Section 01
Data Controller
The data controller responsible for the processing of your Personal Data is:
SikkerAPI
Denmark
Email: [email protected]
"Personal Data" has the meaning given in Regulation (EU) 2016/679 (General Data Protection Regulation). Where this Policy refers to "processing," it encompasses any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
Section 02
Data We Collect
We collect and process the following categories of Personal Data:
| Category | Data | Source |
|---|
| Account data | Username, email, first name, last name, country, account type, company name, VAT/Tax ID | Provided by you at registration |
| Authentication data | Hashed password, password change timestamps, failed login attempts | Generated during account use |
| Network data | IP addresses used to access the Service, registration IP address | Collected automatically |
| Device and session data | User-agent strings, session identifiers, browser and device characteristics | Collected automatically |
| Usage data | API queries, request timestamps, endpoints accessed, response metadata | Collected automatically |
| Geolocation data | Country and city derived from your IP address, ASN information | Derived via MaxMind GeoIP2 |
| Contribution data | IP reports, threat indicators, and metadata submitted by you | Provided by you voluntarily |
| Analytics data | Page views, interaction events, pseudonymous session identifiers, page referrers | Collected automatically (with consent) |
We do not collect or process special categories of Personal Data (e.g., racial or ethnic origin, political opinions, health data, biometric data) as defined under Article 9 of the GDPR.
Section 03
Legal Basis for Processing
We process your Personal Data under the following lawful bases as defined in Article 6(1) of the GDPR:
| Purpose | Lawful basis | GDPR Article |
|---|
| Account registration and management | Performance of contract | 6(1)(b) |
| Provision and operation of the Service | Performance of contract | 6(1)(b) |
| Security, fraud prevention, and abuse detection | Legitimate interest | 6(1)(f) |
| API rate limiting and access control | Legitimate interest | 6(1)(f) |
| Threat intelligence aggregation from contributions | Legitimate interest | 6(1)(f) |
| First-party analytics | Consent | 6(1)(a) |
| Anonymous audience measurement | Legitimate interest | 6(1)(f) |
| Compliance with legal obligations | Legal obligation | 6(1)(c) |
Where we rely on legitimate interest, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. The primary legitimate interest is the operation of a threat intelligence platform that contributes to collective cybersecurity defense.
Section 04
How We Use Your Data
We use the data we collect for the following purposes:
- —To create, authenticate, and manage your account.
- —To provide IP reputation lookups, threat intelligence queries, and API access.
- —To enforce rate limits, detect abuse, and prevent unauthorized access to the Service.
- —To aggregate and validate contributed threat data into the collective intelligence dataset.
- —To detect, investigate, and respond to security incidents affecting the Service.
- —To generate aggregate analytics about Service usage and threat landscape trends.
- —To communicate with you about your account, service changes, or security notifications.
- —To comply with applicable legal obligations, including law enforcement requests.
We do not use your Personal Data for profiling, automated individual decision-making with legal effects, advertising, or sale to third parties.
Section 05
Data Sharing & Disclosure
We do not sell, rent, or trade your Personal Data. We may share data in the following limited circumstances:
- —Infrastructure providers: We use third-party hosting and infrastructure services to operate the Service. These providers process data on our behalf under data processing agreements compliant with Article 28 GDPR.
- —Geolocation services: IP addresses are processed through MaxMind GeoIP2 databases hosted locally on our infrastructure. No Personal Data is transmitted to MaxMind for this purpose.
- —Law enforcement: We may disclose data when required by law, court order, or governmental authority, or where necessary to protect the rights, safety, or property of SikkerAPI, its users, or the public.
- —Aggregate threat intelligence: Contributed threat data is aggregated into the collective dataset and made available through the Service. This data does not contain Personal Data of contributors.
We do not share your registration data, account details, API usage logs, or any other Personal Data with other users of the Service.
A current list of sub-processors engaged by SikkerAPI is maintained at sikkerapi.com/sub-processors. This list is updated when sub-processors are added or removed.
