physical safety of the Principal and the security and integrity of person, assets, and residence. This is a purpose permitted under 11 CCR § 7027(m)(4) and Cal. Civ. Code § 1798.140(ac), is reasonably necessary and proportionate, and is not used for inferring characteristics about the Consumer for marketing or any unrelated purpose.

Right to Limit. Because SPI processing is limited to the security and threat-mitigation purposes identified above, and not used to infer characteristics about consumers, the "Right to Limit" mechanism described in Cal. Civ. Code § 1798.121(a) is not required. You retain the right to request information about our SPI processing using the contact methods in Section 19.

We obtain explicit consent from Principals and adult Associated Parties for SPI processing as part of the engagement authorization documents.

For individuals in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)), to deliver services to a client, or to take steps at the client's request prior to entering into a contract.
  • Legitimate interests (Art. 6(1)(f)), including (i) responding to inquiries, (ii) operating and securing the Website, (iii) performing OSINT-based security and risk-assessment services to protect Principals, families, residences, and businesses from credible threats, (iv) supporting Employers in fulfilling their general duty to provide a workplace free from recognized hazards under 29 U.S.C. § 654(a)(1), and (v) processing information about Threat Actors for the purpose of identifying, assessing, and mitigating risks to Principals. These interests are weighed against the rights and freedoms of data subjects, and we limit processing accordingly.
  • Vital interests (Art. 6(1)(d)), where processing is necessary to protect the physical safety of a Principal or another individual.
  • Compliance with legal obligations (Art. 6(1)(c)), to meet tax, accounting, regulatory, and other legal requirements, including FCRA and ICRAA recordkeeping.
  • Consent (Art. 6(1)(a)), as obtained through engagement authorization documents and where else required.

For special-category data under Article 9, we rely on an applicable Article 9(2) condition, which may include explicit consent (Art. 9(2)(a)), establishment, exercise, or defense of legal claims (Art. 9(2)(f)), reasons of substantial public interest where applicable national law provides a basis (Art. 9(2)(g)), or, for information already manifestly made public by the data subject, Article 9(2)(e).

7.1 Notice to Data Subjects Whose Information We Receive Indirectly (GDPR Article 14)

GDPR Article 14 generally requires notice to data subjects when their personal data is collected from sources other than the data subject. We rely on the following exceptions where applicable:

  • Disproportionate effort (Art. 14(5)(b)), where individual notice would involve disproportionate effort relative to the limited scope and short retention of our processing, particularly when processing is for archival, scientific, statistical, or, by analogy, security and risk-assessment purposes.
  • Confidentiality obligations (Art. 14(5)(d)), where personal data must remain confidential subject to a professional secrecy obligation imposed by client engagement and applicable law.
  • Legal claims and security, where processing is necessary for the establishment, exercise, or defense of legal claims, or for the protection of individuals from credible threats.

This Privacy Policy itself provides the general information required by Article 14 to the extent reasonable. Data subjects may contact us at contact@stryvint.com to exercise their rights as described in Section 15, subject to applicable exemptions.

8. Disclosure of Personal Information

We disclose personal information only as described below.

To Service Providers and Processors. We use a limited number of vendors to operate the Website and our business, including hosting, encrypted email, document storage, OSINT tooling, telemetry licensing, and accounting providers. Vendors are contractually bound to use personal information only on our instructions and to protect it appropriately.

To Clients (Including Employers). Engagement deliverables, including Investigative Consumer Reports, are provided to the contracting client. Where the client is an Employer, the deliverable may include information about the Principal, adult household members, significant others, and minor children, as authorized in the engagement consent and authorization documents. The client is responsible for its handling of the deliverable thereafter, including any retention, access, and consumer notice obligations imposed on it by FCRA, ICRAA, IRC § 132, OSHA, or other applicable law.

For Legal and Safety Reasons. We may disclose personal information when we believe in good faith that disclosure is necessary to (i) comply with a subpoena, court order, or other valid legal process; (ii) protect the rights, property, or physical safety of Stryvint, our clients, Principals, or other persons facing imminent harm; (iii) report credible threats of violence to law enforcement; (iv) enforce our agreements; or (v) cooperate with law enforcement in matters involving credible threats. We resist overbroad or improper requests.

Business Transfers. In connection with a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred to the relevant counterparty subject to confidentiality protections.

