Frequently asked questions
Answers to common questions about how BLACKEYES works, what data sources we use, GDPR compliance, accuracy, and account management.
Reports are tools, not conclusive judgements
Every finding is drawn from public sources, historical data breaches, and third-party APIs including Companies House. Those sources can be incomplete, outdated, or — in the case of breach data — associated with the wrong person. BLACKEYES is not responsible for third-party data accuracy.
The platform combines traditional API lookups with AI-driven analysis. We apply multi-stage verification, entity gating, and Skeptic review before a finding reaches the report — but AI systems can still misattribute or misinterpret. You should independently verify every finding before making employment, tenancy, legal, financial, or investigative decisions.
BLACKEYES is not liable for how reports are used or for decisions taken based on report content. You remain responsible for the lawful basis of your processing and for the consequences of relying on the findings.
Legal & Compliance
Is the underlying data lawful to access?
BLACKEYES only aggregates information from publicly available sources, historical data breaches already in public circulation, and third-party APIs such as Companies House. The sources themselves are lawful to access. How you use the resulting report is your responsibility — your organisation determines the lawful basis for processing under UK GDPR and is responsible for that decision.
Is candidate or subject consent required?
This depends on your use case and is a decision for you as Data Controller. In employment or tenancy contexts, firms typically rely on legitimate interest and disclose the check in their privacy notice. For investigative and due-diligence use, consent is often impractical and other lawful bases apply. BLACKEYES does not advise on your specific lawful basis — that is for your firm's Data Protection or legal function to determine and document.
Is BLACKEYES GDPR compliant for my use case?
BLACKEYES secures, encrypts, and minimises data on our side. We act as Data Processor on your instruction. The lawfulness of YOUR use is a separate question — it depends on your lawful basis, purpose, and safeguards, which only you can determine. We don't certify third-party use cases as compliant. If you need assurance that a specific workflow meets your regulatory requirements, consult your DPO or legal counsel.
Can I use BLACKEYES reports in employment decisions?
Yes, but the report is one input — never a sole determinant. Verify material findings independently, apply screening consistently, disclose the check in your candidate privacy notice, and don't rely on AI-generated findings without human review. The employer remains responsible for the employment decision and its GDPR lawfulness.
Can reports be used in legal proceedings?
Reports are source-cited with references to underlying public sources. They've been used to support litigation. Admissibility and evidential weight depend on the tribunal, the matter, and whether the specific findings have been independently verified. For contentious litigation, consult counsel on chain-of-custody and expert-witness framing. BLACKEYES is not liable for how reports are used in proceedings.
Who is liable if a finding is incorrect?
Findings can be incorrect — third-party API data can be out of date, breach data can be misattributed, and AI analysis can misinterpret public signals despite our multi-stage verification. BLACKEYES is not liable for third-party data accuracy or for decisions made on the basis of report contents. You should independently verify material findings before making consequential decisions.
Are we a Data Controller or Processor?
BLACKEYES acts as Data Processor for investigations you run — we process personal data on your instructions. You or your organisation act as Data Controller and determine the purpose, means, and lawful basis of the processing. Our Data Processing Agreement forms part of the Terms of Service.
Accuracy & Methodology
How accurate are the reports?
Every finding is source-cited so you can see where it came from. The pipeline combines traditional API lookups (breach databases, Companies House, phone intelligence) with AI analysis across social and digital-footprint signals. We apply multi-stage verification including entity gating and a Skeptic agent that challenges weak attribution. Despite this, AI systems can misinterpret ambiguous signals, third-party data can be out of date, and breach records can be misattributed. Treat the report as a strong starting position — not a final verdict. Verify consequential findings independently before acting on them.
What happens if the system identifies the wrong person?
Wrong-person attribution is the most significant risk in automated OSINT. The pipeline includes an entity-gating verification system designed to catch it before publication. The report distinguishes between verified findings (high-confidence cross-references), potential matches (worth investigating further), and excluded sources (actively ruled out) — each categorised in an appendix with reasoning. If a finding looks wrong, flag it through the feedback system and we'll re-examine the investigation. And always independently verify before acting on material findings.
Do you verify findings independently?
