DFIRLab

Security research, threat intelligence, and free DFIR tools.
© 2026 DFIR Lab. All rights reserved.


Privacy Policy

GDPR Compliant

Last updated: March 17, 2026

DFIR Lab is a cybersecurity research blog operated by Giuseppe Paternicola. We believe in transparency and respect your privacy. This policy explains what data we collect, how we use it, and the rights you have over it.

On this page
  • Data Controller
  • Information We Collect
  • How We Use Your Information
  • Cookies & Analytics
  • Newsletter & Communications
  • Security Research Data
  • Sandbox API Playground & Fraud Prevention
  • Third-Party Services
  • Data Sharing
  • International Data Transfers
  • Data Retention
  • Your Rights
  • Security
  • Children's Privacy
  • Changes to This Policy
  • Contact Us
Section 01

Data Controller

The data controller for this website is:

Giuseppe Paternicola

DFIR Lab

privacy@dfir-lab.ch

We act as the data controller for personal data collected through this website. This means we determine the purposes and means of processing your personal data and are responsible for its protection.

Section 02

Information We Collect

We collect minimal personal data, limited to what is necessary for operating this cybersecurity research blog. We do not collect data for advertising purposes.

Information you provide

  • Newsletter subscription: Your email address when you subscribe to our threat intelligence briefings.
  • Contact communications: Any information you provide when contacting us via email or social media.

Information collected automatically

  • Analytics data (Plausible): Aggregate page views, referral sources, country-level location, device type, and browser. Plausible is privacy-focused and does not use cookies, does not collect personal data, and does not track individuals across sites.
  • Analytics data (Google Analytics): With your consent, we collect page views, session duration, traffic sources, and general demographic data. Google Analytics uses cookies and may process data in the United States. This data is only collected if you accept analytics cookies via the consent banner.
  • Server logs: Standard web server logs maintained by our hosting provider (Vercel), which may include IP addresses, request timestamps, and user agent strings. These are retained for operational and security purposes.

Information we do not collect

  • We do not require account registration to read blog content.
  • We do not collect payment information, government IDs, or sensitive personal data from website visitors.
  • We do not use advertising trackers, retargeting pixels, or social media tracking widgets.

Section 03

How We Use Your Information

We process your personal data for the following purposes:

  • Delivering content: Serving blog posts, research articles, and threat intelligence briefings.
  • Newsletter delivery: Sending you cybersecurity briefings, CVE alerts, and research updates that you have subscribed to.
  • Analytics and improvement: Understanding how visitors use the site to improve content and user experience.
  • Security and integrity: Protecting the site against abuse, unauthorized access, and security threats.
  • Legal compliance: Meeting our obligations under applicable data protection laws.

Legal basis for processing (GDPR Art. 6)

  • Consent: For newsletter subscriptions and Google Analytics cookies. You can withdraw consent at any time.
  • Legitimate interests: For privacy-focused analytics (Plausible), security monitoring, and site operation. Our legitimate interest is to understand site usage and protect against threats.
  • Legal obligation: Where required by applicable law.

Section 04

Cookies & Analytics

We take a minimal approach to cookies and tracking. Here is exactly what we use:

Plausible Analytics (no consent required)

Our primary analytics tool is Plausible Analytics, a privacy-focused, open-source analytics platform. Plausible:

  • Does not use cookies
  • Does not collect or store personal data
  • Does not track individuals across sites or devices
  • Processes data in the EU and is fully GDPR, CCPA, and PECR compliant without requiring consent
  • Collects only aggregate metrics: page views, referral sources, country, device type, and browser

Google Analytics (consent required)

We use Google Analytics to gain additional insights into site traffic and audience. Google Analytics uses cookies and may transfer data to the United States. This tracking is only activated if you accept cookies via the consent banner displayed on your first visit. If you reject cookies, Google Analytics is never loaded and no data is sent to Google.

You can opt out of Google Analytics at any time by clearing your cookies or using the Google Analytics Opt-out Browser Add-on.

Essential cookies

Our authentication provider (Clerk) may set strictly necessary cookies for admin users who sign in to the dashboard. These cookies are required for the site to function and do not track public visitors.

We do not use

  • Advertising or retargeting cookies
  • Social media tracking pixels
  • Third-party marketing trackers
  • Fingerprinting or cross-site tracking technologies

Section 05

Newsletter & Communications

When you subscribe to our threat intelligence briefings, we collect your email address only. Emails are delivered through Resend, our email service provider.

  • Subscription is opt-in only. We will never add you to our mailing list without your explicit consent.
  • Every email includes an unsubscribe link. You can unsubscribe at any time with one click.
  • Your email address is not sold, rented, or shared with any third party for marketing purposes.
  • Upon unsubscribing, your email address is deleted from our subscriber list.

Section 06

Sandbox API Playground & Fraud Prevention

We operate an anonymous interactive API playground at platform.dfir-lab.ch/docs/playground that allows visitors to try the DFIR Platform API without signing up. To prevent abuse of this free resource and to maintain fair availability for all users, we collect limited technical data when anonymous requests are made through the playground.

What we collect

  • Hashed IP address: Your public IP address is hashed using SHA-256 combined with a server-side secret (“pepper”) and stored for up to 60 days. The hashed value cannot be reversed to recover the original IP without access to the pepper.
  • Raw IP address: Your public IP address is stored in raw form for up to 30 days for fraud investigation and abuse mitigation. After 30 days it is automatically deleted; only the hashed form is retained.
  • Browser fingerprint hash: A hashed browser fingerprint computed client-side via FingerprintJS (open-source) is sent with each sandbox request. It is used solely to detect VPN-rotation patterns and coordinated abuse.
  • Cloudflare Turnstile cookie: On your first sandbox call per browser session, Cloudflare Turnstile may set a short-lived cookie to validate that you are not a headless bot. This cookie is managed by Cloudflare under its own privacy policy.

Lawful basis

We process this data under the lawful basis of legitimate interest (GDPR Art. 6(1)(f)) — specifically, our legitimate interest in preventing fraud, abuse, and denial-of-service against a free public resource. We have assessed that this processing is necessary, minimal in scope, and does not override the fundamental rights of visitors since no directly identifying data (name, email, account) is linked to sandbox activity.

Sharing and disclosure

No raw IP addresses collected through the sandbox playground are shared with third parties for marketing purposes. We do not sell, rent, or use this data for advertising. Data may be shared only with the sub-processors that operate the storage layer (e.g., Upstash Redis) strictly for the purpose of enforcing per-IP weekly quotas.

Deletion requests

Because sandbox data is anonymous (no account, email, or name is collected), identifying a specific record for deletion requires you to provide the approximate timestamp and IP address used. You can request deletion by emailing privacy@dfir-lab.ch. This is a manual process and we will respond within 30 days.
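The following is an added illustration, not code from DFIR Lab, of the data-handling scheme this section describes: a peppered SHA-256 pseudonym of the client IP, a raw IP that is dropped after 30 days while the hash is kept for 60, and a per-IP weekly quota computed over the pseudonym. The HMAC construction, the in-memory list standing in for the Redis store, the field names, and all IP addresses and timestamps are assumptions and constructed test values. The last function shows why the pepper matters: a bare SHA-256 of an IP can be matched by hashing every candidate address in a range, whereas the peppered form cannot be matched without the pepper.

```python
import hashlib
import hmac
import ipaddress

DAY = 86400
RAW_IP_RETENTION = 30 * DAY     # raw IP is deleted after 30 days (policy)
HASHED_IP_RETENTION = 60 * DAY  # peppered hash is deleted after 60 days (policy)
WEEK = 7 * DAY                  # quota window (policy says "weekly")


def pseudonymise_ip(ip: str, pepper: bytes) -> str:
    """SHA-256 of the IP combined with a server-side pepper.

    HMAC-SHA256 keyed with the pepper is one way to "combine" them; the
    exact construction used by the site is not stated, so this is an assumption.
    """
    return hmac.new(pepper, ip.encode("ascii"), hashlib.sha256).hexdigest()


def record_request(store: list, ip: str, pepper: bytes, now: int) -> dict:
    """Append one sandbox request record (timestamp in epoch seconds)."""
    rec = {"ts": now, "ip_hash": pseudonymise_ip(ip, pepper), "raw_ip": ip}
    store.append(rec)
    return rec


def apply_retention(store: list, now: int) -> int:
    """Enforce the two retention windows in place; returns records remaining.

    Raw IPs older than 30 days are blanked, whole records older than 60 days
    are dropped, so after day 30 only the pseudonym survives.
    """
    kept = []
    for rec in store:
        age = now - rec["ts"]
        if age > HASHED_IP_RETENTION:
            continue
        if age > RAW_IP_RETENTION:
            rec["raw_ip"] = None
        kept.append(rec)
    store[:] = kept
    return len(kept)


def weekly_request_count(store: list, ip_hash: str, now: int) -> int:
    """Requests seen for this pseudonym in the trailing 7 days (quota input).

    The quota is keyed on the hash, so enforcement never needs the raw IP.
    """
    return sum(1 for r in store if r["ip_hash"] == ip_hash and now - r["ts"] < WEEK)


def unpeppered_hash_is_guessable(ip: str, candidate_network: str) -> bool:
    """Check whether a plain SHA-256(ip) can be matched by hashing every host
    in a candidate range (here a single constructed /24).

    This is the reason a pepper is used: without it, the small IPv4 address
    space makes the "hash" a thin disguise; with the pepper, an outsider has
    nothing to enumerate against.
    """
    target = hashlib.sha256(ip.encode("ascii")).hexdigest()
    for cand in ipaddress.ip_network(candidate_network).hosts():
        if hashlib.sha256(str(cand).encode("ascii")).hexdigest() == target:
            return True
    return False


if __name__ == "__main__":
    # Constructed walk-through: one client, two requests, then the 30/60-day sweeps.
    pepper = b"constructed-demo-pepper-keep-out-of-the-database"
    store = []
    t0 = 1_700_000_000
    record_request(store, "203.0.113.7", pepper, t0)
    record_request(store, "203.0.113.7", pepper, t0 + 2 * DAY)
    h = pseudonymise_ip("203.0.113.7", pepper)
    print("weekly count:", weekly_request_count(store, h, t0 + 3 * DAY))
    apply_retention(store, t0 + 31 * DAY)
    print("after 31 days:", store)
    apply_retention(store, t0 + 61 * DAY)
    print("after 61 days:", store)
    print("bare hash guessable:", unpeppered_hash_is_guessable("203.0.113.7", "203.0.113.0/24"))
```

Two design points follow from the policy text. The pepper must live outside the datastore that holds the hashes (environment or secret manager), otherwise a database leak defeats the pseudonymisation; and the deletion request the policy describes works naturally with this layout, because the timestamp plus IP a requester supplies can be re-hashed with the pepper and matched against stored records.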

Section 07

Third-Party Services

We use the following third-party services to operate this website. Each has been selected for its reliability and privacy posture.

Service             | Purpose                                                       | Location
--------------------|---------------------------------------------------------------|---------------
Vercel              | Website hosting and edge delivery                             | United States
Convex              | Database and real-time backend                                | United States
Clerk               | Authentication (admin only)                                   | United States
Plausible Analytics | Privacy-focused website analytics                             | European Union
Google Analytics    | Website analytics (with consent)                              | United States
Resend              | Newsletter email delivery                                     | United States
Anthropic           | AI-assisted features (admin tools only)                       | United States
Hetzner Cloud       | VPS infrastructure (malware analysis lab and security tools)  | Germany

All third-party service providers are bound by their own privacy policies and, where applicable, data processing agreements. We do not share your personal data with these services beyond what is necessary for their stated purpose.

Section 08

Data Sharing

We do not sell your personal data. We do not share your personal data with third parties for marketing or advertising purposes.

We may disclose personal data only in these circumstances:

  • Service providers: With the sub-processors listed above, solely to operate this website and deliver our services.
  • Legal obligations: When required by law, court order, or governmental regulation.
  • Safety and security: To protect against fraud, abuse, or security threats to the site or its users.

Section 09

International Data Transfers

Our VPS infrastructure is hosted by Hetzner Cloud in Nuremberg, Germany, within the European Economic Area.

Some of our service providers (Vercel, Convex, Clerk, Resend, Google) are based in the United States. Where personal data is transferred outside the EEA, we rely on:

  • EU-U.S. Data Privacy Framework (DPF) for providers that are certified under this framework.
  • Standard Contractual Clauses (SCCs) approved by the European Commission where the DPF does not apply.

Section 10

Data Retention

We retain personal data only as long as necessary for the purposes described in this policy:

  • Newsletter subscribers: Email addresses are retained until you unsubscribe. Upon unsubscription, your email is deleted promptly.
  • Plausible Analytics: Aggregate data is retained indefinitely. No personal data is stored.
  • Google Analytics: Data retention is set to 14 months, after which it is automatically deleted by Google.
  • Server logs (Vercel): Retained according to Vercel's data retention policy, typically up to 30 days.
  • Threat intelligence data: Retained indefinitely for ongoing security research. This data relates to automated threats, not website visitors.
  • Contact communications: Retained as long as necessary to respond to your inquiry, then deleted.

Section 11

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Under the EU/UK GDPR

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data, subject to legal retention obligations.
  • Right to restrict processing: Request that we limit how we use your data.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

Under the California Consumer Privacy Act (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell personal data)
  • Non-discrimination for exercising your privacy rights

How to exercise your rights

To exercise any of these rights, please contact us at privacy@dfir-lab.ch. We will respond to your request within 30 days.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.

Section 12

Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include:

  • Encryption in transit (TLS/HTTPS) for all website traffic
  • Encrypted storage for sensitive configuration and credentials
  • Access controls and authentication for administrative functions
  • Regular security monitoring of our infrastructure
  • Minimal data collection as a first principle

No system is 100% secure. If you discover a security vulnerability on this site, please report it responsibly to security@dfir-lab.ch.

Section 13

Children's Privacy

This website is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe that a child under 16 has provided us with personal data, please contact us at privacy@dfir-lab.ch and we will promptly delete it.

Section 14

Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page.

We encourage you to review this policy periodically. Continued use of the site after changes constitutes acceptance of the updated policy.

Section 15

Contact Us

If you have any questions about this privacy policy, your personal data, or would like to exercise your rights, please contact us:

Giuseppe Paternicola

DFIR Lab

Privacy inquiries: privacy@dfir-lab.ch

Security reports: security@dfir-lab.ch

General: info@dfir-lab.ch

We aim to respond to all privacy-related inquiries within 30 days.