1. Summary
IntrusionLabs (operated by Opaque Research LLC) has two distinct categories of personal data to discuss:
- Customer data — information about people who register for, pay for, or use the Service. This category is the subject of most of this policy.
- Third-party observational data — information we record about parties we do not have a customer relationship with, because they connected to one of our honeypot sensors or appear in third-party threat intelligence feeds we ingest. This is the unusual part of our data footprint and is addressed in §7 below.
2. Customer data we collect
When you use the Service, we collect:
- Account information you provide: email address, display name (optional), and account preferences.
- Authentication data: hashed passwords (using industry-standard key derivation); we never store plaintext passwords.
- Service usage: IP addresses from which you access the Service, browser user-agent strings, timestamps, pages accessed, queries run, API calls made, and rate-limit counters.
- API keys we issue to you, for authenticating programmatic access.
- Support communications: the contents of email or other messages you send us.
- Saved queries and workspace state, if any, that you create inside the Service.
3. What we do not collect
We do not collect, transmit, or store:
- Payment-card numbers, expiry dates, CVV codes, or other payment instrument data;
- Billing addresses;
- Bank account information;
- Tax identification numbers.
All of the above are collected and processed directly by Paddle as the Merchant of Record (see §6).
4. How we use customer data
We use customer data to:
- Provide, operate, maintain, and improve the Service;
- Authenticate you and secure your account;
- Enforce rate limits and abuse-prevention controls;
- Send you transactional email (account confirmation, password resets, billing notifications) via Postmark;
- Respond to your support requests, takedown requests, and subject-access requests;
- Comply with legal obligations including sanctions screening (see §9);
- Investigate suspected fraud, abuse, or violations of our Terms.
We do not sell your personal data. We do not rent it, trade it, or share it with advertisers.
5. Subprocessors
We use a small number of third-party service providers to operate the Service. Each provider only receives the data it needs to perform its function. Our current subprocessors are listed and kept up to date at /legal/subprocessors/. At the time of writing they are:
| Provider | Role | Data categories received |
|---|---|---|
| Hetzner (Germany/Finland) | Primary hosting and database infrastructure | All data you submit and we generate, at rest and in transit |
| Linode / Akamai (global) | Edge sensor hosting in multiple regions | Inbound attack traffic (not customer data) |
| Paddle | Merchant of Record — payments, tax, chargebacks | Your payment data (provided directly by you to Paddle; never routed through our systems) |
| Postmark | Transactional email delivery | Your email address and the content of messages we send you |
We will publish new subprocessors before they begin handling customer data and maintain a subscribable update feed for the list.
6. Payments — Paddle as Merchant of Record
All paid subscriptions are sold by Paddle as the Merchant of Record. When you pay for a subscription, you are contracting with Paddle for that transaction. Paddle collects your payment-card information and billing address directly; we never see it. Paddle handles PCI-DSS compliance, tax calculation and remittance, fraud screening, and chargebacks.
After a successful subscription, Paddle returns to us only the minimum information we need to provision your access: your customer email, transaction identifier, product and tier purchased, and subscription status. We use that information solely to operate the Service.
For a full description of Paddle's data handling, see paddle.com/legal/privacy. Questions or requests related to your payment data should be directed to Paddle; questions about how we use the account information Paddle returns to us are addressed by this policy.
7. Third-party observational data (non-customer)
This section describes data we collect and publish about parties who are not our customers. Because an IP address can qualify as personal data under some laws (including the EU GDPR when the IP is traceable to an identifiable person), this data is addressed here with the same care as customer data.
7.1 What we observe
IntrusionLabs operates a network of passive sensors and honeypots that are designed to receive unauthorized access attempts. When a device on the public Internet connects to one of our sensors, we record connection metadata, commands issued, credentials attempted, and session activity. A full description is in our Research Sensor Disclosure.
We also ingest a small set of publicly available threat intelligence sources (such as Tor exit node lists, Spamhaus DROP, abuse.ch feeds) for corroboration of what we observe on our own sensors.
7.2 What we publish
From the data above we derive and publish aggregated attribution: IP reputation records, ASN summaries, behavioral cluster reports, campaign assessments, and confidence scores, together with the evidence provenance that supports each conclusion.
