Privacy Policy
1. Who We Are
Nettorii Ltd ("Nettorii", "we", "us") is the developer and operator of ONINET, a containerised offensive security platform, registered in England and Wales. Our registered address is:
Nettorii Ltd
66 Paul Street
London EC2A 4NA
United Kingdom
For any privacy-related enquiries, contact us at [email protected].
2. What Data We Collect
We collect only the data necessary to operate the platform, enforce licensing, and process payments.
2.1 Account Data
Collected at checkout and during account setup:
- Full name — provided in pre-checkout form
- Company name — provided in pre-checkout form
- Work email address — used as account identifier
- Phone number — provided in pre-checkout form
- Password (hashed) — stored by Supabase Auth, never accessible to us in plaintext
- MFA enrolment — TOTP secret managed by Supabase Auth
2.2 Billing Data
Payment processing is handled entirely by Stripe (PCI DSS Level 1 certified). We store your Stripe customer ID and subscription ID for account linkage. We never receive, process, or store your card number, CVC, or bank details.
2.3 Licence Telemetry
The ONINET CLI sends a heartbeat to our licence server approximately every 5 minutes. Each heartbeat includes:
- IP address — of the machine running the CLI
- Country code — derived from your IP address by Cloudflare geolocation (we do not perform our own IP-to-location lookups)
- Machine identifier — a SHA-256 hash derived from your system's hostname and username. The raw hostname is also transmitted and stored alongside heartbeat data.
- Device fingerprint — the hardware hash described in Section 2.4
- Device binding token — a server-issued token linking your device to your licence seat
- System information — operating system name, OS family, CPU architecture, and CLI version
- Container name and active container count
- Engagement metrics — session hours, hosts discovered, and days active (30-day rolling window)
- Tool usage metrics — the names and invocation counts of recognised security tools used within the ONINET container (e.g., nmap, bloodhound, hashcat). Only the tool name and count are recorded; command arguments, output, and targets are never captured.
Heartbeat data is used exclusively for licence enforcement and aggregate product analytics. No operational data (credentials, findings, targets, scan results, tool output, or command history) is included.
We maintain a device history record tracking when each device was first and last seen, along with system information, for device management and licence enforcement.
2.4 Device Binding
To enforce per-seat device limits, ONINET generates a hardware fingerprint computed as a SHA-256 hash of:
/etc/machine-id- DMI board serial number
- CPU model name
- A locally generated device UUID (
~/.oninet/.device_id)
This fingerprint is a one-way hash — the individual hardware identifiers cannot be recovered from it. It is stored server-side solely to enforce your subscription's device slot limit.
2.5 Portal Session Data
The customer portal uses browser-based storage for session management. These are not cookies — they are stored in your browser's local storage APIs and are accessible only to the portal origin.
- Authentication token — Supabase stores your session token in browser localStorage (encrypted in transit via TLS, accessible only to the portal origin)
- Idle timeout flag — stored in browser sessionStorage to enforce inactivity timeouts
We do not use tracking cookies, analytics cookies, or advertising cookies. The only cookie set in
connection with our services is a strictly-necessary security cookie (__cf_bm)
placed by our infrastructure provider Cloudflare when your browser contacts our API, to
protect it from automated abuse. It lasts around 30 minutes, builds no profile of you, is not used for
advertising or cross-site tracking, and is exempt from consent requirements under UK PECR and EU ePrivacy rules.
2.6 Audit Log
Security-relevant events are recorded in an audit log, including: logins, password changes, MFA enrolment and verification, member invitations, role changes, and licence actions. Each entry includes a timestamp, user ID, event type, and IP address. Logs contain only event metadata, not substantive content.
2.7 TOS Acceptance Records
When you accept our Terms of Use (e.g. at download), we record: timestamp, IP address, platform, user ID, and TOS version accepted.
2.8 Interest Form Submissions
If you submit an enquiry via our interest form, we collect: name, company, email, phone number, tier interest, and your message.
