Draft — review with qualified counsel before publishing. This document describes PubSentry's actual data practices in plain language so a lawyer can adapt it into a binding policy. It is not legal advice and is not the final policy. Bracketed placeholders must be completed before this page goes live.
This Privacy Policy explains how [LEGAL ENTITY NAME] ("PubSentry," "we," "us") collects, uses, and protects information when you use the PubSentry service, dashboard, and website. It is written to reflect what the system actually does — a fraud-detection product is unusual in that it processes visitor signals on behalf of our customers, and we want that processing described honestly.
Effective date: [EFFECTIVE DATE]
Data controller / contact: [LEGAL ENTITY NAME], [REGISTERED ADDRESS] — questions to [DPO/CONTACT EMAIL].
Governing law: This policy is governed by the laws of [GOVERNING JURISDICTION].
Who this applies to
There are two distinct relationships, and the privacy implications differ:
- Publishers (our customers). People who hold a PubSentry account, install the tag, and use the dashboard. For their account data, we are the data controller.
- Visitors to a publisher's site. End users whose page loads are scored for invalid traffic. For this visitor signal, the publisher is the controller and PubSentry is the processor — we process it under the publisher's instruction to detect fraud, and a Data Processing Agreement governs that relationship for plans that include one.
What we collect, and what we deliberately do not keep
Visitor signals (processed on the publisher's behalf)
When the PubSentry tag fires on a page, the browser sends a beacon containing only client-knowable fields (timing, automation/environment/behavioral signals, a non-PII device fingerprint hashed with fnv1a). Our ingest service enriches that beacon using the request's IP address and User-Agent header to derive datacenter / ASN / coarse geography from an offline dataset (iptoasn).
The privacy-critical design choice: raw IP address and User-Agent are hashed server-side with HMAC-SHA256 and then dropped. They are never written to storage in raw form. What persists is a one-way keyed hash used for reputation and velocity correlation, plus the derived non-identifying attributes (ASN, datacenter flag, country). Our IP intelligence is the offline ASN/geo dataset only — we do not run residential-proxy, VPN, or Tor detection, and those classifications stay unknown.
Scored events are stored in ClickHouse (our analytics event store). Short-lived reputation, velocity counters, per-site configuration, and account/session records are stored in Redis.
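The hash-and-drop step described above, as an added illustration rather than PubSentry's own ingest code: the beacon is enriched from an offline ASN/geo table, the raw IP address and User-Agent are replaced by HMAC-SHA256 keyed hashes, and the record that would be stored is checked to contain no raw identifier. The key, the ASN table rows, the beacon fields and the function names are constructed for this example.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed HMAC key for this example only; a real service would load its
# key from a secrets store (assumption, not described in the policy).
INGEST_HMAC_KEY = b"example-ingest-key-replace-me"

# Constructed stand-in for the offline ASN/geo dataset:
# (network, asn, asn name, country, datacenter flag). These rows are invented.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500, "EXAMPLE-CLOUD", "US", True),
    (ipaddress.ip_network("198.51.100.0/24"), 64501, "EXAMPLE-ISP", "DE", False),
]


def keyed_hash(value: str, key: bytes = INGEST_HMAC_KEY) -> str:
    """One-way keyed hash (HMAC-SHA256) of a raw identifier. Because the key is
    secret, the hash cannot be brute-forced back to an IP or User-Agent the way
    a plain SHA-256 of a 32-bit address could."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def lookup_asn(ip: str) -> dict:
    """Derive coarse, non-identifying attributes from the offline table."""
    addr = ipaddress.ip_address(ip)
    for net, asn, name, country, is_dc in ASN_TABLE:
        if addr in net:
            return {"asn": asn, "asn_name": name, "country": country, "datacenter": is_dc}
    # Unknown network: record "unknown" explicitly rather than guessing.
    return {"asn": None, "asn_name": None, "country": None, "datacenter": None}


def enrich_and_drop(beacon: dict, client_ip: str, user_agent: str) -> dict:
    """Build the record that would be written to the event store.

    The raw IP and User-Agent are used for enrichment and then replaced by
    keyed hashes; nothing raw is copied into the returned record."""
    record = dict(beacon)                    # client-knowable fields only
    record.update(lookup_asn(client_ip))     # derived, non-identifying attributes
    record["ip_hash"] = keyed_hash(client_ip)
    record["ua_hash"] = keyed_hash(user_agent)
    # Residential-proxy / VPN / Tor detection is not performed; leave it unknown.
    record["proxy_class"] = None
    return record


def leaks_raw(record: dict, *raw_values: str) -> bool:
    """True if any raw identifier appears anywhere in the serialized record."""
    serialized = json.dumps(record)
    return any(v in serialized for v in raw_values)


if __name__ == "__main__":
    # Constructed beacon fields and request headers.
    beacon = {"site_id": "site_123", "ttfb_ms": 142, "webdriver": False, "fp": "a1b2c3d4"}
    ua = "Mozilla/5.0 (constructed UA)"
    rec = enrich_and_drop(beacon, "203.0.113.7", ua)
    print(json.dumps(rec, indent=2))
    print("raw values leaked:", leaks_raw(rec, "203.0.113.7", ua))
```

The key is what makes this pseudonymization rather than a reversible encoding: the same IP always yields the same hash (so velocity and reputation correlation still work), but without the key no one holding the event store can enumerate addresses to recover it. Rotating the key invalidates old correlations, which is a retention decision to make deliberately.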
Publisher account data (we are the controller)
To operate your account we collect: your email address, a password stored only as a scrypt hash (never in plaintext), your site IDs and configuration, billing status, and opaque session identifiers. Sessions are cookie-based and same-origin to the dashboard at app.pubsentry.com.
Payments
Billing is handled by DodoPayments, our merchant of record. When you purchase a plan you are redirected to DodoPayments' hosted checkout; we do not receive or store your card number. We retain a customer/subscription reference and your plan + billing status so we can apply the right limits. DodoPayments processes your payment data under its own privacy policy.
Transactional email (account, billing, and alert notifications) is sent through Resend, which processes the recipient address and message content to deliver mail on our behalf.
Website analytics
Our public marketing site uses Google Analytics 4 (GA4) to understand aggregate traffic. GA4 may set cookies and process usage data under Google's terms. We do not run third-party marketing analytics in the authenticated dashboard.
Cookies
We use cookies sparingly:
- Session cookies — strictly necessary to keep you logged into the dashboard. Without them the product cannot authenticate you.
- Analytics cookies — set by GA4 on the marketing site to measure visits.
The PubSentry detection tag installed on a publisher's site is not an advertising or cross-site tracking cookie; it sends a fraud-scoring beacon and is governed by the publisher's own cookie/consent notices.
Legal bases for processing (where GDPR/UK GDPR applies)
- Contract — operating your account, processing payments, and providing the service.
- Legitimate interests — fraud and invalid-traffic detection (the core purpose of the product), security, and preventing abuse of the service, balanced against visitor rights by our minimization-by-design (hash-and-drop) approach.
- Consent — non-essential cookies such as GA4 analytics, where required.
- Legal obligation — retaining limited billing records as required by tax/accounting law.
Data retention
- Scored events (ClickHouse) are retained according to the publisher's plan history window — 7, 30, 90, or 365 days depending on tier. The analytics window is clamped server-side to the plan's retention; older data ages out.
- Hashed reputation/velocity data (Redis) is short-lived and TTL-bounded.
- Account and billing records are retained for the life of the account and for any period afterward required by law.
- Raw IP/User-Agent is never retained — it is hashed and discarded at ingest, as described above.
How we share data
We do not sell personal data. We share it only with sub-processors who help us run the service, under contract and instruction:
| Sub-processor | Purpose | Data involved |
|---|---|---|
| DodoPayments | Payments / merchant of record | Billing and card data (handled by them, not us) |
| Resend | Transactional email delivery | Email address, message content |
| Google (GA4) | Marketing-site analytics | Aggregate usage, analytics cookies |
| Hosting / infrastructure provider | Running ClickHouse, Redis, and the application | Event and account data at rest |
We may also disclose information where required by law or to protect the security and rights of PubSentry, our customers, or the public.
International transfers
PubSentry's infrastructure and some sub-processors (for example, Google and DodoPayments) may process data in countries other than yours. Where personal data is transferred out of the EEA, UK, or other restricted regions, we rely on appropriate safeguards such as Standard Contractual Clauses or an adequacy decision. [Confirm with counsel which mechanism and processing locations apply to [LEGAL ENTITY NAME].]
Your rights
Depending on your location (for example, under GDPR, UK GDPR, or CCPA/CPRA), you may have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate data;
- Erase your data ("right to be forgotten");
- Restrict or object to certain processing;
- Port your data to another service;
- Withdraw consent where processing is consent-based;
- Not be discriminated against for exercising these rights.
A structural note that matters for these requests: because we hash-and-drop raw IP and User-Agent, we usually cannot re-identify an individual visitor from a stored event — the data is pseudonymized by design. Visitor rights requests are typically directed to the publisher (the controller of that data); we will assist publishers in responding. Publisher account-holders can exercise their own rights directly with us.
To make a request, contact [DPO/CONTACT EMAIL]. We will respond within the timeframe required by applicable law. If you believe we have mishandled your data, you may also lodge a complaint with your local supervisory authority.
Security
Passwords are hashed with scrypt; raw IP/UA is hashed with HMAC-SHA256 and dropped; backend services bind to localhost behind a reverse proxy and are not directly reachable from the public internet; every authenticated API request is session-scoped to the account that owns the relevant site; and outbound webhooks include an SSRF guard against private targets. No system is perfectly secure, but data minimization is our first line of defense — we try hard to never hold data we don't need.
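The outbound-webhook SSRF guard mentioned above, shown as an added example that is not PubSentry's own code: it accepts only https webhook URLs and refuses any target whose literal or resolved address is private, loopback, link-local, multicast, reserved or unspecified, including IPv4-mapped IPv6 forms. The resolver table, host names and function names are assumptions constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver standing in for DNS so the example runs offline.
CONSTRUCTED_DNS = {
    "hooks.example.com": ["8.8.8.8"],          # a publicly routable answer
    "intranet.example": ["10.0.0.5"],          # RFC 1918, must be refused
    "link-local.example": ["169.254.10.10"],   # link-local, must be refused
}


def _publicly_routable(addr) -> bool:
    """Reject every address class that should never be a webhook destination."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.5 must be judged as 10.0.0.5
    return addr.is_global and not (
        addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified
    )


def check_webhook_target(url, resolve=lambda host: CONSTRUCTED_DNS.get(host, [])):
    """Return (allowed, reason) for a publisher-supplied webhook URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "only https webhooks are accepted"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        addrs = [ipaddress.ip_address(host)]   # literal IP in the URL
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except ValueError:
            return False, "resolver returned an invalid address"
    if not addrs:
        return False, "hostname does not resolve"
    for addr in addrs:
        if not _publicly_routable(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://hooks.example.com/pubsentry",
        "http://hooks.example.com/pubsentry",
        "https://intranet.example/hook",
        "https://[::ffff:10.0.0.5]/hook",
    ):
        print(candidate, "->", check_webhook_target(candidate))
```

A check like this is only complete if the address that passed it is the one actually connected to: the HTTP client should be pinned to the vetted IP (or re-run the check after its own resolution) and must re-validate every redirect target, otherwise a hostname that resolves differently on the second lookup bypasses the guard.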
Children
The service is a business product not directed at children, and we do not knowingly collect personal data from anyone under the age required by [GOVERNING JURISDICTION].
Changes to this policy
We may update this policy as the product and our sub-processors change. Material changes will be reflected by a new effective date and, where appropriate, a notice to account-holders.
Contact
Questions, requests, or concerns: [DPO/CONTACT EMAIL] — [LEGAL ENTITY NAME], [REGISTERED ADDRESS].
Draft for internal review. Do not treat any statement here as final or as legal advice until [LEGAL ENTITY NAME] has had it reviewed by qualified counsel.
