NetKrypton netkrypton.com

Privacy Policy

Version 1.0 · Effective: 21 June 2026 · WebOrbiton Team

Contents

  1. Data Controller
  2. Nature of the Service
  3. Scope of Processed Data
  4. NetKrypton Report Submissions
  5. Analytics
  6. Purposes and Legal Basis (GDPR)
  7. Server Logs
  8. Data Recipients and Sub-processors
  9. Cookies and Local Storage
  10. Retention Period
  11. User Rights
  12. Voluntariness of Data
  13. Profiling and Automated Decisions
  14. Data Transfer Outside the EEA
  15. Changes to the Policy

01

Data Controller

The administrator of personal data collected through the NetKrypton services is Igor Oprządek.

  • Address: Bągart 14A, Poland
  • E-mail: privacy@weborbiton.com

No Data Protection Officer has been formally appointed.

02

Nature of the Service

NetKrypton is an independent Polish internet safety project operated by the WebOrbiton Team. It provides a continuously updated database of dangerous and suspicious domains for use in phishing, malware, and fraud protection. The project encompasses three distinct product surfaces:

  • NetKrypton Cloud API — a cloud-hosted REST API (Developer, Pro, Business plans) allowing developers and businesses to query the domain threat database programmatically.
  • NetKrypton Self-Hosted — a freely downloadable edition of the database for deployment on private infrastructure. No data is transmitted to NetKrypton servers during queries against a self-hosted instance.
  • NetKrypton Report (report.netkrypton.com) — a web form through which any user may submit a domain for threat review.

By design, NetKrypton does not perform user profiling, does not build user histories, and does not sell data to third parties.

03

Scope of Processed Data

Cloud API subscribers (Developer, Pro, Business plans)

Using the NetKrypton Cloud API requires creating a paid account via our billing partner. The following data may be processed:

  • Account data: e-mail address, subscription plan and status.
  • Payment data: transactional data processed by the authorised Payment Processor. We do not store full credit card details on our servers.
  • API usage data: API key identifier, request timestamps, queried domain strings, response codes, and monthly request counts — used exclusively for quota enforcement, billing accuracy, abuse prevention, and service diagnostics.
  • Technical data: IP address of the requesting server, date and time of request, HTTP client identifier.

Important: Domain strings submitted via API queries are processed in real time to return a threat verdict. They are not associated with account identifiers for profiling purposes, and are not retained beyond operational log retention periods (see Section 10).

Self-Hosted edition

The Self-Hosted edition involves no data transmission to NetKrypton servers at query time. The only processing that may occur is download of database update files, which involves a standard server-side IP address visible in our download logs. No personal data beyond the requesting IP is collected in this context.

04

NetKrypton Report Submissions

When a user submits a domain report via report.netkrypton.com, the following data is collected and stored in a server-side JSON file:

  • Name (as provided by the submitter)
  • E-mail address
  • Reported domain name
  • Threat type category
  • Free-text explanation
  • Submission timestamp
  • Interface language at time of submission

This data is used exclusively to investigate the reported domain and, if verified, to add it to the NetKrypton threat database. E-mail addresses may be used to follow up on the report if clarification is required. Report data is not shared with third parties, is not used for marketing, and is not sold.

Submitting a report is entirely voluntary. By submitting, the user provides explicit consent for the data to be processed for the stated investigative purpose.

05

Analytics

NetKrypton web properties may use a privacy-first, self-hosted analytics system — PriviMetrics — operated by the WebOrbiton Team.

  • No cookies or cross-site tracking identifiers are used.
  • Only aggregated, non-personal metrics are collected (visit counts, country, browser type).
  • No individual user sessions are reconstructed or stored.

