Privacy Policy
Last updated: 30 December 2025
📋 Quick Summary
- What we collect: IP addresses (for rate limiting), company domains you scan
- What we DON'T collect: Names, emails, accounts, tracking
- How long: IP addresses: max 24 hours. Domains: not stored.
- Third parties: Cloudflare (hosting, security), AI providers (Google, OpenAI, Anthropic, Mistral, DeepSeek - auto-selected based on your location)
- Cookies: Only strictly necessary (Cloudflare security) + your theme preference
Full details below. Questions? Email us at privacy.cyber.laws@gmail.com
1. Data Controller
cyber-laws.com is the data controller responsible for your personal data.
Contact for privacy inquiries:
- Email: privacy.cyber.laws@gmail.com
- Discord: discord.gg/CqNfvywNvp
- LinkedIn: Andrei Mungiu
We are based in the European Union and process data in accordance with GDPR.
2. What Data We Process
2.1 Automatically Collected Data
| Data Type | Source | Example |
|---|---|---|
| IP Address | Your device via Cloudflare | 203.0.113.42 |
| Request metadata | Your browser | URL requested, timestamp |
| HTTP headers | Your browser via Cloudflare | User-Agent, Referrer, Accept-Language |
Standard HTTP headers may be logged by Cloudflare for security purposes. See Cloudflare's Privacy Policy for details.
2.2 Data You Provide
| Data Type | When Collected | Example |
|---|---|---|
| Company domain | When using AI Scanner | microsoft.com |
| Checkbox selections | Using Applicability Checker | Stored in URL only (not on server) |
| Theme preference | When you click theme toggle | dark or light |
| Accessibility preference | When you click accessibility toggle | true or false |
2.3 Data We Do NOT Collect
- ❌ Names or personal identifiers
- ❌ Email addresses
- ❌ Phone numbers
- ❌ Payment or financial data
- ❌ Precise location (GPS)
- ❌ User accounts or passwords
- ❌ Advertising identifiers
- ❌ Behavioral profiles
3. Purposes & Legal Basis
| Purpose | Data Used | Legal Basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Rate limiting (prevent API abuse) | IP address | Legitimate interest (Art. 6(1)(f)): service protection | 60 seconds |
| Abuse prevention (block repeat offenders) | IP address | Legitimate interest (Art. 6(1)(f)): security | 24 hours max |
| AI company analysis (Scanner feature) | Company domain | Contract (Art. 6(1)(b)): service you requested | Not stored (processed only) |
| Theme preference (light/dark mode) | Theme setting | Consent (Art. 6(1)(a)): you click the toggle | Until you clear browser |
| Security & delivery (Cloudflare CDN) | IP address | Legitimate interest (Art. 6(1)(f)): DDoS protection | Per Cloudflare policy |
Legitimate Interest Assessment: We have balanced our interest in protecting the service from abuse against your privacy rights. Given the minimal data collected (IP only), short retention (max 24h), and necessity for service operation, we believe this balance favors processing.
4. Cookies & Browser Storage
We use minimal browser storage. Under the ePrivacy Directive (Article 5(3)), consent is NOT required for:
- Strictly necessary cookies (essential for the service to work)
- User-initiated storage (you explicitly request it)
| Storage | Purpose | Type | Duration |
|---|---|---|---|
| theme | Your light/dark mode preference | localStorage (user-initiated) | Until cleared |
| privacy-notice-seen | Remember you've seen the privacy notice | localStorage (user-initiated) | Until cleared |
| accessibility | Your accessibility mode preference | localStorage (user-initiated) | Until cleared |
| disclaimer-accepted | Disclaimer agreement for Applicability Checker | sessionStorage (strictly necessary) | Until tab closed |
| api-disclaimer-accepted | Disclaimer agreement for API Documentation | sessionStorage (strictly necessary) | Until tab closed |
| aiRegion | Your selected AI data residency region (US/EU/China) | sessionStorage (user-initiated) | Until tab closed |
| scanSessionCompanies | List of companies scanned in current session | sessionStorage (strictly necessary) | Until tab closed |
| userNotes | Your notes added to scan results | sessionStorage (user-initiated) | Until tab closed |
| editedHints | Your edits to AI-generated explanations | sessionStorage (user-initiated) | Until tab closed |
| dismissedHints | AI suggestions you dismissed | sessionStorage (user-initiated) | Until tab closed |
| Cloudflare cookies | Security, bot protection, DDoS mitigation | Strictly necessary | Session/30 days |
✓ No cookie consent banner required: All our cookies/storage fall under the "strictly necessary" or "user-initiated" exemptions. We do not use analytics, advertising, or tracking cookies.
5. Data Recipients & Third Parties
We share data with the following categories of recipients:
☁️ Cloudflare, Inc.
- Role: Infrastructure provider (hosting, CDN, security)
- Data shared: IP address, request data
- Purpose: Content delivery, DDoS protection, bot mitigation
- Location: Global (US-based company, EU data centers available)
- Safeguards: Standard Contractual Clauses, DPA
🤖 AI Service Providers (Scanner Feature)
We use multiple AI providers to power our Scanner feature. The provider is automatically selected based on your geographic location to ensure compliance with regional data residency requirements. You can also manually select a preferred region (US, EU, or China) via the data residency toggle.
🇺🇸 Google (Gemini API) - Primary
- Model: Gemini 3 Flash
- Location: United States
- Availability: 180+ countries (excludes CN, RU, BY, IR, etc.)
