Privacy Policy

Last updated 7 May 2026 · Plain language, no surprises.

Quick summary

  • We collect the minimum needed to run the service: your account email and the IP queries you make.
  • We never sell your data, share it with advertisers, or run third-party trackers.
  • Account data lives in our own Postgres on our own server. Not on a marketing CDP, not in a CRM, not in BigQuery.
  • You can delete your account at any time and we wipe everything within 30 days.

What we collect

When you create an account: email address, hashed password (argon2), display name (optional), created-at timestamp.

When you use the API: the IP you queried, the timestamp, your API key (hashed), and response time. We log this for rate-limiting, abuse detection, and your usage dashboard.

When you submit a report: the IP, the report kind, your comment, your email if provided, and your submitter IP for dedup.

Server-side: standard request logs (IP, user-agent, status, latency) for operational debugging. Rotated weekly.

What we don't collect

  • No third-party trackers (Google Analytics, Facebook Pixel, Hotjar, etc.).
  • No third-party fonts or scripts that phone home. Inter and JetBrains Mono are self-hosted.
  • No fingerprinting libraries. We don't fingerprint our own visitors.
  • No cross-domain tracking cookies. Our cookie is httpOnly + same-site.

What we use it for

  • Operating the service: rate limiting, fraud detection on the auth endpoints, deduplication of community reports.
  • Your usage dashboard: showing you what you've queried.
  • Aggregate metrics: total queries per day, server load. Never per-user.
  • Email. Only when something material happens: verification, account changes, hitting limits, or terms updates. No marketing emails.

What we share

Nothing. We don't sell, rent, or syndicate user data. We don't share with affiliates, partners, advertisers, or analytics vendors (we don't use any).

The only exception: we comply with valid subpoenas under the jurisdiction of our hosting country (Germany / EU). If we ever receive one, we'll publish a transparency report unless legally gagged.

Public threat intel: IPs you report via /report may appear in the public database, but never linked to your account or email.

Controller and where data lives

Controller: Obsidian UG (haftungsbeschränkt), Leopoldstr. 2-8, 32051 Herford, Germany. HRB 20982, Amtsgericht Bad Oeynhausen. See our Impressum for full legal entity details.

Account and usage data live on Contabo servers in Germany (Düsseldorf region). We use Postgres for the primary store; backups are encrypted at rest and stored in the same region. No third-country transfers without legal basis.

How long we keep it

  • Account data: as long as your account is active. Deleted within 30 days of deletion request.
  • Query logs: 90 days, then anonymized into aggregate counters.
  • Reports: kept indefinitely as part of the threat intel database, but the reporter identity (your email/IP) is dropped after 12 months unless we needed it for moderation.
  • Server logs: 14 days, rotated.

Your rights (GDPR)

  • Access. Ask us what we hold about you. We respond within 30 days.
  • Correct. Update inaccurate data through your dashboard or by emailing us.
  • Delete. Hit the delete-account button or email us. We wipe within 30 days.
  • Portability. Ask for an export of your account data; we send a JSON file.
  • Object. Opt out of any processing. Since we only do operational processing, opt-out usually means deleting your account.

To exercise any of these, write to [email protected].

Cookies

We set a small number of httpOnly, same-site cookies for session management: ffraud_token (your JWT, 7-day life), ffraud_key (your primary API key for the dashboard), ffraud_admin (only set when an admin signs in, 8-hour life). No tracking cookies.

Changes

We may update this policy. Material changes are emailed to registered accounts 14 days before they take effect. The "last updated" date at the top is the source of truth.

See also our Terms of Service and Impressum.