Privacy Policy

What data Acloak handles, the difference between your account data and your visitors' data, who we share it with, and your rights.

Last updated

This Privacy Policy explains how Acloak ("Acloak", "we") handles personal data in connection with acloak.com and the Service. You can reach us anytime through our contact form.

In plain terms: There are two very different kinds of data here. (1) Data about you, our customer — your account and billing — where we decide how it's used. (2) Data about your website visitors, which we only process for you and on your instructions. Knowing which is which is the whole point of this page.

1. Two roles: who's responsible for what

In plain terms: For your account data, we're the "controller". For your visitors' data, you are the controller and we are just your "processor".

  • Your account & billing data — Acloak is the controller. We decide how this data is used to run your account and provide the Service.
  • Your visitors' data — you are the controller, Acloak is the processor. When the loader on your site sends us visitor data so we can make a filtering decision, we act only on your instructions. You are responsible for having a lawful basis and for giving your visitors the required privacy notices. Visitors who want to exercise their rights should contact the operator of the site they visited (our customer), not Acloak — though we will help our customer respond.

2. Data we collect as controller (your account)

We collect:

  • Account data: your name, email address, and a securely hashed password (or an OAuth identifier if you sign in with a provider), plus session information.
  • Support data: messages and tickets you send us.
  • Billing data: for card payments, a Stripe customer reference (Stripe holds your card details, not us); for crypto payments, the receiving address, amount, and on-chain transaction ID of your order. We never hold your crypto private keys.
  • Product usage: logs and metadata about how you use the dashboard, for security and to improve the Service.

Why and on what basis: to provide and secure the Service and process payments (performance of our contract with you); to prevent fraud and abuse and improve the product (our legitimate interests); to send service messages; to meet tax, accounting, and anti-money-laundering obligations (legal obligation); and, where required, with your consent.

3. Visitor data we process for you (as your processor)

In plain terms: To filter traffic, we look at signals about each visitor. IP addresses and location are personal data — we don't pretend otherwise — and we only use them to do the job you hired us for.

On your behalf and on your instructions, we process the following about visitors to your sites, solely to perform real-time traffic filtering and bot/fraud detection for you:

  • visitor IP address and derived geolocation (country, city, ASN, ISP);
  • device, operating system, browser, language, timezone, and connection type (derived from the user-agent);
  • VPN / proxy / datacenter and bot signals;
  • required campaign parameters (e.g. URL query parameters you configure) and per-IP click counts.

This is stored as visit logs and daily roll-ups, and cached temporarily for performance. We do not use visitor data for our own purposes, and we do not sell it or use it for cross-context behavioral advertising.

4. Sub-processors

In plain terms: A few trusted vendors help us run the Service. We keep them to a minimum.

We use the following sub-processors and keep this list current:

  • ip-api — IP geolocation lookups.
  • IPHub — VPN/proxy/datacenter intelligence.
  • Stripe — card payment processing.
  • CoinGecko — crypto exchange-rate quotes.
  • Transactional email provider — sends account and billing emails.
  • Cloudflare — CDN and web application firewall (WAF).
  • Hetzner — server hosting.

5. International transfers

We host the Service in the European Union (Hetzner, Germany). Some sub-processors may process data outside your country (for example, Stripe in the US); where that happens, we use appropriate safeguards for the transfer.

6. How long we keep data

In plain terms: We keep traffic logs only as long as useful, and billing records longer because the law requires it.

  • Visitor visit logs: retained for up to 90 days, then deleted or aggregated.
  • Daily roll-ups (aggregated analytics): retained for reporting.
  • Cache: short-lived and cleared automatically.
  • Account & billing records: kept while your account is active, and afterward as required for legal, tax, and anti-fraud purposes.

On termination, we delete or return your data within 30 days, except where we must retain it by law.

7. Security

We use technical and organizational measures including encryption in transit, hashed passwords, access controls, and a Cloudflare WAF/CDN layer. No system is perfectly secure, but we work to protect your data and will notify affected customers of a personal-data breach as required by law.

8. Your rights

In plain terms: You can access, correct, or delete your data, and object to certain uses. For your visitors' requests, point them to the site they visited — but we'll help you handle them.

For your account data (we are controller): depending on where you live, you may have the right to access, correct, delete, restrict, or port your data, to object to processing, to withdraw consent, and to complain to a supervisory authority. Under US laws such as the CCPA/CPRA, you may have rights to know, delete, correct, and opt out of "sale" or "sharing" — Acloak does not sell or share personal information and does not use it for cross-context behavioral advertising.

For visitor data (you are controller): we will assist you, as your processor, in responding to your visitors' requests and will route any visitor request we receive back to you.

To exercise account rights, send us a request through our contact form.

9. Cookies on acloak.com

Our own website and dashboard use essential cookies for authentication and sessions, and limited analytics to keep the product reliable. This is separate from the visitor data we process on your sites (Section 3). You can control cookies in your browser; blocking essential cookies may break sign-in.

10. Children & business scope

The Service is a business tool and is not directed to children or to consumers. We do not knowingly collect data from children.

11. Changes & contact

We may update this Policy; we'll change the "last updated" date and, for material changes, provide notice. For privacy questions or requests, reach us through our contact form. See also our Terms of Service and Refund Policy.