Privacy Policy
See also: Cookie Policy
1. Purpose & Scope
latwarden is an open-source intelligence (OSINT) monitoring platform that tracks publicly available security, hybrid threat, and geopolitical indicators relevant to Estonia and the Baltic states. The platform processes the following categories of data:
- Security indicators – military movements, airspace events, maritime activity, GPS interference, energy flows (all aggregated, no personal data).
- Economic indicators – inflation, employment, GDP, consumer confidence (aggregated statistics, no personal data).
- Disinformation & influence monitoring – public social media posts, news articles, and Telegram channel messages relevant to information manipulation campaigns targeting Estonia and the Baltic region. This includes processing personal data of public figures.
2. Data Controller
latwarden is an independent, non-governmental OSINT project operated by a private individual.
Contact: [email protected]
Website: latwarden.eu
3. Personal Data Processed
3a. Public figures (influence monitoring)
The platform processes personal data of public figures (elected officials, political activists, media figures, sanctioned individuals) in the context of disinformation and foreign influence monitoring. This includes:
- Full name and known aliases
- Political party affiliation (publicly declared)
- Publicly available social media posts (Telegram, YouTube)
- Company board memberships (from public commercial registries)
- Publicly available biographical information
- Sanctions status (from OpenSanctions public dataset)
The platform does not process:
- Private communications or messages
- Data from non-public social media profiles
- Financial data beyond public registry information
- Data about private individuals who are not public figures
3b. Website visitors
When you visit latwarden.eu, we process:
- IP address and approximate location (via Cloudflare, for security/DDoS protection)
- Browser type and operating system (via Google Analytics, only with your consent)
- Pages visited, time on site, referrer URL (via Google Analytics, only with your consent)
- Language and theme preferences (stored locally in your browser)
We do not collect your name, email address, or any identifying information unless you contact us directly. For details on cookies and local storage, see the Cookie Policy.
4. Lawful Basis
| Data category | Legal basis |
|---|---|
| Public social media posts | Art. 6(1)(f) legitimate interest – monitoring of foreign information manipulation and interference (FIMI) as defined by EEAS |
| Political affiliation | Art. 9(2)(e) – data manifestly made public by the data subject |
| Company board memberships | Art. 6(1)(f) – data from public commercial registries (Äriregister, teatmik.ee) |
| Sanctions data | Art. 6(1)(f) – processing of publicly available sanctions lists in the public interest |
| Website analytics | Art. 6(1)(a) – consent (Google Analytics loaded only after explicit cookie consent) |
| Essential cookies | Art. 6(1)(f) – strictly necessary for site functionality (no consent required) |
The legitimate interest pursued is the monitoring and analysis of foreign information manipulation and interference (FIMI) targeting Estonia and the Baltic states, which constitutes a substantial public interest under Estonian law (IKS §4 – processing for journalistic, academic, artistic, or literary purposes).
5. Legitimate Interest Balancing Test
The controller has conducted a legitimate interest assessment considering:
- Nature of data: Only publicly available information from public figures acting in their public capacity.
- Reasonable expectations: Public officials and political figures have a reduced expectation of privacy regarding their public political activity.
- Safeguards: Access to detailed person profiles is restricted to authenticated users. Public-facing pages show only aggregated statistics. Shared dossier links expire automatically and access is logged.
- Data minimization: Only data relevant to influence monitoring is collected. Private life information is not processed.
- Accuracy: Data provenance is tracked with source URLs, timestamps, and confidence scores. Automated connections are flagged as unverified until manually confirmed.
6. Data Subject Rights
If your personal data is processed by this platform, you have the following rights under GDPR:
- Right of access (Art. 15) – request a copy of data held about you.
- Right to rectification (Art. 16) – request correction of inaccurate data.
- Right to erasure (Art. 17) – request deletion, subject to applicable exceptions (Art. 17(3)(a) – freedom of expression and information).
- Right to object (Art. 21) – object to processing based on legitimate interest.
- Right to restriction (Art. 18) – request restriction of processing.
- Right to lodge a complaint – Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): www.aki.ee, Tatari 39, Tallinn 10134, [email protected], +372 627 4135.
How to submit a data subject request
To exercise any of the above rights, send an email to [email protected] with the subject line "GDPR Data Subject Request". Please include:
- Your full name and any known aliases
- Which right you wish to exercise (access, rectification, erasure, restriction, objection)
- Any information to help us identify your data (e.g., social media handles, platform names)
We will verify your identity before processing the request. Response time: within 30 days. If the request is complex, we may extend this by an additional 60 days with notification.
Erasure requests: When we process a deletion request, we remove the person record and all associated data (social media signals, connections, profile data, shared dossier links) from all our systems including the primary database and graph database. Suspended monitoring profiles will not be reactivated.
7. Data Retention
Data is retained only as long as necessary for the stated purpose (GDPR Art. 5(1)(e)). Automated retention enforcement runs daily.
| Data type | Retention period | Legal basis |
|---|---|---|
| Social media signals (RSS, YouTube, Telegram) | 2 years from publication date | Art. 6(1)(f) – FIMI monitoring of public figures |
| Defense OSINT articles (MilWatch RSS) | 2 years from publication date | Art. 6(1)(f) – security monitoring |
| AI-generated OSINT summaries (Perplexity, GDELT) | 1 year from creation | Art. 6(1)(f) – analytical processing |
| Security indicators (ADS-B, AIS, FIRMS, GPS, NOTAM, energy, satellite) | Indefinite | No personal data – aggregated sensor/geospatial data |
| Public records (sanctions lists, legislation) | Indefinite | Publicly available government data |
| Person profiles (public figures) | Duration of monitoring or until valid erasure request | Art. 6(1)(f) – legitimate interest (FIMI monitoring) |
| Narrative classification tags | Same as parent signal; NEUTRAL/NA tags deleted after 90 days | Art. 6(1)(f) – analytical processing |
| Shared dossier links | Expire after 72 hours; cleaned 30 days after expiry | Art. 6(1)(f) – controlled sharing |
| Dossier access logs | 1 year | Art. 5(2) – GDPR accountability |
| Classification audit trail | Indefinite | Art. 5(2) – accountability for automated decisions |
| Website analytics (Google Analytics) | 14 months (Google default) | Art. 6(1)(a) – consent |
| Cookies | See Cookie Policy | Art. 6(1)(a) consent / Art. 6(1)(f) strictly necessary |
8. Data Security
- All traffic encrypted via TLS (HTTPS), enforced by Cloudflare.
- Administrative access requires hardware security key (WebAuthn/FIDO2) or biometric passkey.
- Person profiles and dossiers accessible only to authenticated users.
- Infrastructure hosted in the EU (Hetzner, Helsinki, Finland).
- Database encrypted at rest. No data stored on third-party cloud providers.
9. Automated Processing
The platform uses automated processing including narrative classification (assigning topic codes to social media posts) and campaign detection (identifying coordinated activity patterns). These are analytical tools used by administrators and do not produce decisions with legal or similarly significant effects on data subjects (GDPR Art. 22).
Automated classifications are reviewed by administrators and can be corrected or removed. Connections between persons generated by automated systems are explicitly flagged as unverified.
10. International Transfers
No personal data is transferred outside the EU/EEA, except:
- Google Analytics (USA) – only with explicit consent, covered by EU-US Data Privacy Framework.
- Cloudflare (USA) – for CDN/security, acting as data processor under Standard Contractual Clauses.
11. Changes to This Policy
This policy may be updated. The "last updated" date at the top will reflect changes. Continued use of the platform constitutes acceptance.