7.3 What we do not publish
We do not publish:
- Attacker-supplied credentials (usernames, passwords, keys — even though these are typically stolen or reused);
- Raw session transcripts;
- Payload binaries or uploaded content;
- The name, photograph, social-media profile, or other personal identifier of any natural person behind an IP;
- Any data that could itself be a vehicle for further harm.
7.4 Legal basis
For third-party observational data about EU residents (to the extent the GDPR applies to our processing), we rely on our legitimate interest as the basis for processing under Article 6(1)(f) GDPR, namely: the prevention of criminal activity against the public Internet and against our customers, the operation of a network and information security service (Recital 49), and the public interest in independent, citable threat intelligence. We balance this interest against the rights of data subjects through the minimization measures described in §7.3 and the correction/erasure process described in §8.
7.5 Your rights as a third party in our data
If you believe an IP address, hostname, ASN, or other indicator attributable to you or your organization is incorrectly labeled in our data, please see our Takedown & Subject-Access Policy. We aim to acknowledge requests within 5 business days and provide a substantive response within 15 business days.
8. Your rights as a customer
Depending on where you live, you may have rights under the California Consumer Privacy Act (CCPA), the EU or UK General Data Protection Regulation (GDPR), or similar state privacy laws. These may include:
- The right to access the personal data we hold about you;
- The right to correct inaccurate personal data;
- The right to request deletion of your personal data;
- The right to export your personal data in a portable format;
- The right to object to certain processing or to withdraw consent;
- The right to lodge a complaint with a supervisory authority.
To exercise any of these rights, email privacy@intrusionlabs.com. We aim to respond within 30 days, or the shorter period required by applicable law.
Requests related to payment data (card numbers, billing addresses, transaction history beyond subscription status) should be directed to Paddle, which is the controller for that data. We will help you route such requests if you are unsure which party to contact.
9. Sanctions screening
Because IntrusionLabs is operated by a US entity, we screen account registrations and, at paid-tier launch, ongoing activity against US Office of Foreign Assets Control (OFAC) sanctions lists and the US Consolidated Screening List. Screening decisions are logged for five (5) years. If you believe your account was blocked in error, contact legal@intrusionlabs.com.
10. Data retention
- Active customer accounts: retained for as long as the account is active.
- Closed customer accounts: personal data is purged within 90 days of account closure. Backups may retain copies for up to an additional 90 days; these are overwritten on the normal backup rotation.
- Support emails: retained for 3 years unless you request earlier deletion.
- Sanctions screening decisions: retained for 5 years as required for compliance.
- Honeypot raw events: retained 12–18 months for analytical replay, then purged. Aggregated attribution derived from those events is retained indefinitely, subject to the correction and erasure processes in our Takedown & Subject-Access Policy.
- Payment transaction history: retained by Paddle per Paddle's retention policies; we hold only subscription status and transaction identifiers locally.
11. Security
We use TLS 1.2 or higher for all data in transit and AES-256 or equivalent for sensitive data at rest. We enforce least-privilege access for our team and require multi-factor authentication for administrative access. No system is perfectly secure; if we become aware of a security incident affecting your personal data, we will notify you without unreasonable delay and, in any event, in a manner consistent with applicable law.
12. International transfers
We are based in the United States. Our primary hosting is in Finland (Hetzner). Our edge sensors are in the United States, Singapore, and other locations. By using the Service, you understand that your data may be transferred to and processed in countries other than your own. Where required for transfers of EU personal data, we rely on Standard Contractual Clauses or other lawful transfer mechanisms via our subprocessors.
13. Children
The Service is not directed to children under 16 and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact privacy@intrusionlabs.com and we will promptly delete it.
14. Cookies
We use a small number of strictly necessary cookies for session management and security. We do not use advertising cookies. We may use privacy-respecting first-party analytics that does not set third-party tracking cookies.
15. Changes to this policy
We may update this policy to reflect changes in our practices or in applicable law. We will post the updated policy at this URL and provide notice of material changes by email or in-product banner at least 30 days before they take effect.
16. Contact
Questions about this Privacy Policy or about our handling of personal data should be directed to privacy@intrusionlabs.com. Controller of record: Opaque Research LLC, Ohio, USA.