With Your Direction or Consent. We share personal information with other parties when you direct us to or otherwise consent.

9. We Do Not Sell or Share Personal Information

We do not sell personal information. We have never sold personal information for monetary or other valuable consideration, and we do not intend to do so.

We do not share personal information for cross-context behavioral advertising, as that term is defined under the CCPA/CPRA.

We do not rent, trade, or otherwise transfer personal information to third parties for those third parties' independent marketing or advertising purposes. Disclosures to clients in the ordinary course of an engagement, including the issuance of Investigative Consumer Reports to an Employer, are not "sales" or "shares" under California law because they are made under contract for the specific purposes described in this Policy and the engagement authorization.

Because we do not sell or share personal information, we are not required to display a "Do Not Sell or Share My Personal Information" link. You retain the right to make such a request, and we will confirm in writing that no sale or sharing is taking place. Contact us using the methods in Section 19.

We do not sell or share the personal information of consumers we actually know are under 16 years of age, and we would not do so even if we sold or shared other personal information.

10. Data Retention

We retain personal information only for as long as necessary for the purposes described in this Policy and to comply with applicable legal obligations. The retention period depends on the type of information.

Investigative reports and underlying raw data: 30 days. All raw data, metadata, and Investigative Consumer Reports are permanently purged from our systems no later than thirty (30) days after delivery of each report (or, for ongoing or recurring engagements, on a rolling 30-day window from collection, except where a specific item is preserved as part of an active workflow being delivered to the client). We do not maintain backup copies for more than thirty (30) days.

Authorizations, contracts, invoices, dispute records, and work papers: indefinitely. Notice and authorization documents executed by Principals and Associated Parties, engagement contracts, statements of work, invoices, dispute and reinvestigation records, and other work papers are retained indefinitely, or for the period required by applicable law (including the recordkeeping obligations imposed on Investigative Consumer Reporting Agencies under FCRA and ICRAA), whichever is longer. These records are minimized and access-controlled.

Employer custodianship. For engagements supporting an Employer's IRC § 132(d) and Treas. Reg. § 1.132-5(m) substantiation, the Employer (not Stryvint) is the sole custodian of the security records for the period required by IRS rules. We do not retain the deliverable itself for substantiation purposes; that obligation belongs to the Employer.

Inquiry information. Inquiry information submitted through the Website or by email is retained only as long as necessary to respond to your inquiry and, where you become a client, for the duration of the relationship plus the periods described above.

Website server logs and security telemetry are retained for 12 months unless a security investigation requires a longer period.

Effect of revocation. If a Principal or Associated Party revokes engagement consent, we pause future cycles of collection from the revoking individual and handle previously collected data in accordance with this Section, except as required by applicable law. Revocation does not extinguish rights under FCRA or ICRAA to inspect, dispute, or correct any Investigative Consumer Report previously prepared.

11. Cookies and Similar Tracking Technologies

The Website uses a minimal set of cookies and similar technologies necessary to operate the site and understand basic usage. Categories include:

  • Strictly necessary, required for the Website to function (e.g., security, load balancing). These cannot be disabled.
  • Analytics/performance, which help us understand how the Website is used in aggregate. Where required by law, these are used only with your consent.

We do not use cookies for advertising or for cross-context behavioral advertising.

Your choices.

  • Most browsers let you block or delete cookies through settings.
  • We honor Global Privacy Control (GPC) signals as a valid opt-out request from California residents (and residents of other states with similar laws).
  • We do not respond to "Do Not Track" signals because there is no industry-standard interpretation, but our practices already align with the privacy posture DNT was designed to support.

12. Data Security

We apply administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, alteration, disclosure, and destruction. Reflecting the sensitivity of our work, our practices include:

  • Encryption of personal data in transit (TLS 1.2 or higher) and at rest where feasible
  • Strict role-based access controls and the principle of least privilege
  • Compartmentation of engagement materials
  • Logging, monitoring, and intrusion detection
  • Regular vulnerability scanning and patch management
  • Vendor due diligence and contractual data-protection requirements
  • Personnel screening, training, and confidentiality obligations
  • Incident response procedures, including breach notification consistent with applicable law

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we work continuously to maintain and improve our safeguards. If we become aware of a breach affecting your personal information, we will notify you and the appropriate authorities as required by law. Additional security details applicable to specific engagements are addressed in the engagement contract.