Section 06
International Data Transfers
SikkerAPI is based in Denmark and primarily processes data within the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:
- —European Commission adequacy decisions (Article 45 GDPR).
- —Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR).
You may request information about the specific safeguards applied to international transfers by contacting us at the address provided in the Contact section.
Section 07
Data Retention
We retain Personal Data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.
| Data category | Retention period |
|---|
| Account data | Lifetime of account + 12 months after deletion |
| Authentication data | Lifetime of account, deleted on account deletion |
| Network and device data | 24 months from collection |
| API usage logs | 24 months from collection |
| Geolocation data | 24 months from collection |
| Contribution data | Raw reports retained for 30 days; aggregated into threat intelligence dataset and purged after 30 days of inactivity |
| Analytics data | 24 months from collection |
| Anonymous audience metrics | 13 months from collection |
Contribution data is aggregated into the threat intelligence dataset at the time of submission. Raw individual reports are retained for 30 days and then permanently deleted. The aggregated threat indicators are purged after 30 days of inactivity from all sources (sensors and contributors).
When data reaches the end of its retention period, it is permanently deleted or irreversibly anonymized within 30 days.
Section 08
Listing Corrections & Public Visibility Removal
If an IP address appears on our public listings and you believe it is inaccurate or outdated, you may request a listing correction. Corrections remove public visibility and search results for that IP.
Listing corrections are granted only for verified control and valid reasons (e.g., false positives, IP ownership changes, or dynamic reassignment). They do not delete internal telemetry or aggregated security signals retained for threat analysis and abuse prevention.
Submit a request via our removal form at sikkerapi.com/removeme.
Section 09
Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- —Right of access (Article 15): You may request a copy of the Personal Data we hold about you.
- —Right to rectification (Article 16): You may request correction of inaccurate or incomplete Personal Data.
- —Right to erasure (Article 17): You may request deletion of your Personal Data, subject to legal retention obligations and the exceptions set out in Article 17(3).
- —Right to restriction (Article 18): You may request that we restrict processing of your data while a dispute or verification is pending.
- —Right to data portability (Article 20): You may request a machine-readable export of the Personal Data you provided to us.
- —Right to object (Article 21): You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
- —Right to withdraw consent (Article 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days, as required by Article 12(3) GDPR. We may request verification of your identity before processing your request.
You also have the right to lodge a complaint with a supervisory authority. The relevant authority for SikkerAPI is the Danish Data Protection Agency (Datatilsynet): datatilsynet.dk.
Section 10
Cookies, Storage & Analytics
The Service uses strictly necessary cookies for authentication and session management, and optional first-party analytics tracking subject to your consent. We do not use advertising cookies, third-party tracking pixels, or third-party analytics services.
| Name | Purpose | Duration | Storage type |
|---|
| access_token | Short-lived JWT that authenticates your requests to the Service | 15 minutes | Strictly necessary cookie (HttpOnly, Secure, SameSite=Lax) |
| refresh_token | Maintains your session and issues new access tokens without requiring re-authentication | 24 hours, or 30 days if "remember me" is selected | Strictly necessary cookie (HttpOnly, Secure, SameSite=Lax) |
| ska_analytics_consent | Records your analytics consent preference (granted or denied) | 1 year | Consent management cookie (Secure, SameSite=Lax) |
| _ska_sid | Pseudonymous session identifier used to group analytics events within a single browser session | Browser session | Analytics (sessionStorage, consent required) |
Both authentication cookies are set with the HttpOnly flag, meaning they are not accessible to client-side JavaScript. The Secure flag ensures they are only transmitted over encrypted HTTPS connections. Refresh tokens are hashed before server-side storage; plaintext tokens are never persisted.
Strictly necessary cookies (authentication and session management) do not require consent under Article 5(3) of the ePrivacy Directive (2002/58/EC), as they are essential for the functioning of the Service.