2.9 Download Tracking
When you download the ONINET binary, we log: platform, IP address, timestamp, and the TOS version accepted.
2.10 Security Enforcement Data
To protect the platform against unauthorised use and abuse, we collect and process:
- Security event logs — records of anomalous licence activity, including the associated IP address, country code, and device identifiers
- IP address and country blocking — we may block specific IP addresses or country codes from accessing the licence server when suspicious activity is detected
- Remote wipe directives — in cases of confirmed licence abuse or theft, we may issue a remote wipe directive. This wipes ONINET application data only (container images, engagement data stored within the ONINET working directory). Personal files, system files, and data outside the ONINET directory are never affected.
- Wipe execution status — the CLI reports back whether a wipe directive was successfully executed, including the timestamp of completion
2.11 Container and Satellite Events
We collect lifecycle telemetry about ONINET containers and satellite services:
- Container lifecycle events — start, stop, and error events for the main ONINET container, including the associated machine identifier, IP address, and country code
- Satellite events — which satellite services were started or stopped, their version, and timestamps
3. Data We Do Not Collect
ONINET runs entirely on your hardware. The following data never leaves your machine:
- Engagement content (targets, findings, credentials, reports)
- Session recordings
- Tool output or command history
- Network traffic or scan results
4. Legal Basis for Processing
We process your personal data under the following legal bases (UK GDPR / UK DPA 2018):
| Data Category | Legal Basis |
|---|---|
| Account data, billing | Contract — necessary to provide the service you purchased |
| Licence telemetry, device binding | Legitimate interest — We have a legitimate interest in preventing unauthorised use, enforcing subscription limits, and maintaining platform stability. Data collected is limited to what is necessary — heartbeats contain no operational content. Device fingerprints are one-way hashes; individual hardware identifiers cannot be recovered. We assessed this is proportionate given the product's nature and minimal intrusiveness of hashed identifiers. You have the right to object (Section 8). |
| Audit log | Legitimate interest — We maintain security audit logs to detect unauthorised access. Logs contain only event metadata, not substantive content. You have the right to object (Section 8). |
| Security enforcement data | Legitimate interest — protecting the platform against fraud and unauthorised use. Processing is limited to security event metadata and wipe status only. You have the right to object (Section 8). |
| Container and satellite events | Legitimate interest — licence enforcement and platform stability monitoring. Only lifecycle metadata is recorded. You have the right to object (Section 8). |
| Interest form submissions | Consent — you voluntarily submit enquiry data |
| TOS acceptance, download tracking | Legal obligation — record-keeping for regulatory compliance |
5. How We Use Your Data
- Licence enforcement — verifying active subscriptions, enforcing seat and device limits
- Billing — managing your subscription via Stripe, processing renewals
- Account management — authentication, password resets, MFA, team member invitations
- Support — responding to your enquiries
- Product improvement — aggregate, anonymised usage patterns to inform development priorities
- Security — detecting and preventing unauthorised access or abuse
6. Data Sharing
We do not sell your data. We do not share your data with advertisers. We share data only with:
- Stripe — payment processing (your email and name for invoice generation)
- Cloudflare — CDN, DNS, Workers infrastructure, and R2/KV edge storage (requests are processed at the nearest edge point of presence)
- Supabase — hosted database and authentication (EU region)
Each sub-processor operates under a Data Processing Agreement (DPA) meeting UK GDPR Article 28 requirements.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Lifetime of your account + 30 days after deletion |
| Heartbeat telemetry | 90 days (rolling) |
| Device history | Lifetime of your account + 30 days after deletion |
| Audit logs | 1 year |
| Security event logs | 1 year |
| Download events | 1 year |
| Container and satellite events | 90 days |
| Engagement metrics | Lifetime of your account + 30 days after deletion |
| Billing records | As required by applicable tax and accounting law (typically 6 years in the UK) |
| Interest form submissions | 12 months, or until you request deletion |
| TOS acceptance records | Lifetime of your account + 30 days |
Where automated deletion is not yet in place, we perform periodic manual reviews to ensure data is not retained beyond the periods stated above.