Within the pipeline, yes — findings surfaced by one agent are cross-referenced by others, and the Skeptic and Two-Key verification stages filter weak claims before the report is assembled. But internal verification is not external verification. You should still independently verify any finding that will drive a significant decision. The report's source citations make that independent verification practical.
What if no results are found?
If the pipeline finds no breach data, no social presence, and no corroborating public records, a "clean check" credit is used instead of a full investigation credit. Every paid credit pack includes an equal number of clean-check credits at no extra cost. You only pay for full investigations that return findings.
Data Sources
Where does the data come from?
The pipeline pulls from five main source categories: historical data breach databases (3.8B+ records spanning 2008 to present), public social media profiles across major platforms, corporate registries such as Companies House and international equivalents, public records and open web sources, and inferred digital footprint signals. Every finding cites the source it originated from.
Do you access the dark web?
BLACKEYES uses breach data aggregated from dark-web leak disclosures — data that has already been exposed publicly. We do not operate active dark-web crawlers, do not purchase data from illicit marketplaces, and do not access any source that requires authentication into dark-web services. The data we work with is historical and already in public circulation.
Do you hack accounts or scrape private data?
No. BLACKEYES never attempts unauthorised access to any account, system, or private source. We do not scrape data that requires authentication. All data is drawn from publicly available sources, historical data breaches already in public circulation, and legitimate APIs of public-records services.
Are you a DBS provider?
No. BLACKEYES is not a Disclosure and Barring Service provider and does not issue statutory DBS, Enhanced DBS, or Standard DBS checks. Those must be obtained through DBS-registered umbrella bodies. BLACKEYES provides a digital OSINT layer that complements statutory checks — not a replacement.
Account & Pricing
What does one credit cover?
One credit runs one full investigation from an email address and returns a complete 4,000-6,000 word report across 11 sections. Every credit pack also includes an equal number of free clean-check credits, used automatically when no breach data is found.
Do credits expire?
Credits from one-time packs do not expire. Monthly subscription credits reset at the end of each billing cycle and do not roll over.
How do clean check credits work?
Every purchase includes a matching number of clean-check credits at no extra cost. When an investigation returns no breach data, a clean-check credit is used instead of a paid credit — so you only pay when a full investigation delivers findings.
Can I cancel my subscription?
Yes. Cancel from the customer portal at any time. You keep access to your plan features until the end of the current billing period. No cancellation fees.
Do you offer refunds?
If a technical failure prevents a report from being generated, the credit is automatically refunded. For subscription cancellations, the current billing period is not refunded but no further charges are taken. For specific refund queries, contact support.
Security & Privacy
Who can see my investigations?
Only you. Investigations are stored against your authenticated account and are never visible to other customers. BLACKEYES staff do not read customer report contents except where strictly required for support, with your explicit request.
How long do you store report data?
Reports are retained in your account indefinitely while your account is active, so you can reference past investigations. You can delete individual reports at any time. Full account deletion removes all associated reports and personal data subject to any statutory retention requirements.
Is data encrypted?
Yes. Data is encrypted both in transit and at rest, using modern transport-layer encryption between your browser and our infrastructure. Regular encrypted backups are in place. Enterprise customers can request infrastructure detail under NDA for procurement or risk-review purposes.
Are targets notified when investigated?
No. BLACKEYES operates purely passively. The subject of an investigation is never contacted, notified, or made aware that a report has been generated. All data is gathered from public sources and historical breaches — the subject's accounts are never touched.
Platform & Integrations
How long does a report take?
Typically around 15 minutes from email submission to completed report. The pipeline runs parallel agents across multiple sources, so complex cases occasionally take up to 30 minutes. You can submit multiple investigations in parallel from one account — up to five queued at a time.
How many investigations can I run in parallel?
Up to five concurrent investigations per account, with additional reports queued automatically. High-volume customers on the Agency or Business subscriptions can request higher concurrency — contact support.
Do you have an API?
A REST API is on the roadmap. Contact sales for early access, integration requirements, or Enterprise volume pricing.
What formats can I export reports in?
Reports are exportable as PDF from any completed investigation. Text-based export formats are on the roadmap. Reports are retained in your dashboard indefinitely for later reference.
Didn't find your answer?
Get in touch for pricing questions, enterprise requirements, API access, or anything else.