Legal · v1.0 · effective 2026-05-24

Privacy Policy

For machine-readable summary see /llms.txt. For security disclosure see /.well-known/security.txt.
5CIP ("we", "our", "us") operates the crypto forensic investigation platform at https://5cip.com. This Privacy Policy explains what information we collect, how we use it, and the rights you have under GDPR, CCPA, and APAC data-protection regimes.

1. Who we are

5CIP is operated by CipherJudge Forensic Engine, a private legal entity headquartered in the Asia-Pacific region. Engagements are delivered globally to law firms, recovery counsel, VASP compliance teams, and independent investigators.

2. What we collect

Account data: name, email, organization, role, password hash (Argon2id), MFA secrets, API keys, billing details handled exclusively by Stripe.
Investigation data: case identifiers, evidence addresses, transaction hashes, narrative descriptions, attached files, generated reports.
Service operational data: request logs, error traces (Sentry, scrubbed of PII), session cookies, API usage counters, audit-trail entries. We do NOT collect third-party cookies and do NOT operate an advertising network.

3. Why we collect (lawful basis)

Performance of contract (delivering the forensic service you purchased), legal obligation (anti-money-laundering record keeping where applicable), and our legitimate interest in detecting platform abuse and preventing fraud.

4. Retention

Evidence artifacts are stored in MinIO Object Lock with GOVERNANCE-mode 90-day retention to ensure chain-of-custody for court-admissible reports. Account data is retained for the life of the account plus 12 months after deletion (legal hold). Operational logs are retained 90 days. Email backups: 30 days.

5. Who we share with

We share data only with the following processors strictly to deliver the service:
  • Hetzner Online GmbH — hosting (Singapore, Frankfurt)
  • Cloudflare, Inc. — CDN, DDoS protection, DNS
  • Stripe Payments — payment processing
  • Sentry — error monitoring (PII scrubbed at the SDK)
  • Anthropic, OpenAI, Google (Gemini), Z.ai — LLM inference (only when the customer explicitly invokes AI analysis; payloads tokenized to remove personal identifiers where feasible)
  • MistTrack, Arkham Intelligence, Etherscan, Bitquery — on-chain intelligence (read-only, address-keyed lookups)
A full Subprocessors list lives at /subprocessors and is updated whenever we onboard a new processor.

6. Your rights

Under GDPR, CCPA, PIPL (China), PDPA (Singapore / Thailand), APPI (Japan), and PDPB (Malaysia), you may request access, correction, deletion, portability, or restriction of your personal data. Email [email protected]. Identity verification is required to fulfill requests. We respond within 30 days.

7. International transfers

Data may be processed in Singapore (primary), the European Economic Area (Hetzner Frankfurt), or the United States (Stripe, Cloudflare). Cross-border transfers rely on Standard Contractual Clauses (EU), and where applicable, Data Privacy Framework or equivalent adequacy mechanisms.

8. Security

We encrypt all data in transit (TLS 1.3) and at rest (AES-256 for object storage, Argon2id for credentials). Evidence reports are GPG-signed for integrity verification. Security disclosure contact: [email protected] — see /.well-known/security.txt.

9. Changes to this policy

Material changes are announced 30 days in advance via email to all active accounts. The version number and effective date at the top of this page always reflect the current version.

10. Contact

Data Protection inquiries: [email protected]
Security disclosure: [email protected]
Sales / commercial: [email protected]