13. International Data Transfers

We are based in the United States, and personal information may be processed in the United States or in other countries where we or our service providers operate. Data-protection laws in those countries may differ from those in your country.

When we transfer personal data from the EEA, UK, or Switzerland to a country that has not been deemed adequate by the relevant authorities, we use appropriate safeguards, such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, and supplementary technical and organizational measures where appropriate. You may request a copy of the relevant transfer mechanism by contacting us at contact@stryvint.com.

14. Automated Processing and Decision-Making

Our analytical work product is produced by human analysts. We do not engage in automated decision-making that produces legal or similarly significant effects concerning you within the meaning of GDPR Article 22, and we do not use automated decision-making technology to make "significant decisions" about consumers within the meaning of the California ADMT regulations (11 CCR §§ 7200–7222).

We use one automated tool as part of know-your-customer, anti-money-laundering, and sanctions analysis, which assigns risk scores to entities (such as companies, addresses, and other non-consumer subjects) appearing in OSINT source material. Outputs from this tool inform but do not replace human analytical judgment, and the tool is not used to score, evaluate, profile, or make decisions about Principals, Associated Parties, or other individuals.

If our use of automated processing changes, we will update this Policy accordingly.

15. Your Rights Under GDPR / UK GDPR

If you are in the EEA, UK, or Switzerland, you have the following rights, subject to applicable conditions and exceptions:

  • Right of access, meaning confirmation of whether we process your personal data and a copy of that data.
  • Right to rectification, meaning correction of inaccurate or incomplete personal data.
  • Right to erasure, meaning deletion of your personal data in certain circumstances. Note: where we hold investigative data only for 30 days following an engagement, erasure of that data may already be complete or imminent; authorization, contract, and dispute records are retained as described in Section 10 and are subject to legitimate-interest and legal-obligation exceptions.
  • Right to restrict processing, meaning a temporary halt of processing in certain circumstances.
  • Right to data portability, meaning the right to receive personal data you provided to us in a structured, commonly used, machine-readable format.
  • Right to object, meaning the right to object to processing based on legitimate interests, including a categorical right to object to direct marketing. Where you object to processing related to a security or threat-assessment engagement, we will assess whether compelling legitimate grounds (including the safety of the Principal) override your objection.
  • Right to withdraw consent, at any time where processing is based on consent.
  • Right not to be subject to solely automated decisions producing legal or similarly significant effects (see Section 14).
  • Right to lodge a complaint with your local supervisory authority. EU authorities are listed at edpb.europa.eu. UK residents may contact the ICO at ico.org.uk.

Where we process your personal information as a processor on behalf of a client, please direct rights requests to the client where reasonable; we will assist them in responding.

To exercise these rights, see Section 19.

EU/UK Representative. We do not currently maintain an Article 27 representative because our processing of EEA/UK personal data is occasional, does not involve large-scale processing of special-category data, and is unlikely to result in a risk to the rights and freedoms of natural persons within the meaning of Article 27(2)(a). If this changes, we will appoint a representative and update this Policy.

16. Your Rights Under California Law (CCPA/CPRA)

If you are a California resident, you have the following rights:

  • Right to know what categories and specific pieces of personal information we have collected about you, the sources, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
  • Right to delete personal information we collected from you, subject to legal and contractual exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing. We do not sell or share personal information, so there is nothing to opt out of. You may submit a request and we will confirm in writing.
  • Right to limit the use and disclosure of Sensitive Personal Information. Because our processing of SPI is limited to the security and threat-mitigation purposes identified in Section 6, and falls within the permitted purposes under 11 CCR § 7027(m)(4) and Cal. Civ. Code § 1798.140(ac), the "Right to Limit" mechanism described in Cal. Civ. Code § 1798.121(a) is not required. You retain the right to request information about our SPI processing.
  • Right to non-discrimination for exercising your rights.
  • Right to designate an authorized agent to make a request on your behalf. We may require written authorization signed by you and may verify your identity directly.

Verification. To protect your privacy, we will verify your identity before responding to a Right to Know, Delete, or Correct request. We may ask you to confirm data points we already have on file.

Response time. We will confirm receipt of your request within 10 business days and respond substantively within 45 calendar days, with one 45-day extension when reasonably necessary.