First-Party Analytics
With your consent, we collect pseudonymous usage data to understand how visitors interact with the Service. This analytics system is entirely first-party — no data is shared with or collected by third-party analytics providers. The data collected includes:
- —Pages viewed and navigation patterns
- —Interaction events (e.g., button clicks, form submissions)
- —Pseudonymous session identifiers stored in sessionStorage (not cookies)
- —Client IP address and user agent string (logged server-side)
- —Page referrer information
Analytics tracking is disabled by default and only activates after you provide explicit consent via the banner displayed at the bottom of the page. Your preference is stored in a cookie named ska_analytics_consent shared across all sikkerapi.com subdomains. You may withdraw consent at any time by clearing this cookie from your browser, after which the consent banner will reappear.
Consent decisions and timestamps may be logged server-side for compliance purposes, in accordance with Article 7(1) GDPR which requires the controller to demonstrate that consent was given. The lawful basis for analytics processing is consent under Article 6(1)(a) of the GDPR and Article 5(3) of the ePrivacy Directive (2002/58/EC).
Anonymous Audience Measurement
For visitors who do not consent to analytics, we collect minimal, pseudonymous audience measurement data under GDPR Legitimate Interest (Article 6(1)(f)), following the CNIL exemption criteria for audience measurement tools.
This processing computes a daily-rotating hash from your IP address and browser user agent string. The raw IP address and user agent are used only for this computation and are immediately discarded — they are never stored. The resulting hashed identifier changes every day, making it impossible to track any individual across days.
The only data stored is:
- —A 16-character pseudonymous visitor hash (rotated daily, not reversible)
- —Page path visited
- —Referrer domain only (not the full URL)
- —Country code (derived from IP via local geolocation lookup; IP discarded after)
This processing does not use cookies or any client-side storage. It does not enable cross-site tracking (the hash is scoped to this domain). Data is retained for a maximum of 13 months and then permanently deleted. It is used solely to measure aggregate audience size, bounce rate, top pages, country distribution, and referrer sources. It cannot be used to identify or re-identify any individual visitor.
You may object to this processing at any time under Article 21 GDPR by contacting [email protected].
Section 11
Children's Privacy
The Service is designed for cybersecurity professionals, organizations, and technical users, and is not directed at children. In accordance with Article 8 of the GDPR and the Danish implementation setting the age of digital consent at 16, we do not knowingly collect Personal Data from individuals under the age of 16.
If we become aware that we have collected Personal Data from a child under 16 without valid parental consent, we will take steps to delete that data promptly. If you believe a child under 16 has provided data to us, contact us at [email protected].
Section 12
Security Measures
We implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction, in accordance with Article 32 of the GDPR. These measures include:
- —Passwords are hashed using Argon2id with per-user salts. Plaintext passwords are never stored or logged.
- —All data in transit is encrypted using TLS 1.2 or higher.
- —API authentication is enforced on all non-public endpoints.
- —Account lockout mechanisms are in place to mitigate brute-force attacks.
- —Access to production systems and databases is restricted to authorized personnel on a need-to-know basis.
- —Geolocation lookups are performed against locally hosted databases. No user IP addresses are transmitted to third-party geolocation services.
- —Security response headers are enforced on all endpoints, including clickjacking protection (X-Frame-Options), MIME-type sniffing prevention (X-Content-Type-Options), strict transport security (HSTS), and referrer policy controls.
No system is completely secure. In the event of a data breach affecting your Personal Data, we will notify you and the relevant supervisory authority in accordance with Articles 33 and 34 of the GDPR.
Section 13
Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, the Service, or applicable law. Material changes will be communicated via email to the address associated with your account or through a prominent notice on the Service.
The "Effective date" at the top of this Policy indicates when it was last updated. We encourage you to review this Policy periodically. Continued use of the Service after changes take effect constitutes acceptance of the revised Policy.
Section 14
Contact
For privacy inquiries or to exercise your data protection rights, contact:
SikkerAPI
Email: [email protected]