Legality & data protection

How we work within the law

Argus gathers information only from open and legally accessible sources: state registries, court databases, sanctions lists, public data leaks, satellite imagery, web archives. We do not hack, do not run physical surveillance, do not impersonate officials.

We process data under GDPR and Ukrainian personal-data law: only what the case requires, with a limited retention period.

Important: Argus provides facts and analysis, not legal advice. The legal conclusion and decision are made by your lawyer. Admissibility of evidence in a specific case is determined by the court.

Legality of methods Data protection & GDPR Scope & limits Engagement & firewall Privacy policy

01 · Legality of methods

What we do and what we never do

Open sources hold enough material to give a lawyer the full picture. Shady methods offer a short edge and a long risk — the court rejects such evidence, the firm's reputation suffers, liability falls on the party that commissioned it.

We do

State registries. Corporate registry, real-estate registry, vehicle records, court registries, debtor lists, Prozorro.
Sanctions lists. OFAC, EU, UN, UK, Ukraine NSDC.
Public data leaks. Only those already publicly available and not obtained by Argus directly from an attack.
Satellite imagery and web archives. Commercial imagery providers, Wayback Machine, search-engine caches.
Open profiles and publications. Websites, social media without bypassing privacy settings, media, corporate disclosures.
Timestamped capture. Screenshots with date, URL and hash fixed — ready for the case file.

We never do

No hacking of accounts, mailboxes, databases, corporate systems. No buying access to any of those.
No physical surveillance. No tailing, no covert filming, no movement tracking, no wiretaps.
No impersonation of officials, bank staff, state bodies, state-media journalists, or the target's clients.
No payments for "lookups", access to closed registries, insider extracts from banks or telecom operators.
No support for harassment of journalists, activists, whistleblowers, witnesses, IDPs, and other protected groups.
No engagement with work whose goal is sanctions evasion, laundering, or any plainly bad-faith purpose.

02 · Data protection

GDPR and Ukrainian law — practice, not a declaration

Personal data taken from open sources is still personal data. So we operate the way the GDPR and Ukraine's Personal Data Protection Law require: defined legal basis, minimisation, clear retention period, respect for data-subject rights.

A · Legal basis

Client's legitimate interest — weighed in a balancing test

Article 6(1)(f) GDPR. Before we step into a case, we assess whether the purpose is lawful, whether the data scope matches the task, whether processing would override the subject's reasonable expectations. If the balance does not hold, we decline the engagement.

B · Minimisation

Only what the case requires

We don't build "profiles in reserve". If the request is about a counterparty's corporate links, we do not collect medical or family data. If the request is about assets, we do not pry into private life without a legal basis.

C · Retention

Working files — up to 90 days. The report stays with the client.

Draft data, search logs, interim artefacts are deleted within 90 days after delivery. The final report stays with the client; we keep a copy only if the contract calls for it.

D · Data-subject rights

Access, rectification, erasure, objection

If you are mentioned in an Argus report, you have the right to know that processing took place, get a copy, request correction of errors or erasure (subject to limits set by GDPR/local law). Contact [email protected].

03 · Scope & limits

Argus is not a private detective agency or a law firm

Open-source intelligence and licensed private detective work are different legal regimes in Ukraine. Argus operates as an analytical service. We do not hold a private detective licence and do not perform its functions — no surveillance, no missing-person search on private petition, no evidence gathered through private operative work.

What we are not

Not a private detective (no licence, no surveillance, no missing-person search).
Not a law firm (we do not file lawsuits, do not represent in court, do not draft procedural documents).
Not a bank/financial monitor (our report does not replace an institution's internal compliance decision).
Not a law-enforcement body (nothing in our material automatically becomes evidence in a criminal case — that is for the investigation and the court).

What we are

An analytical service that collects and structures information from open sources.
A supplier of a factual base for a decision the client or the client's lawyer will make.
An executor with a documented method (Intelligence Cycle, Argus Score, a fixed report format).

04 · Engagement letter, conflict check, firewall

At the start of a project we fix four things

01 · Engagement letter

Written agreement — subject, purpose, scope, deadline, confidentiality

No "on a phone call" starts. Before we begin — a letter of engagement covering the subject of the check, the client's purpose, scope of work, deadlines, report format, confidentiality, limitations.

02 · Client warranty

Client warranty on a lawful purpose

The client confirms in writing that the report's purpose is the protection of their own rights or interests (contracting, litigation, enforcement, compliance) — not harassment, blackmail, competitive harm, or any other unlawful action.

03 · Conflict check

Conflict-of-interest check — before we start

Before accepting a job, we cross-check the subject against current and former clients. If the subject is a current client or has been one recently, we decline. If there is an adjacent conflict, we disclose it before we begin.

04 · Firewall

Client DD data never flows into public investigations

Between B2B intelligence and the journalistic sub-brand there is a rule: client-job materials are not used in open cases. We do not publicly investigate anyone who is or has been our client. This is fixed in an internal protocol.

05 · Privacy Policy

How we handle personal data

Data controller

Argus Intel, contact person — Oleksandr Lukashevych, [email protected]. Use this address for any data-related requests.

What data we process

Data from the site's lead forms (email, Telegram, request text, subject of the check — provided by the client). Open-source data on the subject of the check, only as needed for the specific case. GA4 site metrics — for statistics without identifying individual visitors.

Lawful basis

Performance of the contract with the client (Art. 6(1)(b) GDPR), legitimate interest of the client and Argus in counterparty checks and protection of rights (Art. 6(1)(f) GDPR), consent — for analytics cookies.

Retention periods

Working drafts and case search logs — up to 90 days after report delivery.
Final report — held by the client; a copy at Argus only if the contract provides for it, never longer than 12 months without a separate basis.
Contracts and payment records — for the periods set by tax and accounting law.

Who we share data with

Only with parties the service cannot run without: payment processing (Stripe / Wise / Plata), email and messaging (Google Workspace, Telegram), site analytics (Google Analytics 4), cloud infrastructure (Cloudflare). We do not sell data and do not pass it to third parties for marketing.

Your rights

Right to know we process your data and to obtain a copy.
Right to correct inaccurate data.
Right to request erasure (subject to limits set by law and the need to keep legal and accounting records).
Right to object to processing based on legitimate interest.
Right to lodge a complaint with a supervisory authority (in Ukraine — the Verkhovna Rada Commissioner for Human Rights; in the EU — your national DPA).

How to contact us about data

Email: [email protected]. We reply within 30 days. Add "GDPR" or "Personal data" to the subject line for priority sorting.