Exemptions. Some requests may be denied where applicable law permits, including where compliance would conflict with legal obligations, ongoing legal claims, the security or integrity of our systems, the safety of an identified individual, or the recordkeeping and reinvestigation obligations imposed on us as an Investigative Consumer Reporting Agency under FCRA and ICRAA.

Note for principals, associated parties, and others. Where we process personal information about you as a service provider or contractor on behalf of an engaging client, we will refer your request to that client and assist with their response, except where applicable law requires us to respond directly.

17. Your Rights as the Subject of an Investigative Consumer Report (FCRA / ICRAA)

If we have prepared or are preparing an Investigative Consumer Report concerning you, you have the following rights under the federal Fair Credit Reporting Act and the California Investigative Consumer Reporting Agencies Act, in addition to the rights described elsewhere in this Policy.

Disclosure before issuance. Before an ICR is procured, you must be provided with a clear and conspicuous standalone disclosure and provide written authorization. We provide that standalone disclosure as required by Cal. Civ. Code § 1786.16(a)(2)(B) and 15 U.S.C. § 1681d.

Right to receive a copy of the report. Under Cal. Civ. Code § 1786.16(b)(1), you may request a copy of any ICR prepared regarding you. If you check the appropriate box on the standalone disclosure, the recipient of the report will send you a copy within three business days of receipt. You may also request a copy directly from us.

Right to inspect your file. Under Cal. Civ. Code § 1786.22 and 15 U.S.C. § 1681g, you are entitled, with proper identification, to find out what is in our file on you:

  • In person, by visual inspection during normal business hours and on reasonable notice;
  • By certified mail, upon written request, with copies sent to a specified addressee.

We will provide trained personnel to explain any information furnished to you and a written explanation of any coded information. You may be accompanied by one other person of your choosing who furnishes reasonable identification and, if requested, written permission to discuss your file in their presence.

Right to dispute and reinvestigation. Under FCRA § 1681i and Cal. Civ. Code § 1786.24, if you dispute the accuracy or completeness of any item in our file or report, we will conduct a reasonable reinvestigation, generally within 30 days. We will record the current status of the disputed information, delete or correct it if found to be inaccurate or unverifiable, provide written notice of the results, and, on request, furnish a corrected report to anyone who received the original within the preceding two years.

Right to a Summary of Rights. You will receive, with each disclosure, a Summary of Your Rights under FCRA and a Summary of Your Rights under ICRAA. Additional copies are available on request.

Permissible purpose certification. We provide ICRs only for permissible purposes under FCRA § 1681b. Each client certifies its permissible purpose at the time of order. We do not provide ICRs for credit, insurance underwriting, tenant screening, government benefit decisions, child custody investigations, or general background screening unrelated to security and threat assessment.

Adverse action. If a client takes any adverse action against you based in whole or in part on an ICR, the client (not Stryvint) is responsible under FCRA § 1681m for providing the required adverse-action notice, including identification of the consumer reporting agency and your rights to dispute and obtain a free copy. We assist clients in fulfilling this obligation.

Notice for public-record information. Where applicable, we follow FCRA § 1681k requirements regarding public-record information likely to have an adverse effect on the consumer, including either notifying the consumer or maintaining strict procedures for accuracy.

To exercise these rights, see Section 19. ICR-related requests should reference the engagement and identify the requestor sufficiently for verification.

18. Your Rights Under Other U.S. State Privacy Laws

Residents of certain other U.S. states (including, where applicable, Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, Iowa, Delaware, Indiana, Tennessee, New Jersey, New Hampshire, Minnesota, Maryland, and others as laws come into effect) may have rights similar to those described above. Some states also recognize an appeal right if a request is denied. To exercise these rights, use the contact methods in Section 19.

Note that personal information processed for FCRA-permissible purposes is subject to FCRA-specific exemptions in many state privacy laws.

19. How to Exercise Your Privacy Rights

You can exercise any of the rights described above by:

  • Email: contact@stryvint.com (subject line: "Privacy Request")
  • Mail: Stryvint, Attn: Privacy Officer, 124 W Capitol Ave, Suite 1883, Little Rock, AR 72201

Please include enough information for us to verify your identity and locate any records (typically your name, the email address you used to contact us or that was associated with the engagement, and a description of your request). We will not use information you provide for verification for any other purpose.

If we are unable to verify your identity or your request is otherwise denied, we will explain the reason. You may appeal a denial by replying to our response within 30 days.

