Serus exists to help you take back control of your personal information — so it wouldn't make much sense if we didn't hold ourselves to the same standard. This policy breaks down what we collect, why we collect it, how we use it, and what choices you have.
No surprises, no fine print tricks.
Just straight talk about how we handle your data.
Privacy Policy
Last Update: April 13th, 2026
Introduction
We’re committed to protecting your privacy with care and transparency. This Privacy Policy explains how Serus collects, uses, shares, and safeguards information when you use our websites, applications, APIs, and related services (collectively, the “Services”).
This Privacy Policy is incorporated into our Terms of Service and should be read together with our Cookie Policy, Acceptable Use Policy, and (where applicable) our Data Processing Addendum (“DPA”).
1. Who We Are
The Services are operated by ANON AI Labs, Inc., a Delaware corporation (United States) (“Serus,” “we,” “us,” or “our”).
ANON AI Labs, Inc.
131 Continental Dr, Suite 305
Newark, DE 19713
United States
1.1 Representatives
We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the following regions:
•
European Union (EU)
•
United Kingdom (UK)
•
Switzerland
1.2 Contact
2. Scope: Who This Policy Applies To
This Privacy Policy applies to:
visitors to our websites (including
serus.aiand related domains we operate), andcustomers, users, and authorized representatives who access or use the Services (including via the platform, API, integrations, or white-label deployments).
If you use the Services through an organization (for example, an employer), your organization may control and administer your account as described in our Terms of Service.
3. Roles: Controller vs. Processor
Depending on how you use the Services, Serus may act as either:
•
a data controller (for example, when we process account information, billing, and website analytics for our own purposes), and/or
•
a data processor/service provider (for example, when a business customer submits personal data into the Services and instructs us to process it on their behalf).
Where we act as a processor for business customers, our processing is governed by our DPA and the customer’s instructions. If you submit third-party data (e.g., for monitoring or removal requests), you are responsible for ensuring you have a lawful basis to do so.
4. Information We Collect
We collect information in three main ways: (1) you provide it, (2) we collect it automatically when you use the Services, and (3) we receive it from third parties as part of the Services.
4.1 Information you provide
•
Account information: name, email, login credentials (or authentication tokens), organization name (if applicable).
•
Billing information: billing address, payment status, subscription details. (Payment card details are typically processed by our payment processor, not stored by us.)
•
Customer content / Customer Data: information you submit to the Services, such as:
search inputs and queries (e.g., names, emails, usernames),
monitoring targets you configure (e.g., emails, phone numbers),
removal request details you provide (e.g., URLs, identifiers, supporting data),
outputs you save/export (where the product supports saving).
•
Support and communications: messages to support, survey responses, feedback, or other communications.
4.2 Information collected automatically
•
Usage data: feature usage, timestamps, clickstream events, session logs, error logs, performance metrics, diagnostic data.
•
Device and connection data: IP address, browser type, operating system, device identifiers, language settings, approximate location derived from IP.
•
Cookies and similar technologies: described in our Cookie Policy (https://www.serus.ai/legal/cookies).
4.3 Information from third parties
•
Subprocessors and service providers: authentication providers, hosting providers, analytics providers, payment processors, customer support tools (see our Subprocessors list).
•
Third-party sources used for OSINT features: publicly available web sources and third-party datasets (including breach/dark web datasets) that we do not own or control. The Services may display results derived from these sources.
Important
We do not provide OSINT results from another customer’s private account data, and we do not disclose other customers’ queries or stored content to you.
5. Sensitive Information and Exposed Credentials
Certain features may allow you to view unredacted high-risk data (for example, exposed passwords, tokens, or similar information) (“Sensitive Information”).
•
Sensitive Information may be redacted by default and require an affirmative action (for example, a confirmation checkbox) before you can view unredacted content.
•
You may use Sensitive Information only for lawful, authorized security and privacy purposes (for example, securing accounts you own or are authorized to manage).
•
We may restrict, monitor, suspend, or terminate access to Sensitive Information where we reasonably believe use violates our Terms, AUP, or applicable law.
We do not guarantee the accuracy, completeness, or continued availability of any Sensitive Information or third-party sources.
6. How We Use Information
We use information for the following purposes:
6.1 To provide and operate the Services
•
create and manage accounts, authenticate users, and provide customer support
•
process searches, monitoring, alerts, and reports
•
process and transmit removal requests to third parties when you use removal features
•
administer subscriptions, billing, and plan entitlements
•
maintain audit logs for security and abuse prevention
•
We do not use Customer Data or content from AI-powered features to train, fine-tune, or improve machine learning models. Where AI features are provided (such as content analysis), your data is sent to third-party AI providers for inference only and is not retained by those providers for model training. See our Subprocessors list for details on which providers are used.