- Safeguards: EU-US Data Privacy Framework
- Retention: Up to 55 days for abuse monitoring
🇺🇸 Anthropic (Claude API) - Fallback
- Model: Claude Haiku 4.5
- Location: United States
- When used: When Gemini is unavailable in your region
- Safeguards: Standard Contractual Clauses
- Retention: Up to 30 days for abuse monitoring
🇺🇸 OpenAI (GPT API) - Fallback
- Model: GPT-4o Mini
- Location: United States
- When used: When Gemini and Anthropic are unavailable
- Safeguards: EU-US Data Privacy Framework
- Retention: Up to 30 days for abuse monitoring
🇪🇺 Mistral AI - EU Option
- Model: Mistral Small
- Location: European Union (France)
- When used: When you select "EU" data residency
- Safeguards: EU-based, GDPR compliant
- Retention: Up to 30 days for abuse monitoring
🇨🇳 DeepSeek - China Option
- Model: DeepSeek Chat
- Location: China
- When used: When you select "China" data residency, or as final fallback
- Safeguards: Governed by Chinese law
- Retention: Not specified in ToS
- Note: Unlike other providers, DeepSeek's ToS does not explicitly prohibit use of API data for model training
📍 How provider selection works: We automatically detect your country from your IP address and select the first available provider in this order: Gemini → Anthropic → OpenAI → DeepSeek. You can override this by using the data residency toggle on the Scanner page.
⚠️ Important: Most AI providers retain API requests for abuse monitoring (30-55 days). Your data is NOT used to train AI models when using paid API tiers (except DeepSeek, whose ToS does not explicitly prohibit this).
Note: We do NOT sell your data. We do NOT use advertising networks. We do NOT share data with data brokers or marketing companies.
6. International Data Transfers
Your data may be processed outside the European Economic Area (EEA). We ensure adequate protection through:
| Recipient | Location | Transfer Mechanism |
|---|---|---|
| Cloudflare | USA / Global | Standard Contractual Clauses (SCCs) |
| Google (Gemini API) | USA | EU-US Data Privacy Framework |
| Anthropic (Claude API) | USA | Standard Contractual Clauses (SCCs) |
| OpenAI (GPT API) | USA | EU-US Data Privacy Framework |
| Mistral AI | France (EU) | No transfer (EU-based) |
| DeepSeek | China | Explicit user selection only |
You can request a copy of the safeguards by contacting us.
7. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| IP address (rate limiting) | 60–120 seconds | Active rate-limit window is 60s; may be retained up to 120s for cleanup |
| IP address (blocklist) | 24 hours maximum | Temporary block for abuse prevention |
| Company domains (Scanner) | Not retained | Processed in memory, not stored |
| Theme preference | Until you clear browser data | localStorage on your device only |
Practical note: Given our short retention periods, most data will be automatically deleted before any data subject request can be processed. This is by design — we minimize data collection.
8. Your Rights Under GDPR
Under GDPR, you have the following rights:
📖 Right of Access (Art. 15)
Request a copy of your personal data we hold.
✏️ Right to Rectification (Art. 16)
Request correction of inaccurate personal data.
🗑️ Right to Erasure (Art. 17)
Request deletion of your personal data ("right to be forgotten").
⏸️ Right to Restriction (Art. 18)
Request we limit processing of your data in certain circumstances.
📦 Right to Portability (Art. 20)
Receive your data in a machine-readable format.
🚫 Right to Object (Art. 21)
Object to processing based on legitimate interests.
How to Exercise Your Rights
Email us at privacy.cyber.laws@gmail.com with your request. Information will be provided without undue delay under Art. 12 in conjunction with Art. 15 GDPR (and at the latest within one month).
Verification: We may ask you to verify your identity. Given we don't collect identifying information, verification may be limited to confirming your IP address (if still retained).
9. Right to Lodge a Complaint
If you believe we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority, in particular:
- In the EU Member State of your habitual residence
- In the EU Member State of your place of work
- In the EU Member State where the alleged infringement occurred
Example supervisory authorities:
10. Automated Decision-Making
AI Scanner: When you use our AI Scanner feature, we use AI services (Google Gemini, Anthropic Claude, OpenAI GPT, Mistral, or DeepSeek - selected automatically based on your location) to analyze company domains, uploaded documents, or pasted text and suggest applicable regulations. This is:
- NOT automated decision-making with legal effects (Art. 22)
- A suggestion tool only — you review and modify the results
- Based on company information (NOT your personal data)
Content Filtering: We apply automated content filtering to reject submissions containing clearly illegal content patterns. This filtering:
- Uses pattern matching only (no AI involvement)
- Blocks requests before they reach the AI service
- Does not store or log the blocked content
Rate limiting: Our abuse prevention system automatically blocks IPs that exceed rate limits. This is:
- Temporary (max 24 hours)
- Based on objective criteria (request count)
- Necessary for service protection (legitimate interest)
11. Children's Privacy
Our website is intended for business professionals assessing regulatory compliance. We do not knowingly collect personal information from children under 16.
If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make changes:
- We update the "Last updated" date at the top
- For significant changes, we may show a notice on the website
- Previous versions are available in our Git history
13. Contact Us
For privacy-related inquiries:
- Email: privacy.cyber.laws@gmail.com
- Discord: discord.gg/CqNfvywNvp
- LinkedIn: Andrei Mungiu
We will respond to privacy inquiries without undue delay under Art. 12 in conjunction with Art. 15 GDPR (and at the latest within one month).