06

Purposes and Legal Basis (GDPR)

  • Service provision (account management, API access, quota enforcement) — Art. 6(1)(b) GDPR
  • Security and infrastructure integrity (abuse detection, rate limiting, DDoS mitigation) — Art. 6(1)(f) GDPR
  • Billing and payment processing — Art. 6(1)(b) GDPR
  • Privacy-focused traffic analysis via PriviMetrics — Art. 6(1)(f) GDPR
  • Processing domain report submissions — Art. 6(1)(a) GDPR (consent given at submission)
  • Database update delivery for Self-Hosted edition — Art. 6(1)(b) GDPR

07

Server Logs

Web servers hosting NetKrypton services record standard access logs containing the requesting IP address, timestamp, HTTP method, path, response code, and user-agent string. These logs are retained for security and diagnostic purposes only, for a maximum of 30 days, after which they are automatically purged.

08

Data Recipients and Sub-processors

NetKrypton uses the following external service providers:

Infrastructure & Payments

  • Hostinger — hosting provider. Service files and subscriber account data are stored on servers located in Lithuania (primary), with backups in France. Both locations are within the European Economic Area (EEA). A global CDN may serve static assets from edge nodes outside the EEA; no personal data is stored or processed at CDN nodes.
  • Polar.sh (Polar Software Inc.) — payment processor and authorised reseller. Acts as Merchant of Record for all transactions.

Threat Intelligence Sources (no user data transmitted)

  • External threat feed providers and blocklist aggregators used to compile and verify the NetKrypton database receive no personal data of NetKrypton users. They receive only domain strings for reputation lookup, originating from NetKrypton's own servers.

NetKrypton does not sell, share, or transfer user data to any third party for advertising, profiling, or commercial purposes. The above providers act solely as technical sub-processors necessary to deliver the service.

09

Cookies and Local Storage

NetKrypton web properties use minimal, functional browser storage only:

  • A session cookie may be set for authenticated API dashboard sessions.
  • A language preference cookie (nk_lang) is set on the Report page to remember the user's selected interface language. It has a 365-day lifetime, is HttpOnly and Secure, and contains no personal data.

No advertising cookies, tracking pixels, or third-party analytics scripts are used on any NetKrypton property.

10

Retention Period

  • Server access logs: up to 30 days
  • API subscriber account data: for the duration of the subscription, plus up to 60 days following account deletion or expiry
  • API request logs: up to 90 days (used for quota enforcement and abuse investigation)
  • Domain report submissions: indefinitely, as they form part of the threat investigation record; submitters may request deletion by contacting privacy@weborbiton.com
  • Analytics data (PriviMetrics): up to 12 months in aggregated, non-personal form
  • Payment transaction records: as required by applicable accounting and tax law (typically 5–7 years)

11

User Rights

Under the GDPR, you have the right to:

  • Access, rectify, and erase your personal data
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time (where processing is consent-based)
  • Lodge a complaint with a supervisory authority — in Poland: PUODO (Urząd Ochrony Danych Osobowych, uodo.gov.pl)

To exercise your rights, contact: privacy@weborbiton.com

12

Voluntariness of Data

Providing account data is voluntary, but necessary to access the paid Cloud API service. Submitting a domain report is entirely voluntary and may be done without an account.

13

Profiling and Automated Decisions

NetKrypton does not use profiling or automated decision-making that produces legal or similarly significant effects on users, as defined under Art. 22 GDPR. Automated threat classification of domains is performed on domain strings, not on personal data of users.

14

Data Transfer Outside the EEA

Account data and service files are physically hosted within the EEA (Lithuania primary, France backup).

The following may involve processing outside the EEA:

  • Hostinger CDN — static technical assets only. No personal data stored or transmitted through CDN nodes.
  • Polar.sh (Polar Software Inc.) — United States. Subject to Standard Contractual Clauses or equivalent GDPR safeguards.

All transfers involving personal data are conducted in accordance with Chapter V of the GDPR using appropriate safeguards.

15

Changes to the Policy

We reserve the right to update this policy to reflect changes in our services or applicable law. Subscribers will be informed of significant changes via e-mail. The current version is always available at netkrypton.com/privacy.
