TSA staging

Privacy Notice

Phase-0 staging — last updated 2026-04-28

TSA (Tactical and Situational Awareness) is a counter-surveillance service operated by Strategic Advice Group SRL (Romania, EU). This notice summarises what we collect, why, and how we protect it. The canonical version of this notice and the underlying DPIA / LIA are available on request.

1. Controller

Strategic Advice Group SRL, Bucharest, Romania. Data Protection contact: dpo@strategicadvicegroup.ro.

2. What we collect from your devices

  • Direct observations — radio identifiers visible to your registered TSA agent (e.g. Bluetooth / Wi-Fi MAC addresses, received signal strength). These are pseudonymised at the source using a rotating salt; the raw MAC never leaves the device.
  • Sighting metadata — coarse location (≥ 100 m bins by default), timestamp truncated to the minute, ambient features (channel, transmit interval).
  • Account data — handle, salted-HMAC of optional recovery email, WebAuthn public-key credentials, refresh-token IDs bound to sessions you can revoke at any time.

We do not collect: contents of network traffic, audio/video, contact lists, browsing history, or precise GPS unless you explicitly enable a "high-precision" profile.

3. Why we process this data

Lawful basis: legitimate interest (Art. 6(1)(f) GDPR), grounded in your interest in detecting surveillance directed at you. The full Legitimate Interest Assessment (LIA) is documented and re-evaluated each release.

Specifically we process the data to:

  • Correlate observations across your registered devices;
  • Detect anomalous co-presence patterns (the "threats" view);
  • Operate the service (anti-abuse, rate limits, audit log).

4. Retention

Sightings expire 5 days after observation. Salt epochs rotate every 30 days (with a short shoulder window for cross-epoch correlation). Audit log entries — which contain only pseudonymised identifiers — are kept for 180 days. Account records persist while your account is active and are deleted on request within 30 days.

5. Where the data lives

Primary storage is in the European Union (Cloudflare EU region pinning + EU-located D1 / R2 buckets). A cold copy is replicated to an EU AWS region for archival. No data is processed outside the EU.

6. Your rights

Under GDPR you can: access the data we hold on you, request its rectification or erasure, object to processing, request portability, and lodge a complaint with the Romanian DPA (ANSPDCP).

To exercise any of these rights: dpo@strategicadvicegroup.ro. We respond within 30 days.

7. Changes

Material changes are versioned in our DECISIONS log and announced in-app. The version of this notice corresponds to the release tag of the platform you are using.

Phase-0 disclosure: this product is in private staging. The geographical allowlist is currently set to RO; access from other countries is refused at the edge.