Overview
This Privacy Policy describes how we handle information in connection with our services. We are committed to privacy by design and have structured our operations to minimise data collection and retention. This policy exceeds the minimum requirements under GDPR (EU/EEA/UK), PIPL (China), DPDP Act (India), LGPD (Brazil), and CCPA/CPRA (California, USA).
1. What We Do Not Collect
IP Addresses
We do not log, store, or retain visitor IP addresses for operational purposes. This applies to all standard user interactions with our services.
Domain Names (DNS Queries)
Our DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-over-QUIC (DoQ) services do not log domain name resolutions. DNS queries are not retained, recorded, or processed for any purpose.
Profiling & Behavioural Tracking
We do not collect, use, or store data for user profiling, behavioural analysis, or targeted advertising.
2. Data Location
Our servers are based in the Netherlands, and all personal data is held exclusively within the Netherlands. This ensures full compliance with GDPR requirements and provides our users with the strongest available European data protection standards.
For Users in China (PIPL)
If you are located in China and subject to the Personal Information Protection Law (PIPL), you should be aware that our data is stored outside China. Depending on the nature of your interactions with our services and the applicability of PIPL to your specific circumstances, PIPL data localisation requirements may apply to your personal information. Users concerned about PIPL compliance should review their local obligations or contact us for clarification.
3. Cookies
Strictly Necessary Technical Cookies
We use minimal session cookies to:
- Maintain service functionality
- Defend against attacks such as CSRF, XSS, and DDoS
These cookies:
- Contain only session information
- Do not contain personally identifiable information
- Are secured with the HttpOnly, Secure, and SameSite=Strict cookie attributes
- Do not require explicit consent under GDPR, CCPA/CPRA, LGPD, PIPL, and DPDP Act
Cookie Removal
Users may remove these cookies at any time by visiting https://practicallyunhackable.com/remove-cookies on our website. Cookies are automatically removed upon session termination or browser closure.
4. Cybersecurity & Attack Prevention
Automated Threat Detection
We automatically detect and log IP addresses of suspected attackers, including:
- Botnets and malicious actors
- Port scanners and vulnerability probes
- Denial-of-service (DoS/DDoS) attacks
- SQL injection and cross-site scripting (XSS) attempts
IP Address Bans & CIDR Range Blocking
Detected malicious IP addresses are automatically banned. We analyse attack frequency across IP ranges (CIDR /24 blocks) and proactively block those ranges to prevent future attacks.
Legal Basis for Security Processing
Security-logged IP addresses are processed as personal data under our legitimate interest lawful basis for network and information security. Specifically:
- GDPR (Article 6(1)(f)): We rely on legitimate interest as the lawful basis for security processing. Network and information security is a recognised legitimate interest under GDPR Recital 49. This processing is necessary and proportionate to defend our systems against cyber-attacks.
- PIPL, LGPD, DPDP Act, and CCPA/CPRA: All permit security-justified processing of personal data without explicit user consent. Under the DPDP Act, security logging qualifies as a legitimate processing purpose.
Data Retention for Security
Security logs containing IP addresses are retained for 24 hours only.
Logs are used solely for identifying attack trends and blocking malicious CIDR ranges.
We do not attempt to identify individuals or organisations behind these IP addresses. After 24 hours, all security logs are permanently deleted.
Collateral Impact
In rare cases, legitimate users may be blocked if their IP address is within a banned CIDR range. We do not have a contractual obligation to provide uninterrupted access. Users who believe they have been incorrectly blocked may contact us to report false positives.
5. User Rights
Right to Access
We do not maintain personal data records beyond security logs (24-hour retention) and compliance records (see "Compliance Records and Legal Holds" below). If you contact us regarding any information we may have, we will provide access to any data held within 48 hours.
Right to Be Forgotten (Right to Erasure)
Upon request, we will delete any information we may hold about you within 48 hours. To submit a deletion request, please email us at contact AT practicallyunhackable DOT com.
Compliance Records and Legal Holds
To evidence our compliance with your deletion request, we retain:
- Your deletion request email
- Confirmation of deletion completion
These compliance records are retained for 3 years maximum as required for audit, legal hold, and dispute resolution purposes, and are not used for any other purpose. This retention period aligns with applicable statutes of limitations across GDPR, PIPL, DPDP Act, LGPD, and CCPA/CPRA jurisdictions.
6. Data Protection Under Global Privacy Laws
This policy ensures compliance with and exceeds the requirements of:
| Jurisdiction | Law | Key Compliance |
|---|---|---|
| EU/EEA/UK | GDPR | Legitimate interest for security (Article 6(1)(f)); consent not required for strictly necessary cookies; right to erasure with compliance record exceptions; data held in Netherlands. |
| China | PIPL | Security-justified IP processing; no personal data collection beyond security logs; lawful processing basis; note on data localisation for Chinese users. |
| India | DPDP Act | Security logs retained for 24 hours (appropriate for non-Schedule VII purposes); compliance records capped at 3 years; right to erasure honoured within 48 hours. |
| Brazil | LGPD | Security-justified IP processing; no individual identification; transparent lawful basis for processing. |
| California, USA | CCPA/CPRA | Strictly necessary cookies exempt from consent; no sale or sharing of personal information; no targeted advertising. |
CCPA/CPRA Clarification
We do not sell, share, or otherwise transfer personal information for commercial purposes. Accordingly, the CCPA/CPRA right to “Do Not Sell or Share My Personal Information” does not apply to our services, as we do not engage in such practices.
7. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights (access, deletion, or to report a false positive blocking), please contact us at:
Email: contact AT practicallyunhackable DOT com
We will respond to requests within 48 hours.
8. Policy Updates
We will notify users of material changes to this Privacy Policy by posting updates on our website.
9. Our Commitment
We believe privacy is a fundamental right. By collecting minimal data, retaining information only as necessary, processing personal data only for legitimate security purposes, maintaining servers exclusively within the Netherlands for GDPR protection, and operating under strict security principles, we ensure that your interactions with our services remain private and secure.