Privacy Policy

Public reference copy · BlackCrypt legal · Version 2026.2

0 Overview & key points

This Privacy Policy explains how BlackCrypt (the provider of the Service defined in the Online Service Terms) processes personal data when you visit the website, create an account, purchase credits, upload PCAP files, run analyses, and otherwise interact with the Service.

  • Controller vs processor: BlackCrypt acts as data controller for account, billing, security logs, support communications and platform telemetry. For network captures and related analysis data (Customer Data), BlackCrypt acts as processor or sub-processor, as applicable, as described in the DPA.
  • Data we collect: we process account and profile data, billing and purchase records, security and authentication data (including MFA and recovery-code usage), analysis metadata, operational logs, and communications you send us.
  • PCAP handling: uploaded PCAP files are stored in a dedicated per-analysis directory with restricted permissions and are deleted from disk once the analysis is completed or has irrecoverably failed.
  • Analysis results: derived analysis results, metadata and generated report artefacts are stored encrypted and retained for 90 days by default while the analysis remains available in the Service, unless deleted earlier or retained longer where legally or operationally required.
  • Security focus: we implement strict file validation, isolation of analysis artefacts, encryption for sensitive fields (for example MFA secrets and encrypted analysis payloads), and detailed security logging to protect accounts and the Service.
  • No training on Customer Data: consistent with the DPA, we do not use Customer Data, PCAPs, derived Results, Reports, or personal data contained in Customer Data to train, retrain, fine-tune, benchmark, or evaluate general-purpose detection, AI, or machine-learning models reused across customers, unless a separate explicit written opt-in agreement applies.
  • Your rights: you have rights under data-protection law, including to access, correct or erase your personal data, and to object to or restrict certain processing. Section 9 explains how to exercise these rights.

0.1 How this Privacy Policy relates to the OST and DPA

This Privacy Policy should be read together with the Online Service Terms (“OST”) and the Data Processing Agreement (“DPA”). Capitalised terms such as “Customer”, “Service” and “Customer Data” have the meaning given in the OST/DPA unless stated otherwise.

In particular:

  • The OST governs use of the Service and sets the commercial and liability framework between you and BlackCrypt.
  • The DPA governs BlackCrypt’s processing of Customer Data, including personal data in PCAP files and derived analysis outputs, as processor or sub-processor under data-protection law.
  • This Privacy Policy covers BlackCrypt’s processing of personal data as independent controller, for example in relation to account management, billing, security logs, platform telemetry and communications with you.

Where there is a conflict between this Privacy Policy and the OST or DPA on Customer Data processing roles, instructions, sub-processing, deletion or return, the OST/DPA will prevail to the extent of that conflict. This Privacy Policy remains the primary notice for personal data that BlackCrypt processes as independent controller.

BlackCrypt is operated by Emir FATTOUM, an independent professional established in Luxembourg and trading under the name BlackCrypt, with establishment address at L-1329, Luxembourg, business authorisation number N° 10172173 / 0. The VAT identification number is pending registration with the Luxembourg Registration Duties, Estates and VAT Authority (AED) and will be added once issued. Legal contact: contact@blackcrypt.ai.

1 Data controller and scope

Unless stated otherwise in this Privacy Policy or the DPA, BlackCrypt acts as data controller for personal data processed in connection with:

  • visits to the public website and landing page;
  • creation and management of user accounts and profiles;
  • billing, credit purchases and invoicing;
  • security, authentication and audit logging for the Service;
  • platform telemetry and non-identifying aggregated statistics; and
  • communications with you, including support interactions and transactional emails.

For Customer Data within PCAP files and derived analysis outputs, BlackCrypt acts as processor or sub-processor, as applicable, as described in the DPA.

For privacy questions or rights requests, contact us through the Service support channel or at contact@blackcrypt.ai. We may ask for information necessary to verify your identity and account before responding to rights requests.

2 Personal data we process
2.1 Account and profile data

When you register and use the Service we process account and profile data, including your username, email address, full name, organisation or company name, role, and optional contact details such as a phone number. Your profile may also contain primary address information (for example street, city, postal code and country) and invoice-specific address or recipient details that you choose to provide.

2.2 Billing and purchase data

When you purchase credits or other paid features we process billing and transaction data, such as the selected package, number of credits, price, currency, purchase status, and identifiers associated with our payment provider (for example customer and payment-intent IDs). We also store limited technical information such as the IP address and user-agent observed at the time of purchase. We do not store full payment card details on our systems; these are handled by our payment provider.

2.3 Security and authentication data

To protect accounts and the Service, we process security and authentication data, including password hashes, multi-factor authentication (“MFA”) configuration, and information about the use of one-time recovery codes (for example the time of use, IP address and user-agent). Recovery codes are stored only in hashed form and are not kept in plaintext. We also maintain data about login attempts, lockout status and related security events.

