Privacy Policy

Effective Date: May 15, 2026

Last Updated: May 15, 2026

Stratir LLC, a Wyoming limited liability company doing business as LIMITLESS ("LIMITLESS," "we," "our," or "us"), is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your Personal Data when you access or use the LIMITLESS website at limitless-osint.com, its subdomains, and all related services (collectively, the "Service"). This policy is designed to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), Brazil's Lei Geral de Protecao de Dados ("LGPD"), Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), South Africa's Protection of Personal Information Act ("POPIA"), and all other applicable data protection laws worldwide. By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

1. DATA CONTROLLER

For the purposes of the GDPR and equivalent legislation, the data controller responsible for your Personal Data is:

Stratir LLC, d/b/a LIMITLESS

Email: vance@stratir.com

Website: limitless-osint.com

If you are located in the European Economic Area ("EEA") or the United Kingdom ("UK") and have questions about how your data is processed, or wish to exercise any of your rights, you may contact us at the email address above. We do not currently have a mandatory obligation to appoint a Data Protection Officer ("DPO"); however, all data protection inquiries will be handled with the same level of diligence and priority as if a DPO were appointed.

2. PERSONAL DATA WE COLLECT

2.1 Data You Provide Directly

When you create an Account or interact with the Service, you may provide the following categories of Personal Data:

  • Account Information: Email address, full name, and password (stored as a bcrypt hash; we never store plaintext passwords).
  • Profile Information: Display name, username, avatar image, biography, specialization, technical experience level, and faction preference.
  • Social Links (optional): Twitter/X username, Instagram username, GitHub username, LinkedIn username, and personal website URL.
  • Payment Information: When you make a purchase, payment details (credit/debit card numbers, billing address) are collected and processed directly by Stripe, Inc. We never receive or store your full card numbers. We retain only Stripe transaction reference identifiers (session IDs, payment intent IDs, and customer IDs) for order management and support.
  • Communications: Messages you send to our support team, and content you submit through AI chat features.
  • User Content: Challenge submissions, code snippets, knowledge notes, team communications, and CTF competition entries.

2.2 Data Collected Automatically

  • Session Data: We generate cryptographically random session tokens stored in HTTP-only cookies to authenticate your sessions. These tokens do not contain Personal Data and are not used for tracking.
  • Learning Activity Data: Course enrollment dates, lesson completion records, challenge attempts and scores, XP earned, streaks, skill levels, leaderboard rankings, and activity timestamps.
  • CTF Participation Data: Team membership, competition registrations, flag submissions, scores, and rankings.
  • Rate-Limiting Metadata: We temporarily process truncated session identifiers and IP addresses through Upstash Redis solely for the purpose of rate limiting and abuse prevention. This data is ephemeral and is automatically purged within sixty (60) seconds of the rate-limit window expiring.

2.3 Data We Do NOT Collect

We are committed to data minimization. We do not collect or process:

  • Precise geolocation data
  • Device fingerprints or hardware identifiers
  • Browsing history outside the Service
  • Analytics or advertising cookies (see our Cookie Policy)
  • Biometric data
  • Data from minors under the age of eighteen (18)
  • Sensitive Personal Data as defined under Article 9 of the GDPR (racial or ethnic origin, political opinions, religious beliefs, genetic data, health data, sexual orientation) unless voluntarily disclosed by you in free-text profile fields

3. PURPOSES AND LEGAL BASES FOR PROCESSING

We process your Personal Data only for specified, explicit, and legitimate purposes. The table below sets out the purposes of processing alongside the applicable legal basis under the GDPR (Article 6(1)):

Purpose | Legal Basis
Creating and managing your Account | Performance of a contract (Art. 6(1)(b))
Authenticating logins (email/password or Google OAuth) | Performance of a contract (Art. 6(1)(b))
Delivering courses, challenges, and learning content | Performance of a contract (Art. 6(1)(b))
Processing payments and managing purchases | Performance of a contract (Art. 6(1)(b))
Sending transactional emails (CTF invitations, password resets) | Performance of a contract (Art. 6(1)(b))
Tracking learning progress, XP, rankings, and certifications | Performance of a contract (Art. 6(1)(b))
Providing AI-powered learning assistance (Karine) | Legitimate interest (Art. 6(1)(f)): improving the educational experience
Preventing abuse, fraud, and unauthorized access (rate limiting, session validation) | Legitimate interest (Art. 6(1)(f)): security and platform integrity
Displaying leaderboards and public profile information | Legitimate interest (Art. 6(1)(f)): fostering community engagement
Complying with legal obligations (tax records, lawful data requests) | Legal obligation (Art. 6(1)(c))
Responding to your support requests and inquiries | Legitimate interest (Art. 6(1)(f)): customer support

Where we rely on legitimate interest as the legal basis, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time (see Section 7).