6.2 To secure, protect, and improve the Services
•
detect, prevent, and investigate fraud, abuse, and security incidents
•
enforce our Terms and Acceptable Use Policy
•
debug, test, and improve performance and reliability
•
develop new features and improve user experience
6.3 To communicate with you
•
send service-related communications (transactional emails, alerts, security notifications)
•
respond to inquiries and provide support
•
send updates about changes to the Services or policies
6.4 Marketing and advertising (where permitted)
When you create an account, you may receive marketing and promotional emails from us, such as product updates, tips, and offers. You can opt out of marketing emails at any time by clicking the "unsubscribe" link in any marketing email, or by updating your communication preferences in your account settings. Opting out of marketing emails will not affect transactional or service-related communications (such as security alerts, billing notifications, or account updates), which are necessary for the operation of the Services.
6.5 To comply with legal obligations
•
comply with applicable laws, regulations, and lawful requests
•
protect rights, safety, and property of Serus, our users, and others
6.6 Communications you initiate
When you contact us through a form, email, chat, or any other communication channel — including but not limited to support requests, sales inquiries, partnership inquiries, feedback, and business contact forms or similar — you consent to us processing the information you provide for the purpose of responding to and fulfilling your request. This may include contacting you back via email, phone, or other channels you have provided, for transactional, support, sales, or other purposes related to your inquiry. Where permitted by applicable law, we may also send you marketing or promotional communications relevant to your inquiry or interest in our Services. You can opt out of marketing communications at any time through the unsubscribe link in any marketing email or by contacting us at support@serus.ai. We may also use this information to follow up on your request, provide relevant information about our Services, and maintain records of our communications for quality assurance and legal compliance. If your inquiry leads to an ongoing business or customer relationship, your data will continue to be processed in accordance with this Privacy Policy and our Terms of Service.
7. Legal Bases for Processing (EEA/UK)
Where the GDPR/UK GDPR applies, we process personal data under one or more of these legal bases:
•
Contractual necessity (to provide the Services you request)
•
Legitimate interests (to secure and improve the Services, prevent abuse, and protect users), balanced against your rights
•
Consent (for non-essential cookies and certain optional features where required)
•
Legal obligation (to comply with laws and lawful requests)
Where we act as a processor for business customers, the customer determines the appropriate legal basis and provides instructions under the DPA.
8. How We Share Information
We do not sell your personal information in the traditional sense. We share information only as described here:
8.1 Subprocessors and service providers
We share information with vendors that help us operate the Services (hosting, analytics, payments, support tools, security). These vendors are bound by contractual obligations to protect data.
See: Subprocessors (https://www.serus.ai/legal/subprocessors)
8.2 Removal requests and third parties
If you use removal features, we may transmit information you provide (such as URLs and identifiers) to relevant third parties (e.g., website operators or platforms) on your behalf.
8.3 Legal and safety reasons
We may disclose information when we believe it is necessary to:
•
comply with law or legal process,
•
protect rights, safety, and security,
•
investigate abuse or enforce our agreements.
8.4 Business transfers
If we’re involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction, subject to appropriate safeguards.
8.5 Advertising and measurement partners
9. International Data Transfers
Because we operate globally, personal data may be processed in countries other than where you live, including the United States
Where required, we use appropriate safeguards for international transfers (such as Standard Contractual Clauses) and additional measures described in our DPA.
See: DPA (https://www.serus.ai/legal/dpa)
10. Data Retention
We retain personal data only as long as necessary for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law. Below are our general retention practices for key categories of data:
Account and profile data is retained for as long as your account is active and deleted upon account deletion (subject to any legal retention obligations).
Customer content — including chat messages, AI-generated results, breach and paste data, and saved items — is retained for as long as your account is active or until you delete it, whichever comes first. You can delete individual items or conversations through the Services at any time.
Exposure activity metadata is retained for 60 days and automatically deleted thereafter.
Billing and transaction records are retained for as long as required by applicable tax and accounting laws (typically up to 7 years depending on jurisdiction).
Security and operational logs (such as application logs, error logs, and infrastructure logs) are retained for a limited period appropriate to their purpose (typically up to 90 days, unless a longer period is required for an active investigation or legal obligation).
When you delete your account, we will delete or anonymize your personal data in accordance with the above, except where retention is required by law or for legitimate security, fraud prevention, or dispute resolution purposes. Certain data may persist in encrypted backups for a limited period consistent with our backup and recovery practices.