2.4 Customer Data, analyses and results

When you upload PCAP files to run analyses, those files and derived analysis data are considered Customer Data under the OST and DPA. We store PCAP files in a dedicated per-analysis directory with restricted permissions. During processing we derive encrypted-traffic metadata such as session counts, flagged sessions, severity assessments, model scores, indicators, and malware family/type labels where applicable. Certain parts of the analysis output are stored in encrypted form to support dashboards and reports in the Service.

For this category, BlackCrypt generally acts as processor or sub-processor, as applicable, under the DPA. This Privacy Policy still describes technical measures and retention behaviour at a high level so you can understand how the Service operates.

2.5 Operational logs, notifications and telemetry

We keep logs and telemetry about how the Service is used, for example records of logins, uploads, analysis submissions, system errors, and other significant actions. These logs typically contain timestamps, user identifiers, IP addresses and user-agent strings, as well as short descriptions or structured metadata about the event.

The Service also includes an in-app notification system for events such as analysis completion, low credit balance and other account-related alerts. Notification records are stored with basic metadata (for example title, body, severity and timestamps) so they can be displayed in your account. Aggregated intelligence (for example counts of malicious sessions per country) is built from analysis results using thresholds and clamping to avoid exposing low-volume or identifying information.

2.6 Website interactions, cookies and communications

When you visit the website or landing page, our systems receive standard technical information such as your IP address, browser type, operating system and the pages you access. The Service uses cookies and similar technologies that are necessary to provide secure login sessions and protect against cross-site request forgery. We do not describe any additional analytics or advertising cookies here; if such tools are added in future, they will be documented in an updated version of this Privacy Policy or a dedicated cookie notice.

When you contact us (for example via support channels or email) we process the information you choose to provide, such as your contact details, message content and any attachments, in order to respond and keep a record of the interaction.

3 Purposes and legal bases for processing

We process personal data for the following purposes and under the following legal bases:

  • Providing the Service and managing your account (contract): to register users, authenticate logins, run PCAP analyses, display dashboards, manage credits and generate invoices. This processing is necessary to perform our contract with you or to take steps at your request prior to entering into a contract.
  • Billing, tax and compliance (legal obligation and contract): to issue invoices, record purchases, account for VAT or similar taxes and meet applicable accounting and retention obligations.
  • Security, fraud prevention and abuse detection (legitimate interest and contract): to protect accounts and the Service, detect and investigate suspicious activity, enforce usage limits, apply rate-limiting and prevent misuse. This includes processing security logs, lockout data, recovery-code usage and operational logs.
  • Service quality, reliability and improvement (legitimate interest): to monitor performance, debug issues, plan capacity and improve the usability and reliability of the Service, using aggregated and non-identifying telemetry where possible.
  • Communications (legitimate interest and contract): to send you transactional communications such as account notices, password resets, analysis-complete notifications, low-credit warnings, and responses to support requests.
  • Legal claims and compliance (legitimate interest and legal obligation): to establish, exercise or defend legal claims, to respond to lawful requests from public authorities and to comply with laws that apply to us.

4 Customer Data and other personal data

The distinction between Customer Data and other personal data is important:

  • Customer Data generally includes PCAP files you upload and the personal data contained in those captures, derived analysis results and related metadata generated by the Service on your behalf.
  • Other personal data includes account and profile data, billing and invoice information, security and log data, and communications that relate to your use of the Service rather than to the content of the network traffic you submit.

For Customer Data, BlackCrypt acts as processor or sub-processor, as applicable, and processes such data only on documented instructions as set out in the DPA and OST. For other personal data described in this Privacy Policy, BlackCrypt acts as controller and determines the purposes and means of processing.

We do not use Customer Data, PCAPs, derived Results, Reports, or personal data contained in Customer Data to train, retrain, fine-tune, benchmark, or evaluate general-purpose detection, AI, or machine-learning models reused across customers, unless a separate explicit written opt-in agreement applies.

5 Sharing and disclosures

We do not sell personal data. We may share personal data with the following categories of recipients as necessary for the purposes described in this Privacy Policy, the OST and the DPA:

  • Service providers and sub-processors: such as hosting and infrastructure providers, database and storage providers, backup, logging, monitoring, email delivery, support, Geo-IP, and IP reputation or threat-intelligence providers that help us operate the Service.
  • Payment providers: to process payments and manage credit purchases. These providers receive limited billing information and transaction metadata as necessary to perform payment processing and fraud prevention.
  • Security and analytics providers: providers that help us monitor infrastructure health and security. Where possible we use aggregated or pseudonymised data.
  • Customer-chosen integrations: where you explicitly connect the Service with other tools or systems, we may share data according to your configuration and instructions.
  • Professional advisers: such as lawyers, accountants or auditors, where necessary for the establishment, exercise or defence of legal claims or for compliance.
  • Public authorities: where required to do so by law or where disclosure is necessary to protect the rights, property or safety of you, us or others.

