Privacy Policy
Effective: March 2026
Chainbrium AS operates a professional blockchain forensics and intelligence platform designed to support law enforcement agencies, financial institutions, compliance teams, and legal professionals in investigating cryptocurrency transactions and tracing on-chain activity.
This Privacy Policy explains how we collect, use, store, and protect personal data when you access or use the Chainbrium platform, website, and related services. It also describes the rights you hold under applicable data protection law, including the General Data Protection Regulation (GDPR) as implemented in Norway through the Personal Data Act (personopplysningsloven).
By creating an account or using Chainbrium, you acknowledge that you have read and understood this policy. If you do not agree with how we handle personal data, please do not use our services.
The data controller responsible for your personal data is:
If you have questions about this policy or wish to exercise your rights, please contact us at the details above.
We collect only the personal data necessary to provide our services. This includes:
Account Information
- Full name and email address provided at registration
- Password (stored as a cryptographic hash — we never store plaintext passwords)
- Organisation name and role, if provided
- Billing and subscription details where applicable
Usage Data
- Log data including IP address, browser type, operating system, and access timestamps
- Pages visited, features used, and session duration within the platform
- Error logs and diagnostic information
Investigation Data
- Blockchain addresses, transaction hashes, and related identifiers submitted for analysis
- Note: blockchain addresses are pseudonymous public data recorded on distributed ledgers. We process these as part of the investigative service but do not treat them as personal data unless they can reasonably be linked to an identified individual in context.
- Case notes, labels, and annotations you add within the platform
Cookies and Similar Technologies
We use cookies and similar browser-based storage to maintain your session and support platform functionality. See Section 6 for a full breakdown.
We process personal data only where we have a valid legal basis under GDPR Article 6. The bases we rely on are:
- Contractual necessity (Art. 6(1)(b)): Processing required to provide the service you have signed up for — including account management, authentication, and delivery of investigation results.
- Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, including platform security, fraud prevention, service improvement, and internal analytics — provided these interests are not overridden by your rights and freedoms.
- Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable Norwegian and EU law, including anti-money laundering regulations and law enforcement cooperation obligations.
- Consent (Art. 6(1)(a)): For optional analytics cookies and non-essential communications. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
We use the data we collect for the following purposes:
- Providing the platform: Account creation, authentication, case management, trace analysis, and report generation.
- Platform improvement: Analysing usage patterns (in aggregate and, where necessary, individually) to improve features, fix bugs, and enhance performance.
- Security and integrity: Detecting and preventing unauthorised access, abuse, fraud, and other harmful activity.
- Communications: Sending service-related notifications such as password resets, account alerts, and policy updates. We do not send unsolicited marketing without your explicit opt-in.
- Legal compliance: Meeting our obligations under Norwegian law, EU law, and applicable financial crime regulations, including potential cooperation with competent authorities.
- Billing: Processing subscription payments and maintaining financial records as required by law.
We use the following categories of cookies:
Essential Cookies
Required for the platform to function. These include your authentication session token (cb_token), which keeps you logged in securely. These cookies cannot be disabled without breaking core functionality.
Analytics Cookies
Optional cookies used to understand how users interact with the platform, such as which features are used most often and where errors occur. These are only set with your consent and can be declined or withdrawn at any time via your account settings.
Preference Cookies
Cookies that remember your settings, such as selected theme (dark, semi-dark, or light) and display preferences. These improve your experience but are not strictly necessary.
You can manage cookie preferences through your browser settings or within the Chainbrium platform settings page. Blocking essential cookies will prevent you from signing in.
We do not sell, rent, or trade your personal data to third parties. We do not use your data for advertising purposes.
We may share data in the following limited circumstances:
- Service providers: Trusted technical partners who process data on our behalf (such as cloud hosting and infrastructure providers) under binding data processing agreements that require them to maintain the same level of protection as we do.
- Legal obligations: Where required by Norwegian or EU law, court order, or a request from a competent public authority (such as Kripos or Finanstilsynet), we may disclose data. We will notify affected users where legally permitted to do so.
- Corporate transactions: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to a successor entity, subject to the same privacy protections described in this policy.
Any third-party recipient of personal data is required to process it only for the purposes for which it was shared, in accordance with applicable law.
We retain personal data for only as long as necessary to fulfil the purposes for which it was collected, or as required by law.
- Account data: Retained for the duration of your active account, plus 30 days following account closure (to allow for reactivation requests). After this period, account data is permanently deleted or anonymised.
- Investigation and case data: Retained in accordance with the case retention policy agreed at the time of access provisioning. Enterprise clients may specify custom retention schedules. Default retention is 12 months from case creation unless extended.
- Usage and log data: Retained for a maximum of 90 days for security and debugging purposes, then automatically purged.
- Financial records: Retained for 5 years in accordance with Norwegian accounting law (bokføringsloven).
You may request deletion of your data at any time. See Section 9 for how to exercise this right.
As a data subject under GDPR, you have the following rights with respect to your personal data:
- Right of access (Art. 15): You may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): You may request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent.
- Right to data portability (Art. 20): You may request that we provide your data in a structured, machine-readable format for transfer to another controller.
- Right to restriction of processing (Art. 18): You may request that we restrict processing of your data in certain circumstances, such as while a dispute about accuracy is resolved.
- Right to object (Art. 21): You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at hq@chainbrium.com. We will respond within 30 days. In complex cases, we may extend this by up to two additional months and will notify you accordingly.
If you believe we have processed your data unlawfully or failed to respond adequately to a rights request, you have the right to lodge a complaint with Datatilsynet, the Norwegian Data Protection Authority, at datatilsynet.no.
We take the security of your data seriously and apply industry-standard technical and organisational measures to protect it against unauthorised access, disclosure, alteration, and destruction. These include:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of sensitive data at rest using AES-256
- Role-based access controls ensuring staff access only the data necessary for their function
- Secure password storage using bcrypt hashing
- Regular security reviews and penetration testing
- Audit logging of administrative and sensitive operations
No method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Articles 33 and 34.
Chainbrium primarily stores and processes data on infrastructure located within the European Economic Area (EEA), in compliance with GDPR requirements.
In limited circumstances, technical service providers may process data outside the EEA. Where this occurs, we ensure appropriate safeguards are in place, including:
- Use of the European Commission's Standard Contractual Clauses (SCCs) as the legal transfer mechanism
- Verification that recipient countries or organisations provide an adequate level of data protection
- Supplementary technical measures where necessary to ensure equivalent protection
You may request details of any specific third-country transfers and the safeguards applied by contacting us at hq@chainbrium.com.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The date at the top of this page indicates when the policy was last updated.
For material changes that significantly affect your rights or how we process your data, we will notify registered users by email and/or by displaying a prominent notice within the platform at least 14 days before the changes take effect.
We encourage you to review this policy periodically. Continued use of Chainbrium after changes take effect constitutes acceptance of the updated policy.
For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:
We aim to respond to all privacy-related inquiries within 5 business days. For formal GDPR rights requests, the statutory response window is 30 days.