Privacy Policy
Last updated: March 22, 2026
1. What We Collect
When you create an account, we collect:
- Email address — for account verification and security notifications
- Display name — shown publicly on your reports and profile
- Password — stored as a bcrypt hash, never in plaintext
When you use the platform, we collect:
- IOC submissions — phishing URLs, domains, IPs, emails you report
- Votes — your confirm/reject votes on reports
- IP address — for rate limiting and abuse prevention (held only briefly in Redis and purged hourly; see Section 13)
- API usage — request counts for rate limiting
2. What We Don't Collect
- We do not use cookies for advertising or cross-site tracking. The only cookies set are the first-party Google Analytics 4 (GA4) cookies used for aggregated usage statistics — see Section 8 for details
- We do not sell your personal data, and we do not share it with third parties except for the Google Analytics processing described in Section 8 and the legal disclosures described in Section 12
- We do not track your browsing activity outside of vspam.org
3. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
- Consent — when you create an account and accept this policy
- Contract performance — to provide the service you registered for (account management, report submission, voting)
- Legitimate interest — platform security, abuse prevention, rate limiting, threat intelligence operations, maintaining data quality
- Legal obligation — responding to law enforcement requests where legally required
You may withdraw consent at any time by deleting your account. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
4. How We Use Your Data
- Email — account verification, password reset, security alerts only
- Display name — shown publicly alongside your reports and votes
- IOC submissions — published in our threat database, feeds, and DNSBL
- Votes — aggregated to determine report consensus status
- IP addresses — rate limiting only, automatically purged from Redis
5. Public Information
The following information is publicly visible:
- Your display name and trust tier
- Reports you submit (IOC value, category, evidence text)
- Your vote history (confirm/reject, visible on report pages)
- Your reputation score and report statistics
Your email address is never publicly visible.
6. Data Storage
- Data is stored on servers in Germany (Contabo/Hetzner)
- Passwords are hashed with bcrypt (cost factor 12)
- API keys are stored as SHA-256 hashes
- All connections to vspam.org and api.vspam.org use TLS (HTTPS)
- Database backups are encrypted at rest
- Data controller: PlatOps Security, LLC (interim operator pending nonprofit registration)
- Contact: privacy@vspam.org
7. Browser Extension
The vspam browser extension:
- Only accesses the URL of the active tab when you click the extension icon
- Does not collect browsing history
- Stores your API key locally in browser storage (never transmitted except to api.vspam.org)
- Screenshots are captured only when you explicitly submit a report
8. Local Storage & Cookies
We use browser local storage (not cookies) to store:
- Authentication token (JWT) — for session management
- Theme preference — light, dark, or system setting
These are strictly necessary for the service to function. No advertising cookies are used.
Google Analytics 4 (GA4) — We use GA4 (measurement ID: G-DJ7EVYRFJP) to collect aggregated usage statistics such as page views, session duration, and general geographic region. GA4 sets first-party cookies (_ga, _ga_*) that hold a random client identifier for this purpose; this data is pseudonymous rather than strictly anonymous. GA4 does not log or store IP addresses, so no separate IP-anonymization setting is required. The data is processed by Google LLC under Google's Privacy Policy. To opt out, install the Google Analytics Opt-out Browser Add-on or use a content blocker that blocks Google Analytics. Note that Google Analytics does not honor the browser Do Not Track signal, so enabling Do Not Track alone does not opt you out.
9. Children's Privacy
vspam.org is not intended for users under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete the account and all associated personal data promptly. If you believe a child has provided us with personal data, contact privacy@vspam.org.
10. International Data Transfers
Your data is stored on servers in Germany (EU), where the GDPR applies. If you access the Platform from outside the EU, your data will be transferred to and processed in the EU. We do not transfer personal data outside the EU/EEA except where necessary to respond to your own requests (e.g., a data export sent to you) and for the usage statistics processed by Google LLC through Google Analytics, as described in Section 8.
11. Email Communications
We send only transactional emails:
- Account verification
- Password reset
- Security alerts (e.g., suspicious login, API key compromise)
There is no marketing email list. You cannot opt out of security alerts as they are necessary for account safety, but you can delete your account to stop all emails.
12. Law Enforcement Requests
We may disclose personal data if required by law, subpoena, or court order. We will notify affected users unless prohibited by law. We do not voluntarily share data with law enforcement without legal process.
13. Data Retention
- Account data — retained until you request deletion
- IOC reports — retained indefinitely as part of the threat database
- Rate limit data — automatically purged hourly
- Verification tokens — expire after 24 hours
14. Your Rights
Under GDPR and applicable data protection law, you have the following rights:
- Right to access — request a full export of your personal data
- Right to rectification — request correction of inaccurate personal data
- Right to erasure — request deletion of your account and personal data. Note: IOC reports that have been confirmed and distributed via feeds cannot be retroactively removed from third-party systems, but will be disassociated from your identity
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interest
- Right to lodge a complaint — you have the right to lodge a complaint with your local Data Protection Authority if you believe your data is being processed unlawfully
We will respond to all privacy requests within 30 days. Contact privacy@vspam.org for any privacy-related requests.
15. Data Controller
The data controller is PlatOps Security, LLC (interim operator; vspam.org will transition to a registered nonprofit organization). Contact: privacy@vspam.org. Your rights, including the right to lodge a complaint with your local Data Protection Authority, are described in Section 14.
16. Changes
We may update this policy. Significant changes will be announced on the platform. Continued use after changes constitutes acceptance.