For Customer Data, our use of sub-processors and any international transfers are further detailed in the DPA and the applicable sub-processor information made available through the Service, legal documentation, or on request.

6 International transfers

Depending on the location of our infrastructure and service providers, personal data may be processed in countries outside your own. When we transfer personal data from the European Economic Area (“EEA”) or a similar jurisdiction with data-transfer restrictions, we will ensure that appropriate safeguards are in place, such as the use of standard contractual clauses or other mechanisms recognised by applicable law.

Further information about sub-processors and their locations may be provided in the DPA, the Service, legal documentation, or a dedicated sub-processor list.

7 Retention of personal data

We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, for our legitimate business needs, and to comply with legal obligations. In practice this means:

  • PCAP files and capture-derived raw artefacts: uploaded PCAPs and capture-derived raw artefacts used solely for analysis are deleted automatically after the analysis completes or irrecoverably fails, subject only to technical backup cycles.
  • Analysis results, metadata and report artefacts: derived analysis outputs, metadata and generated report artefacts are encrypted at rest and retained for 90 days by default while the analysis remains available in the Service, unless deleted earlier by you or retained longer where required by law, security investigation, dispute handling, or an agreed enterprise retention setting.
  • Reports: reports can be generated while the relevant analysis exists. Once an analysis is deleted or expires, new reports can no longer be generated and stored report artefacts are removed according to Results retention.
  • Operational, security, support and audit logs: logs that may contain IP addresses, user identifiers, user-agent strings and technical identifiers are retained for up to 180 days by default, unless longer retention is required for legal, tax, security, incident-response or dispute reasons.
  • Backups: deletion propagates to backups within 30 days according to the backup lifecycle, unless backup isolation is legally or operationally required.
  • Notifications: in-app notifications may be automatically pruned after a configurable retention period and capped per user to limit stored volume.
  • Billing and purchase records: records of successful purchases, invoices, tax records and accounting records are kept for the duration required by tax, accounting and legal obligations. Failed or pending purchase attempts may be pruned after a shorter operational retention period.
  • Account and profile data: account and profile data is kept while your account is active and for a reasonable period afterwards where necessary to resolve outstanding matters, prevent abuse, comply with legal obligations, or establish, exercise or defend legal claims.
  • Support communications: support tickets and related communications are retained while needed to respond to requests, maintain support history, investigate issues, improve support processes, and establish, exercise or defend legal claims.

Where data is kept beyond the active life of an account for legal, security, dispute, tax, accounting, or technical reasons, we limit access to that data and apply appropriate safeguards.

8 Security of processing

We take the security of the Service and the data we process seriously and implement technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse or alteration. These measures include, among others:

  • encryption of sensitive fields such as MFA secrets and selected analysis payloads;
  • isolation of PCAP files and analysis artefacts in per-analysis directories with restricted permissions;
  • strict validation of uploaded files, including size, extension and magic-number checks;
  • authentication and authorisation controls, including support for multi-factor authentication;
  • rate-limiting and upload limits to reduce abuse and protect resources;
  • structured logging of significant actions for security and audit purposes; and
  • operational practices for patching and maintaining the underlying infrastructure.

No system can be completely secure, but we continuously monitor and improve our security measures in light of technical developments and the nature of the Service.

9 Your data-protection rights

Depending on your location and subject to applicable law, you may have the following rights in relation to personal data we process as controller:

  • Access: to obtain confirmation as to whether we process personal data about you and to receive a copy of that data.
  • Rectification: to request correction of inaccurate or incomplete personal data.
  • Erasure: to request deletion of personal data in certain circumstances (for example where it is no longer needed for the purposes described above).
  • Restriction: to request that we restrict processing of personal data in certain circumstances.
  • Objection: to object to processing based on our legitimate interests, on grounds relating to your particular situation.
  • Portability: to receive personal data you provided to us in a structured, commonly used and machine-readable format and to transmit it to another controller where technically feasible.

You also have the right to lodge a complaint with a supervisory authority if you believe our processing of personal data infringes applicable law. In Luxembourg, the supervisory authority is the Commission nationale pour la protection des données (CNPD). You may contact us first if you want us to try to resolve the issue, but this is not required before lodging a complaint.

10 How to contact us

If you have questions about this Privacy Policy or our data-processing practices, or if you wish to exercise your rights, contact us through the Service support channel or at contact@blackcrypt.ai.

BlackCrypt has not appointed a Data Protection Officer at this stage. If this changes, the relevant contact details will be added to this Privacy Policy.

When contacting us, please provide enough information to allow us to identify your account and understand your request. We may ask for additional information to verify your identity where this is necessary to protect your data.

11 Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes to the Service, to our processing activities or to applicable law. If we make material changes, we will take appropriate steps to inform you, such as displaying a notice in the Service, updating the version indicator, or sending you a communication where suitable.

The updated Privacy Policy applies from the effective date indicated in the Service or document. Where required by law, we will provide additional notice or request any required consent before materially changing how we process personal data.