8. Your Rights
Under UK GDPR and the Data Protection Act 2018, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data (subject to legal retention obligations)
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Restriction — request that we limit how we process your data
- Withdraw consent — where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, email [email protected]. We will respond within 30 days.
If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
9. International Transfers
Our primary database is hosted by Supabase in the EU (eu-west-1, Ireland). Supabase operates under a Data Processing Agreement that meets UK GDPR Article 28 requirements.
Cloudflare Workers, R2 object storage, and KV edge storage process requests at the nearest global edge point of presence, which means some request data may be briefly processed outside the UK/EEA. Cloudflare maintains appropriate safeguards including Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (UK IDTA) for international data transfers.
Stripe processes payment data in accordance with their global infrastructure and maintains compliance with EU-US and UK data transfer frameworks, including Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (UK IDTA).
10. Security Measures
- Encryption in transit — all communications use TLS 1.2+
- Encryption at rest — database encryption via Supabase (AES-256), binary distribution via AES-256-GCM
- Multi-factor authentication — required for all portal accounts
- Session timeouts — automatic idle logout
- Row-Level Security — database policies enforce organisation-scoped data access
- Audit logging — security events recorded and retained
- Least privilege — Docker socket proxy restricts API surface; container capabilities selectively granted
11. Cookies and Browser Storage
The customer portal uses browser storage (localStorage and sessionStorage) for session management,
not traditional HTTP cookies. We do not use analytics, tracking, or advertising cookies. The only cookie set in
connection with our services is a single strictly-necessary security cookie (__cf_bm)
placed by Cloudflare to protect our API from automated abuse — see the table below. Because it is essential, no
consent banner is required for it.
| Storage Item | Type | Purpose | Duration |
|---|---|---|---|
| Supabase auth token | localStorage | Session authentication | Until logout / token refresh cycle |
| Idle timeout flag | sessionStorage | Enforce inactivity logout | Browser session |
| Pending invite token | localStorage | Preserve team invitation link through authentication flow | Until consumed or cleared |
__cf_bm | Cookie (Cloudflare) | Strictly-necessary bot & abuse protection on our API — no profiling or cross-site tracking | ~30 minutes |
12. Automated Decision-Making
We use automated systems to make certain decisions that may affect your access to the service. These are based on objective, rule-based criteria and do not constitute profiling:
- Device slot enforcement — if you exceed your subscription's device limit, additional devices are automatically blocked from starting containers until a slot is freed
- IP address and country blocking — if anomalous licence activity is detected from a specific IP address or country, automated rules may temporarily block access from that source
- Revoked key enforcement — if your licence key is revoked (e.g. due to non-payment or confirmed abuse), the CLI will automatically prevent further use
None of these decisions are based on profiling, personal characteristics, or behavioural analysis. If you believe an automated decision has been applied to you in error, you have the right to request human review by contacting [email protected].
13. Obligation to Provide Data
Different categories of data we collect carry different obligations:
- Contractual requirement — account data (name, email, company, phone) and billing data are required to establish and maintain your subscription. Without this data, we cannot provide the service.
- Licence requirement — device fingerprints, telemetry heartbeats, and device binding tokens are required by the licence agreement. The ONINET CLI cannot function without transmitting this data. Disabling telemetry is not supported and will result in licence validation failure.
- Voluntary — interest form submissions are entirely voluntary. You are under no obligation to provide this data, and choosing not to submit an enquiry has no effect on your use of the service.
14. Children
ONINET is a professional security tool and is not intended for use by individuals under 18. We do not knowingly collect data from children.
15. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via the customer portal at portal.nettorii.com. Continued use of the service after changes constitutes acceptance of the revised policy.
16. Contact
For any questions about this privacy policy or your personal data, contact:
Nettorii Ltd
66 Paul Street
London EC2A 4NA
United Kingdom
General: [email protected]
Privacy: [email protected]
GDPR requests: [email protected]
Website: nettorii.com