4. DATA SHARING AND THIRD-PARTY PROCESSORS

4.1 Categories of Recipients

We may share your Personal Data with the following categories of recipients, solely to the extent necessary for the purposes described in this Privacy Policy:

  • Convex, Inc. (backend infrastructure and database hosting). Convex processes and stores your Account data, profile information, learning progress, and User Content on our behalf.
  • Google LLC (OAuth authentication). If you choose to sign in with Google, Google receives your authentication request and provides us with your name and email address. We do not share any additional data with Google.
  • Stripe, Inc. (payment processing). Stripe processes your payment card information directly. We share only the minimum information necessary to initiate and manage transactions (email address and transaction amounts).
  • Resend (transactional email delivery). Resend receives recipient email addresses and email content solely for the purpose of delivering transactional messages such as CTF invitations and password reset links.
  • Mistral AI (AI chat assistant). When you interact with Karine, your chat messages are transmitted to Mistral AI for processing. We do not send your Account information, profile data, or other Personal Data to Mistral AI. Only the content of your chat message and relevant lesson context (titles and descriptions, not personal identifiers) are transmitted.
  • Upstash (rate limiting). Upstash processes truncated, pseudonymized session identifiers and IP addresses solely for abuse prevention. This data is ephemeral and automatically expires.

4.2 Data Processing Agreements

We maintain data processing agreements ("DPAs") or equivalent contractual safeguards with each of our third-party processors to ensure they process your data only on our instructions and in compliance with applicable data protection laws.

4.3 Other Disclosures

We may also disclose your Personal Data if required to do so by law, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent fraud or other illegal activity; (d) protect the personal safety of Users or the public; or (e) protect against legal liability.

We do not sell, rent, or trade your Personal Data to third parties for their marketing purposes. We do not share your Personal Data for cross-context behavioral advertising.

5. INTERNATIONAL DATA TRANSFERS

The Service is hosted in the United States. If you access the Service from outside the United States, including from the EEA, the UK, Brazil, Canada, or South Africa, your Personal Data will be transferred to and processed in the United States.

For transfers of Personal Data from the EEA or the UK to the United States, we rely on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs): We use the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) as the primary safeguard for international data transfers.
  • EU-US Data Privacy Framework: Where our third-party processors are certified under the EU-US Data Privacy Framework (or equivalent successor framework), we rely on such certification as an additional transfer safeguard.

For transfers from other jurisdictions (Brazil under the LGPD, Canada under PIPEDA, South Africa under POPIA), we ensure that appropriate safeguards, including contractual commitments equivalent to those required under the applicable law, are in place.

You may request a copy of the relevant transfer safeguards by contacting us at vance@stratir.com.

6. DATA RETENTION

6.1 Retention Periods

  • Account and Profile Data: Retained for as long as your Account remains active. Upon Account deletion or a verified erasure request, this data will be permanently removed from our production systems within thirty (30) days.
  • Learning Progress Data: Retained for as long as your Account remains active to provide continuity in your training experience. Deleted in accordance with Account deletion.
  • Payment Records: Stripe transaction reference identifiers are retained for up to seven (7) years after the date of the transaction to comply with applicable tax and accounting regulations.
  • Session Tokens: Automatically expire after seven (7) days or upon logout, whichever occurs first.
  • Rate-Limiting Data: Automatically purged within sixty (60) seconds of the rate-limit window expiring.
  • AI Chat Interactions: Chat messages sent to Mistral AI are processed in real time for response generation. We do not store a persistent log of your AI conversations.
  • Support Communications: Retained for up to three (3) years after the resolution of the inquiry for quality assurance and legal compliance.

6.2 Backup and Residual Copies

Residual copies of your data may exist in encrypted backups for a limited period (not exceeding ninety (90) days) after deletion from production systems. These backups are access-restricted and are not used for active processing.

