Levonata Pte Ltd (trading as Otonata) operates iris-insight, a device vulnerability monitoring service. We are registered in Singapore and are the data controller for personal data processed through this service.
Data Protection Officer: data_protection@otonata.com
General enquiries: helpme@otonata.com
When you register for iris-insight, we collect and process the following:
| Data | Why we collect it |
|---|---|
| Email address | Your identity and the address we send alerts to. We confirm it via a single-use link. |
| Device vendor and model | Self-reported by you. We use these to search the NIST NVD for matching CVEs. |
| Device label | Optional name you give a device (e.g. "living room router"). Stored for your convenience. |
| CPE match and confidence score | Derived from your vendor/model input. Records how precisely your device matched our database. Never shared externally. |
| CVE alert data | CVE IDs, CVSS scores, severity, and descriptions sourced from NIST NVD (public data). Stored to generate alerts and deduplicate future alerts. |
| Privacy incident data | Vendor name, incident type, source URL, and article title from public cybersecurity news feeds. Used to notify you of data breaches or privacy leaks affecting your vendors. |
| Email delivery timestamps | When confirmation and alert emails were sent. Used for deduplication and service audit. |
| Tier and billing status | Which tier you are on (free, watchlist, shield) and, for paid tiers, the Stripe subscription ID. |
We use the data above to:
We do not use your data for advertising, profiling, or to train machine-learning models. We do not sell or rent your personal data to any third party.
We process your personal data on the basis of consent, which you give when you click the confirmation link in the email we send after registration. This constitutes your affirmative consent under the Singapore Personal Data Protection Act 2012 (PDPA) and its 2024 amendments.
You may withdraw your consent at any time by requesting deletion of your account (see section 9). Withdrawal of consent will result in the cessation of all monitoring and the deletion of your data.
We use the following services to operate iris-insight. Each has access only to the data necessary for its function:
| Processor | Role | Data shared |
|---|---|---|
| NIST NVD API | Source of CVE data; public US government database | Vendor/model strings only (no personal data) |
| Karakeep (self-hosted) | Internal feed aggregator for privacy incident monitoring | No personal data; stores article metadata only |
| n8n (Hetzner, Germany) | Workflow automation — registration processing and alert dispatch | Email address and device data transit this server during processing |
| SMTP (noreply@otonata.com) | Email delivery for confirmation and alert emails | Email address and email body |
| Stripe (paid tiers only) | Subscription billing | Email address and payment details; governed by Stripe's Privacy Policy |
We do not use Anthropic, Meta/WhatsApp, or any other AI or social platform processors for iris-insight. (Those are used in our separate full-scan service for business clients.)
| Data | Retained for |
|---|---|
| Email and device records | As long as your account is active. Deleted within 14 days of a deletion request. |
| CVE and privacy alert log | 12 months from the date of the alert, then deleted. |
| Email confirmation tokens | Single-use; invalidated immediately upon use. |
| Stripe billing data | Retained by Stripe per their policies. Subscription ID deleted from our systems when account is deleted. |
Our workflow automation runs on servers operated by Hetzner Online GmbH in Germany (European Union). Your email address and device data transit this server when you register and when alerts are dispatched. Hetzner is subject to EU data protection law (GDPR), which provides a level of protection comparable to Singapore's PDPA.
No other international transfers of personal data are made in connection with iris-insight.
You have the following rights regarding your personal data:
To exercise any of these rights, email helpme@otonata.com. We will respond within 10 business days.
To delete your iris-insight account and all associated data, email helpme@otonata.com with the subject line "Delete my iris-insight account". We will confirm deletion within 14 days. After deletion, we retain only the anonymised alert count for aggregate service statistics (no personal data).
In the event of a data breach that affects your personal data, we will notify you by email and, where required, report to the Personal Data Protection Commission (PDPC) Singapore within the timeframes set out by the PDPA.
We may update this Privacy Policy to reflect changes to our practices or applicable law. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify you by email at least 14 days before the change takes effect.
For privacy enquiries or to exercise your rights:
Levonata Pte Ltd (trading as Otonata)
Data Protection Officer: data_protection@otonata.com
General: helpme@otonata.com