Legal stuff! Yay! Don’t you simply love unreadable documents!? Unlike other companies we will have two sections – one where we tell you what we think you should know about our products and services – in a way that we would have liked to have read it ourselves.
Then there’s a section just for lawyers….
The Vortimo software is the Chrome Extension and the database/server that is installed on your local machine. The software collects all pages you browse to in your Chrome browser – except for those you define in Settings under Ignore/Recording. It stores these pages in the database which is local to your machine. None of that information is being sent to us at all – we don’t see it in any form or shape. We cannot log or process what we don’t receive.
However – if you were to monitor all the network traffic that goes out of Vortimo (and you should!) – this is what you will see:
- When you run a widget the Vortimo software makes a call to an AWS Lambda function (that is under our control). The function then makes the call out to the remote API. It means that – if we wanted to – we could see the object value and the API keys. The initial design was that the UI would make a call directly to the relevant API (i.e. we’re not in the middle of it) but we scrapped it because too many of the API providers do not allow it. Read about CORS headers [here]. So while we’re really not interested in your API calls we can’t give you the functionality without being in the middle – thus having the ability to see the data. If it helps we can assure you that we don’t log or look at the data.
- To make sure people are not ripping us off we check the validity of your license every hour. We do this by sending a hash of (license + nonce) to the server, and the server sends back the license + new nonce. This call goes out to license.osint-tool.com (or at least it did when we were writing this!).
- To keep the Links sections in our software relevant we have the ability to remotely update links (the buttons you click on that go off to another website). We check for changed or new links on start-up of the tool and every 90 minutes thereafter. The call-out is to AWS. These requests are also logged – nothing other than the source IP, user-agent, time of the request and resource requested is logged.
- When you replay a site, the data comes from the local store, but we’re pretty sure that there could be trickery (or even bugs on our side) that can cause the page to load any number of elements from the actual live site on the Internet. If you’re working with particularly sensitive information and it’s crucial that the target web site is never touched again we advise you to disable your internet connection completely. That’s just good opsec anyhow.
- We call out to Google’s S2 favicon service in order to get you the favicons, the little images next to the website name – never to the actual site.
- When you click on a link that goes to an external provider then obviously the data is going to that provider. The URL is opened on the provider – we do not intercept or record it.
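One way to act on the advice to monitor Vortimo's outbound traffic, as an added example (not Vortimo's code): it checks a constructed connection log against the call-outs listed above. Only license.osint-tool.com comes from this page; the `.amazonaws.com` suffix, the `www.google.com` favicon host, the log format and the two-minute slack are assumptions.

```python
from datetime import datetime, timedelta

# (category, host rule, minimum documented gap between calls)
RULES = [
    ("license", "license.osint-tool.com", timedelta(hours=1)),  # named on the page
    ("aws", ".amazonaws.com", None),      # ASSUMED suffix for the Lambda/link calls
    ("favicon", "www.google.com", None),  # ASSUMED host for Google's S2 service
]
SLACK = timedelta(minutes=2)  # ASSUMED tolerance for timer jitter

def classify(host):
    """Return the documented category for a host, or None if undocumented."""
    host = host.lower().rstrip(".")
    for name, rule, _ in RULES:
        # A leading dot means suffix match; otherwise the host must match exactly.
        if host == rule or (rule.startswith(".") and host.endswith(rule)):
            return name
    return None

def audit(log_lines):
    """Flag undocumented destinations and calls more frequent than stated."""
    undocumented, too_frequent, last_seen = set(), [], {}
    min_gap = {name: gap for name, _, gap in RULES if gap}
    for line in log_lines:
        stamp, host = line.split()[:2]
        when = datetime.fromisoformat(stamp)
        category = classify(host)
        if category is None:
            undocumented.add(host)
            continue
        prev = last_seen.get(category)
        if category in min_gap and prev and when - prev < min_gap[category] - SLACK:
            too_frequent.append((category, stamp))
        last_seen[category] = when
    return sorted(undocumented), too_frequent

# Constructed sample of outbound connections: "<ISO timestamp> <destination host>".
SAMPLE = """\
2024-05-01T09:00:00 license.osint-tool.com
2024-05-01T09:00:01 abc123.execute-api.eu-west-1.amazonaws.com
2024-05-01T09:00:05 www.google.com
2024-05-01T09:12:40 telemetry.example.net
2024-05-01T09:20:00 license.osint-tool.com
2024-05-01T10:20:00 license.osint-tool.com
""".splitlines()

if __name__ == "__main__":
    unknown, early = audit(SAMPLE)
    print("undocumented destinations:", unknown)
    print("earlier than documented interval:", early)
```

Host-level logs cannot distinguish the favicon request from other traffic to the same host, so treat that rule as coarse.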
On our website:
- When you visit our website we obviously log the visit – like any other site on the Internet – in Apache log format.
- When you sign up to the mailing list we record the email address, sector and employer – this is information that you supply to us and just the email address is mandatory. This info is kept at Mailchimp.
- All transactional data like credit card numbers, CVV and that stuff is kept with FastSpring – our payment provider. We don’t touch that data. We only get your email address and your name. And your money 🙂
There are two levels of service:
- FREE: You don’t pay us. We provide no support. You get to use the software – but it’s limited in functionality. If you want to use the software without limits you need to pay a bit of money. If you want to have support you need to pay some more.
- STANDARD: You give us money and in return you get software without any limitations. You get updates, you get bug fixes. You get email support – when we have the time to respond to you.
- If the software blows up your computer or your network or your house or so on – it’s still on you. We do our best to ensure there is no malware in our software. However we cannot guarantee that our source code hasn’t been compromised by a state-level bad actor. It would be a sad day though and we’re pretty diligent to ensure that doesn’t happen. Then again – that’s probably what the Solarwinds guys said too.
- Mileage might vary – for all of the models there is no guarantee that the software works exactly as you wish. We will do our best to not have bugs in our software, but let’s be fair – that’s also wishful thinking. Our worst nightmare is if you lose data due to corrupt databases or faulty exports. But – in full disclosure – that can happen. So regularly make PDFs.. 😉
- If you buy the standard version and you use it in your mega corporation then the following applies. 1) We won’t know that you are cheap & cheating – but 2) you would know and it will haunt you and 3) we can guarantee that you’ll find your karma directly affected by our state of the art automated bad juju generator if you’re lucky, by our lawyers if you’re unlucky (which, since you stole from us, you now will be (see 3)). So don’t be cheap, cheating, haunted, or unlucky and just stick to the plan here – corporates and big organizations should buy the Premium version. We totally rely on you not to be a poephol.
- For Standard license users – in order to develop (pretty niche) custom software at that price point we can’t really sit next to the computer waiting for your email. We’re all subtle about it but we appreciate that you understand this.