7. YOUR RIGHTS

Depending on your jurisdiction, you may have some or all of the following rights regarding your Personal Data:

Right | Description | Applicable Laws
Access | Request a copy of the Personal Data we hold about you | GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPEDA, POPIA
Rectification | Request correction of inaccurate or incomplete Personal Data | GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPEDA, POPIA
Erasure ("Right to be Forgotten") | Request deletion of your Personal Data, subject to legal retention obligations | GDPR, UK GDPR, CCPA/CPRA, LGPD
Restriction | Request that we limit our processing of your data in certain circumstances | GDPR, UK GDPR, LGPD
Portability | Receive your Personal Data in a structured, commonly used, machine-readable format | GDPR, UK GDPR, LGPD
Objection | Object to processing based on legitimate interest or for direct marketing | GDPR, UK GDPR, LGPD, POPIA
Withdraw Consent | Withdraw your consent at any time where processing is based on consent | GDPR, UK GDPR, LGPD, PIPEDA, POPIA
Non-Discrimination | Exercise your privacy rights without receiving discriminatory treatment | CCPA/CPRA, LGPD
Opt Out of Sale/Sharing | Opt out of the sale or sharing of Personal Data for behavioral advertising | CCPA/CPRA
Lodge a Complaint | File a complaint with your local data protection supervisory authority | GDPR, UK GDPR, LGPD, POPIA

How to Exercise Your Rights: Submit your request by emailing vance@stratir.com with the subject line "Data Rights Request." We will verify your identity and respond within thirty (30) days (or the shorter period required by your applicable law). We will not charge a fee for processing your first request within a twelve-month period, unless the request is manifestly unfounded or excessive.

CCPA/CPRA Disclosure: LIMITLESS does not sell your Personal Data. We do not share your Personal Data for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes beyond those permitted under the CPRA. We honor Global Privacy Control (GPC) signals.

8. DATA SECURITY

We implement commercially reasonable technical and organizational measures to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

  • Passwords are hashed using bcrypt with a cost factor of 12. We never store plaintext passwords.
  • Authentication sessions use cryptographically random tokens stored in HTTP-only, Secure, SameSite cookies.
  • Rate limiting is applied to authentication endpoints, API routes, and email-sending functions to prevent brute-force and abuse attacks.
  • All data in transit is encrypted using TLS 1.2 or higher.
  • Administrative access to production systems is restricted to authorized personnel and protected by role-based access controls.
  • Input sanitization and output encoding are applied across the Service to prevent injection attacks.

While we take commercially reasonable precautions, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security. If you become aware of a security vulnerability or suspect that your Account has been compromised, please contact us immediately at vance@stratir.com.

9. CHILDREN'S PRIVACY

The Service is not directed at individuals under the age of eighteen (18). We do not knowingly collect Personal Data from children under the age of eighteen. If we become aware that we have inadvertently collected Personal Data from a child under eighteen, we will take prompt steps to delete that data from our systems. If you are a parent or guardian and believe that your child has provided us with Personal Data, please contact us at vance@stratir.com so that we can take appropriate action.

10. AUTOMATED DECISION-MAKING AND PROFILING

The Service does not engage in automated decision-making that produces legal effects or similarly significant effects on you, as described under Article 22 of the GDPR. While the Service uses automated systems to calculate XP, rankings, and learning progress, these calculations are purely gamification features within the educational platform and do not affect your legal rights, access to services, or financial standing.

The AI chat assistant (Karine) generates responses using third-party machine learning models. These responses are informational and educational only. No decisions affecting your Account, access, or standing are made solely on the basis of AI outputs.

11. DO NOT TRACK AND GLOBAL PRIVACY CONTROL

Some web browsers transmit "Do Not Track" ("DNT") signals. Because there is no universally accepted standard for interpreting DNT signals, the Service does not currently respond to DNT signals. However, because we do not use tracking cookies, advertising cookies, or cross-site tracking technologies, the practical effect is equivalent to honoring a DNT request.

We honor Global Privacy Control ("GPC") signals as a valid opt-out preference signal under the CCPA/CPRA. Because we do not sell or share Personal Data for cross-context behavioral advertising, no additional action is required upon receiving a GPC signal, but the signal is acknowledged and respected.

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will: (a) update the "Effective Date" and "Last Updated" date at the top of this page; (b) provide prominent notice through the Service; and (c) where required by applicable law, obtain your consent to the changes before they take effect.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any update constitutes your acknowledgment of the revised Privacy Policy.

13. CONTACT AND SUPERVISORY AUTHORITIES

If you have questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us at:

Stratir LLC, d/b/a LIMITLESS

Data Protection Inquiries

Email: vance@stratir.com

If you are not satisfied with our response, you have the right to lodge a complaint with the competent data protection supervisory authority in your jurisdiction. For residents of the EEA, a list of supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. For residents of the UK, the supervisory authority is the Information Commissioner's Office (ICO). For residents of Brazil, the supervisory authority is the Autoridade Nacional de Protecao de Dados (ANPD).