20. Children's Privacy

Our Website is not directed to children, and we do not knowingly collect personal information from children under 13 through the Website in violation of the Children's Online Privacy Protection Act ("COPPA"). If you believe a child under 13 has provided us with personal information through the Website, please contact us at contact@stryvint.com and we will take steps to delete it.

Engagement context. In engagements supporting at-risk Principals, the engagement scope may include processing personal information of minor children residing in the Principal's household. We do so only with verifiable parental consent provided by the parent or legal guardian, in compliance with COPPA where applicable. Categories may include approximate or precise geolocation, device identifiers (including MAIDs), online activity metadata, and publicly available social media information. The data is acquired from commercial telemetry vendors and data brokers under Cal. Civ. Code §§ 1798.99.80 et seq. and the California Delete Act (SB 362), and is processed for pattern-of-life analysis, security assessment, and threat detection. Minor personal information is purged on the standard 30-day retention schedule and additionally upon revocation by the parent or guardian, whichever occurs first.

We do not knowingly sell or share the personal information of any individual under 16 years of age.

21. U.S. Federal and State Privacy Considerations

The following federal and state laws are relevant to our practice:

  • FCRA (15 U.S.C. § 1681 et seq.). For engagements that involve issuance of an Investigative Consumer Report, we operate as an Investigative Consumer Reporting Agency and comply with FCRA's permissible purpose, disclosure, authorization, accuracy, dispute, and adverse-action provisions. See Section 17.
  • California ICRAA (Cal. Civ. Code § 1786 et seq.). We comply with ICRAA's standalone disclosure, continuing authorization, file disclosure, dispute, and reinvestigation provisions.
  • CIPA / Pen Register Act (Cal. Penal Code § 638.51(b)(5); 18 U.S.C. § 3121 et seq.). Where engagements involve correlation of device signaling, we obtain express written consent from the subject.
  • OSHA General Duty Clause (29 U.S.C. § 654(a)(1)). Where applicable, our engagements support an Employer's general duty to provide a workplace free from recognized hazards, including targeted violence, stalking, and doxxing-driven harm to at-risk employees.
  • IRC § 132(d) and Treas. Reg. § 1.132-5(m). Where applicable, our engagements support an Employer's substantiation of a working-condition fringe benefit. The Employer, not Stryvint, retains the deliverable for the period required for tax substantiation.
  • HIPAA. We are not a HIPAA covered entity. To the extent any engagement involves Protected Health Information that is incidentally surfaced through OSINT, we treat it as Sensitive Personal Information under Section 6.
  • GLBA. We are not a financial institution within the meaning of the Gramm-Leach-Bliley Act and do not provide consumer financial products or services subject to GLBA's privacy provisions.
  • DPPA. We do not access, request, or use personal information from state motor-vehicle records.
  • CFAA. We do not access computers or accounts without authorization. All OSINT collection is from publicly available or lawfully licensed sources.
  • CAN-SPAM. Any commercial email we send includes an unsubscribe mechanism and our physical mailing address.
  • TCPA. We do not conduct telemarketing or send marketing text messages.
  • State data-breach notification laws. We comply with applicable breach-notification statutes.

22. Confidentiality of Engagements

We maintain strict confidentiality regarding our engagements, our clients, and the Principals on whose behalf we work. We do not publicly identify clients or Principals without authorization. Personnel are subject to non-disclosure obligations that survive the end of their employment or contractor relationship.

23. Third-Party Links

The Website may contain links to third-party websites or resources that we do not control. We are not responsible for their privacy practices or content. We encourage you to review the privacy notices of any third-party services you visit.

24. Changes to This Policy

We may update this Policy from time to time. When we do, we will revise the "Last Updated" date above and, if changes are material, provide a more prominent notice (such as an email to active clients or Principals or a notice on the Website) before the changes take effect. For changes that materially affect ongoing engagements, we will provide written notice and a reasonable opportunity to revoke consent before the change takes effect.

25. Contact Us

If you have questions, concerns, or complaints about this Policy or our privacy practices:

  • Email: contact@stryvint.com
  • Mail: Stryvint, Attn: Privacy Officer, 124 W Capitol Ave, Suite 1883, Little Rock, AR 72201
  • Website: www.stryvint.com

We are committed to working with you to resolve any concerns. You also have the right to lodge a complaint with your state Attorney General or, if you are in the EEA/UK, your local supervisory authority.