1. Introduction

WebDecoy ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our bot detection services, website, APIs, SDKs, and related software (collectively, the "Service").

By using the Service, you consent to the data practices described in this policy. If you do not agree with these practices, please do not use the Service.

2. Information We Collect

We collect different types of information depending on how you interact with our Service:

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (optional)
  • Company name (optional)
  • Password (stored securely using industry-standard hashing)
  • Billing information (processed by our payment provider)

2.2 Bot Detection Data

To provide bot detection services, we collect and analyze technical signals from visitors to websites using our Service. This includes:

  • Network Information: IP addresses, geolocation data (country, region, city), ASN, and ISP information
  • Device Fingerprints: Browser type and version, operating system, screen resolution, timezone, language settings, and installed plugins
  • TLS Fingerprints: JA3/JA4 fingerprints derived from TLS handshake characteristics
  • Behavioral Signals: Mouse movements, scroll patterns, keystroke dynamics, form interaction timing, and click patterns
  • HTTP Headers: User-Agent, Accept headers, referrer, and other standard HTTP headers
  • JavaScript Environment: Browser API availability, WebGL renderer, canvas fingerprint, and automation markers
  • Session Data: Timestamps, page views, navigation patterns, and session duration

This data is collected to distinguish legitimate human visitors from automated bots and is processed in real time to generate threat scores.

2.3 Usage Information

We automatically collect information about how you use our dashboard and website:

  • Pages visited and features used
  • Time spent on pages
  • Clicks and interactions
  • Error logs and performance data

2.4 Communications

When you contact us, we collect:

  • Email correspondence
  • Support tickets and chat logs
  • Feedback and survey responses

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Providing the Service

  • Detect and mitigate bot traffic on your websites
  • Generate threat scores and risk assessments
  • Deliver real-time alerts and reports
  • Process API requests and SDK integrations

3.2 Improving the Service

  • Train and improve our bot detection algorithms
  • Identify new bot patterns and attack vectors
  • Analyze aggregate trends in bot activity
  • Develop new features and capabilities

3.3 Account Management

  • Create and manage your account
  • Process payments and billing
  • Send service-related communications
  • Provide customer support

3.4 Security and Compliance

  • Protect against fraud and abuse
  • Enforce our Terms of Service
  • Comply with legal obligations
  • Respond to lawful requests from authorities

4. Data Sharing and Disclosure

We do not sell your personal information. We may share information in the following circumstances:

4.1 Service Providers

We share data with third-party vendors who assist in providing the Service, including:

  • Cloud infrastructure providers (hosting, storage)
  • Payment processors
  • Analytics services
  • Customer support tools

These providers are contractually obligated to protect your data and use it only for the services they provide to us.

4.2 Aggregated Data

We may share aggregated, anonymized data that cannot identify individuals. This includes:

  • Industry reports on bot traffic trends
  • Research publications
  • Marketing materials

4.3 Legal Requirements

We may disclose information when required by law or to:

  • Comply with legal process or government requests
  • Protect our rights, property, or safety
  • Prevent fraud or illegal activity
  • Enforce our Terms of Service

4.4 Business Transfers

If WebDecoy is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your information.

5. Data Retention

We retain data for different periods depending on the type:

  • Account Data: Retained while your account is active and for 30 days after a deletion request
  • Bot Detection Logs: Retained for 90 days by default (configurable per plan)
  • Aggregated Analytics: Retained indefinitely in anonymized form
  • Billing Records: Retained for 7 years as required by law

You may request deletion of your data by contacting us. Note that some data may be retained as required by law or for legitimate business purposes.

6. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption: Data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access with multi-factor authentication
  • Infrastructure: SOC 2 compliant cloud infrastructure
  • Monitoring: 24/7 security monitoring and intrusion detection
  • Auditing: Regular security audits and penetration testing

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Your Rights and Choices

Depending on your location, you may have the following rights:

7.1 Access and Portability

You can request a copy of the personal data we hold about you in a structured, machine-readable format.

7.2 Correction

You can update your account information through the dashboard or request corrections to inaccurate data.

7.3 Deletion

You can request deletion of your personal data. We will comply unless we have a legal obligation to retain it or a legitimate business need.

7.4 Opt-Out

You can opt out of:

  • Marketing emails (via unsubscribe link)
  • Non-essential cookies (via cookie preferences)
  • Certain data processing activities (contact us)

7.5 Complaints

If you believe we have violated your privacy rights, you may file a complaint with your local data protection authority.

8. International Data Transfers

WebDecoy is based in the United States. If you access our Service from outside the US, your data may be transferred to and processed in the US or other countries where our service providers operate.

For transfers from the European Economic Area (EEA), UK, or Switzerland, we rely on:

  • Standard Contractual Clauses approved by the European Commission
  • Data Processing Agreements with our service providers
  • Other legally recognized transfer mechanisms

9. GDPR Compliance (EEA Users)

For users in the European Economic Area, we process data under the following legal bases:

  • Contract: Processing necessary to provide the Service you requested
  • Legitimate Interest: Bot detection, security, and service improvement
  • Consent: Marketing communications and optional data collection
  • Legal Obligation: Compliance with applicable laws

You have additional rights under GDPR including the right to object to processing based on legitimate interests and the right to data portability.

10. CCPA Compliance (California Users)

California residents have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: What personal information we collect and how we use it
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We do not sell personal information
  • Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise these rights, contact us at [email protected].

11. Cookies and Tracking

We use cookies and similar technologies for:

  • Essential Cookies: Required for the Service to function (authentication, security)
  • Analytics Cookies: Help us understand how users interact with our website
  • Preference Cookies: Remember your settings and preferences

You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of the Service.

12. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

13. Children's Privacy

Our Service is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

15. Data Processing for Customers

If you use WebDecoy to detect bots on your website, you act as the data controller for your visitors' data, and WebDecoy acts as a data processor. We provide:

  • Data Processing Agreements (DPA) upon request
  • Documentation of our security measures
  • Support for your compliance obligations
  • Data export and deletion capabilities

You are responsible for providing appropriate privacy notices to your users and obtaining any necessary consents for bot detection data collection.

16. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

For data subject requests (access, deletion, correction), please include sufficient information to verify your identity and specify the nature of your request.