Privacy Policy

(Version 1: Effective from 7 February 2026)

Overview

This Privacy Policy describes how we handle information in connection with our services. We are committed to privacy by design and have structured our operations to minimise data collection and retention. This policy exceeds the minimum requirements under GDPR (EU/EEA/UK), PIPL (China), DPDP Act (India), LGPD (Brazil), and CCPA/CPRA (California, USA).

1. What Personal Information Do We Collect?

We do not collect, or ask for, personal information such as your name, address, email address or phone number on our website.

However, please note that IP addresses are considered personal data under various countries' laws. We normally do not collect IP addresses either, so a majority of our users and visitors have nothing to worry about. We only log and collect IP addresses that show aggressive or malicious behaviour.

Metadata Collected During Security Events

When IP addresses are logged due to aggressive or malicious behaviour, we also collect country code (derived from IP address via GeoIP2) for the purpose of identifying attack patterns and constructing CIDR ranges to block. This metadata is retained for the same 24-hour period as the IP addresses.

IP Addresses Under Normal Use

If you are reading this page, which constitutes normal use, we have not logged your IP address (or its country code). Likewise, when you use our DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-over-QUIC (DoQ) servers normally, we log neither your IP, nor the domain name that you resolved, nor any metadata.

A typical user would resolve up to 5 domains per second. For occasional spikes in usage, we have kept a generous limit of 50 requests per second per IP address. Up to those limits, we do not log or collect anyone's IP.

What Constitutes Aggressive or Malicious Behaviour?

Imagine there was a hacker who tried to attack our servers by flooding our servers with a high volume of requests simultaneously (or within a short time frame). We treat those rates as aggressive. Exceeding rates that are already too generous will generate an error in our servers. That hacker's IP will be logged.

Also imagine there was another hacker (or a bot, or a malicious AI agent) who tried to carry out malicious attacks (XSS, SSRF and CSRF are just a few examples). Our system operates a "zero tolerance" principle. That hacker's IP is also logged.

Domain Names (DNS Queries)

Our DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-over-QUIC (DoQ) services do not log domain name resolutions. DNS queries are not retained, recorded, or processed for any purpose.

Profiling & Behavioural Tracking

We do not collect, use, or store data for user profiling, behavioural analysis, or targeted advertising.

2. Data Location

Our servers are based in the Netherlands, and all personal data is held exclusively within the Netherlands. This ensures full compliance with GDPR requirements and provides our users with the strongest available European data protection standards.

For Users in China (PIPL)

If you are located in China and subject to the Personal Information Protection Law (PIPL), you should be aware that our data is stored outside China. Depending on the nature of your interactions with our services and the applicability of PIPL to your specific circumstances, PIPL data localisation requirements may apply to your personal information. Users concerned about PIPL compliance should review their local obligations or contact us for clarification.

3. Cookies

Strictly Necessary Technical Cookies

We use minimal session cookies to:

These cookies:

Cookie Removal

Users may remove these cookies at any time by visiting https://practicallyunhackable.com/remove-cookies on our website. Cookies are automatically removed upon session termination or browser closure.

4. What We Do With Aggressive and Malicious IP Addresses

Immediate Response

We exercise our legitimate rights to protect our servers and ban individual aggressive or malicious IP addresses permanently and immediately. We do not attempt to identify individuals or organisations behind these IP addresses.

Data Retention Period

Logged IP addresses are typically retained for a period of up to 24 hours.

Every 24 hours (around 5 AM GMT), we analyse the aggressive and malicious IP addresses and identify whether they are coming from the same network or range of IP addresses or have engaged in serious hacking attempts. If such patterns are found, we construct the CIDR range (which is anonymised) and proactively ban those ranges to defend our servers.

All logs are deleted and emptied after our analysis. All IP addresses (but not the anonymised CIDR ranges) are unbanned.
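The following is an added illustration of the mechanism described in sections 1 and 4 (logging only IPs that exceed 50 requests per second, 24-hour retention, daily aggregation of offenders into a CIDR range that is banned instead of the individual IPs); it is not the operator's own code. It assumes a per-second fixed window, /24 grouping, a threshold of three distinct offending IPs per network, and a constructed stand-in for the GeoIP2 lookup.

```python
import ipaddress
from collections import defaultdict

RATE_LIMIT = 50                 # requests per second per IP, as stated in the policy
RETENTION_SECONDS = 24 * 3600   # security log entries live at most 24 hours
NETWORK_THRESHOLD = 3           # assumption: offending IPs in one /24 before the range is banned

# Constructed stand-in for a GeoIP2 country lookup (the policy derives country code via GeoIP2).
GEOIP = {"203.0.113.0/24": "XX", "198.51.100.0/24": "YY"}

def country_code(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return "??"

class SecurityLog:
    def __init__(self):
        self.counts = defaultdict(int)   # (ip, second) -> requests seen in that second
        self.entries = {}                # offending ip -> (country code, last seen timestamp)
        self.banned_ips = set()          # individual bans, lifted after each daily analysis
        self.banned_ranges = set()       # anonymised CIDR bans, kept

    def observe(self, ip, ts):
        """Count one request; the IP is logged only once it exceeds RATE_LIMIT in a second."""
        key = (ip, int(ts))
        self.counts[key] += 1
        if self.counts[key] > RATE_LIMIT:
            self.entries[ip] = (country_code(ip), ts)
            self.banned_ips.add(ip)

    def purge(self, now):
        """Drop log entries older than the 24-hour retention period."""
        for ip, (_, seen) in list(self.entries.items()):
            if now - seen > RETENTION_SECONDS:
                del self.entries[ip]

    def daily_analysis(self, now):
        """Group offenders per /24, ban dense ranges, then empty the logs and lift IP bans."""
        self.purge(now)
        by_net = defaultdict(set)
        for ip in self.entries:
            by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
        for net, ips in by_net.items():
            if len(ips) >= NETWORK_THRESHOLD:
                self.banned_ranges.add(str(net))
        self.entries.clear()        # all logs deleted after analysis
        self.counts.clear()
        self.banned_ips.clear()     # individual IPs unbanned; ranges remain
        return sorted(self.banned_ranges)
```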

Legal Basis for Security Processing

Security-logged IP addresses are processed as personal data under our legitimate interest lawful basis for network and information security. Specifically:

Collateral Impact (Noisy Neighbours Problem)

If other users on your network have demonstrated aggressive and malicious behaviour, it is possible that you may not be able to reach our services at all. As we have no contractual obligation to provide or maintain services to anyone in the world, we give priority to our servers' protection.

If you think you are blocked from using our services despite being a normal user, please get in touch and we will suggest a solution.

5. User Rights

Right to Access

We do not maintain personal data records beyond security logs (24-hour retention) and compliance records (see Compliance Records section below). If you contact us regarding any information we may have, we will provide access to any data held within 48 hours.

Right to Be Forgotten (Right to Erasure)

Upon request, we will delete any information we may hold about you within 48 hours. To submit a deletion request, please email us at contact AT practicallyunhackable DOT com.

Compliance Records and Legal Holds

To evidence our compliance with your deletion request, we retain:

These compliance records are retained for 3 years maximum as required for audit, legal hold, and dispute resolution purposes, and are not used for any other purpose. This retention period aligns with applicable statutes of limitations across GDPR, PIPL, DPDP Act, LGPD, and CCPA/CPRA jurisdictions.

6. Data Protection Under Global Privacy Laws

This policy ensures compliance with and exceeds the requirements of:

EU/EEA/UK (GDPR): Legitimate interest for security (Article 6(1)(f)); consent not required for strictly necessary cookies; right to erasure with compliance record exceptions; data held in the Netherlands.

China (PIPL): Security-justified IP processing; no personal data collection beyond security logs; lawful processing basis; note on data localisation for Chinese users.

India (DPDP Act): Security logs retained for 24 hours (appropriate for non-Schedule VII purposes); compliance records capped at 3 years; right to erasure honoured within 48 hours.

Brazil (LGPD): Security-justified IP processing; no individual identification; transparent lawful basis for processing.

California, USA (CCPA/CPRA): Strictly necessary cookies exempt from consent; no sale or sharing of personal information; no targeted advertising.

CCPA/CPRA Clarification

We do not sell, share, or otherwise transfer personal information for commercial purposes. Accordingly, the CCPA/CPRA right to "Do Not Sell or Share My Personal Information" does not apply to our services, as we do not engage in such practices.

7. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights (access, deletion, or to report a false positive blocking), please contact us at:

Email: contact AT practicallyunhackable DOT com
We will respond to requests within 48 hours.

8. Policy Updates

We will notify users of material changes to this Privacy Policy by posting updates on our website.

9. Our Commitment

We believe privacy is a fundamental right. By collecting minimal data, retaining information only as necessary, processing personal data only for legitimate security purposes, maintaining servers exclusively within the Netherlands for GDPR protection, and operating under strict security principles, we ensure that your interactions with our services remain private and secure.