Data previously transmitted to third-party service providers (for example, for breach lookups, analytics, or advertising measurement) in the course of providing the Services may be retained by those providers in accordance with their own privacy policies and retention practices. We cannot delete data from third-party systems after transmission.
Removal request records (including request details, target URLs, submission status, and related correspondence) are retained for as long as your account is active and for up to 12 months after account deletion or request completion, whichever is later, to maintain audit trails, support dispute resolution, and comply with legal obligations. After this period, removal request records are deleted or anonymized.
11. Security
We maintain reasonable administrative, technical, and organizational measures designed to protect personal data. No system is 100% secure, and you are responsible for maintaining the confidentiality of your credentials and securing your devices.
In the event of a security incident that involves unauthorized access to, or disclosure of, your personal data and that is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay (and in any event within the timeframes required by applicable law). We will also notify relevant supervisory authorities as required by applicable law. Notifications will be provided via the email address associated with your account or through the Services.
12. Your Privacy Rights
Depending on your location, you may have rights such as:
access, correction, deletion
restriction and objection
data portability
withdrawing consent (where processing is based on consent)
12.1 EEA/UK
You may also have the right to lodge a complaint with your local data protection authority.
12.2 California (CCPA/CPRA)
California residents may have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), including the right to:
• know what personal information we collect, use, and disclose;
• request deletion of personal information;
• correct inaccurate personal information;
• opt out of the “sale” or “sharing” of personal information (as those terms are defined under the CCPA); and
• not be discriminated against for exercising these rights.
We do not sell personal information.
We do not exchange personal information for monetary consideration.
Sharing for advertising.
We may “share” personal information (as defined under CCPA) with advertising platforms for cross-context behavioral advertising, but only where you have affirmatively consented to non-essential (marketing) cookies through our cookie consent mechanism. If you have declined or not consented to marketing cookies, no personal information is shared with advertising platforms. You may withdraw your consent at any time through our cookie preferences widget, and we will cease sharing upon withdrawal.
Opt-out.
You may opt out of any sharing for cross-context behavioral advertising at any time by: (a) adjusting your cookie preferences through the cookie widget available on our website; (b) enabling a recognized opt-out preference signal (such as Global Privacy Control) in your browser. We honor recognized opt-out preference signals as valid opt-out requests.
Account deletion.
You may delete your account and request deletion of all personal data associated with your account at any time through your account settings or by contacting support@serus.ai. Upon account deletion, we will delete or anonymize your personal information in accordance with our retention practices described in Section 10, and cease all sharing of your data with third parties.
If the CCPA does not apply to you or to Serus based on the statutory thresholds, the above rights are provided voluntarily as a matter of good practice and may be modified or discontinued at our discretion.
13. How to Exercise Your Rights
14. Cookies and Tracking
We use cookies and similar technologies for essential functionality, analytics, and advertising (where permitted). You can manage your preferences through our cookie banner, the cookie preferences widget, and your browser settings.
When you create an account, we set strictly necessary cookies for authentication and session management. These are required for the Services to function and are set under contractual necessity and/or legitimate interests.
During registration, you are asked to consent to the use of cookies for analytics and advertising purposes as part of the account creation process. If you have previously declined non-essential cookies through our cookie banner, those preferences will be honored and non-essential cookies will not be activated upon registration.
You may withdraw your consent for non-essential cookies at any time through our cookie preferences widget, your account settings (where available), or your browser settings. Withdrawing consent will not affect your ability to use the Services.
We recognize and honor Global Privacy Control (GPC) opt-out preference signals. If your browser or device transmits a GPC signal, we treat it as a valid request to opt out of any “sharing” of personal information for cross-context behavioral advertising (as defined under the CCPA) and as a withdrawal of consent for non-essential cookies where applicable. When we detect a GPC signal, we will not load or activate marketing or advertising cookies or tracking technologies, and we will not share personal information with advertising platforms for that session. This applies regardless of whether you have separately interacted with our cookie banner. For more information about GPC, visit https://globalprivacycontrol.org.
See: Cookie Policy (https://www.serus.ai/legal/cookies)
15. Children’s Privacy
The Services are not intended for children under 18, and we do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will take appropriate steps.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will post the updated policy on our website or within the Services and update the effective date. If changes are material, we will provide additional notice where required by law.
17. Contact
For questions about this Privacy Policy or our data practices:
Support: support@serus.ai
Privacy/DPO: dpo@serus.ai
Support portal: https://www.serus.ai/contact/support
EU/UK/Swiss Representative: iuro Rechtsanwälte GmbH t/a Prighter Schellinggasse 3, 1010 Vienna, Austria support@prighter.com Trust Center: https://app.prighter.com/portal/serus-privacy