Privacy Policy

Version: 2026.01.11

1. Overview

Noxtica ("we", "our", or "us") is a browser fingerprinting and bot detection platform. This Privacy Policy explains how we collect, use, store, and protect data when you interact with our Services, including:

• Our website at noxtica.com
• The demo at demo.noxtica.com
• The admin dashboard (Backoffice) at backoffice.noxtica.com
• Our collector SDK when integrated on customer websites
• Our API services

This policy also explains your rights regarding your personal data and how to exercise them.

2. Data Controller vs. Data Processor

2.1 When Noxtica is the Data Controller

Noxtica acts as the data controller for:

• Data collected on our own websites (noxtica.com, demo.noxtica.com)
• Backoffice account information (admin users)
• Contact form submissions
• Marketing and communication data

2.2 When Noxtica is the Data Processor

Noxtica acts as a data processor when:

• Our customers deploy the Noxtica SDK on their websites
• We process fingerprint data on behalf of our customers

When we act as a data processor, our customers are the data controllers. They are responsible for providing appropriate privacy notices to their end users, obtaining any required consents, and ensuring lawful processing. For data subject requests concerning fingerprint data collected on customer websites, please contact the relevant website operator.

3. What Data We Collect

3.1 Browser Fingerprint Data

When the Noxtica collector is active (on our demo or customer websites), we collect browser signals including:

• Canvas fingerprint - Rendered graphics characteristics (stored as hash)
• WebGL fingerprint - Graphics card and driver information (stored as hash)
• Audio fingerprint - Audio processing characteristics (stored as hash)
• Screen properties - Resolution, color depth, pixel ratio
• Browser information - User agent, language, timezone, plugins
• Hardware signals - Device memory, CPU cores, touch support
• JavaScript API behaviors - Feature detection and API availability

Important: Canvas, WebGL, and audio fingerprints are stored as cryptographic hashes. The original rendered content is not retained.

3.2 Server-Side Data

We automatically collect network and request metadata:

• IP address - May be hashed for privacy; used to derive location
• Geographic location - Country, region, city (derived from IP)
• Network information - ASN, ISP, connection type
• Request metadata - HTTP headers, TLS version, protocol
• Bot detection signals - Timing patterns, behavior indicators

3.3 Backoffice Account Data

If you have a Backoffice account, we collect:

• Email address - For authentication and communication
• Password - Stored using PBKDF2-HMAC-SHA256 with 100,000 iterations and random salt
• Role and permissions - Access control information
• MFA credentials - Encrypted TOTP secrets (if enabled)
• Session data - Hashed IP and user agent for security
• Audit logs - Records of administrative actions

3.4 Contact and Communication Data

When you contact us:

• Name and email address
• Message content
• Any information you voluntarily provide

4. How We Use Your Data

4.1 Fingerprint and Detection Services

• Generate device identifiers for recognition
• Calculate risk scores for bot and fraud detection
• Detect anomalous or suspicious behavior patterns
• Provide analytics and insights to customers

4.2 Service Operation

• Authenticate users and manage sessions
• Enforce rate limits and prevent abuse
• Maintain security and integrity of our systems
• Generate anonymized, aggregated analytics

4.3 Service Improvement

• Improve fingerprinting accuracy and coverage
• Enhance bot detection algorithms
• Debug and fix technical issues
• Develop new features and capabilities

4.4 Legal and Security

• Comply with legal obligations
• Respond to lawful requests from authorities
• Protect our rights and property
• Investigate potential violations

5. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), UK, and other jurisdictions requiring legal basis:

Purpose	Legal Basis
Providing the Services	Contract performance
Security and fraud detection	Legitimate interests
Account management	Contract performance
Audit logging	Legitimate interests
Legal compliance	Legal obligation
Service improvement	Legitimate interests

Our legitimate interests include: operating secure services, preventing fraud and abuse, improving our technology, and protecting our users and customers.

6. Data Storage and Security

6.1 Infrastructure

All data is stored on Cloudflare's global infrastructure with:

• Encryption at rest and in transit (TLS 1.2+)
• Geographic data residency options (where applicable)
• Redundancy and high availability

6.2 Security Measures

We implement industry-standard security practices:

• Password security - PBKDF2-HMAC-SHA256 with 100,000 iterations and random salt
• Session security - HttpOnly, Secure, SameSite=Strict cookies
• API security - Hashed API keys, short-lived tokens (5-minute expiry)
• Access control - Role-based permissions and multi-tenant isolation
• Rate limiting - Protection against abuse and brute force
• Audit logging - Comprehensive logging of sensitive operations

6.3 Privacy-Enhancing Measures

• IP addresses may be hashed before storage
• Fingerprint signals are stored as one-way hashes
• User agents are hashed for session tracking
• Configurable data retention periods

7. Data Retention

7.1 Fingerprint Data

• Default retention: 30 days
• Configurable: Customers can set shorter or longer periods
• Automatic cleanup: Daily job removes expired data

7.2 Account Data

Retained while your account is active. Deleted upon account termination (after reasonable backup period).

7.3 Audit Logs

Retained for 90 days by default. May be retained longer for legal or security purposes.

8. Data Sharing and Disclosure

8.1 We Do Not Sell Data

We do not sell, rent, or trade personal data to third parties for marketing purposes.

8.2 Service Providers

We share data with service providers who assist in operating our Services. See our Subprocessors page for the current list.

8.3 Legal Requirements

We may disclose data when required by law or legal process, including court orders, regulatory requests, and law enforcement requests (with appropriate legal process).

8.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, data may be transferred. We will notify affected users of any change in ownership or control.

9. Cookies and Similar Technologies

9.1 Our Websites

Our websites use minimal cookies:

• Session cookies - Essential for login and security (Backoffice)
• No tracking cookies - We do not use third-party analytics or advertising trackers

9.2 Noxtica SDK

The SDK itself does not set cookies. It may use localStorage or sessionStorage (configurable).

For full details, see our Cookie Policy.

10. International Data Transfers

If you are located outside the region where our servers are located, your data may be transferred internationally. We ensure appropriate safeguards:

• Standard Contractual Clauses (SCCs) where applicable
• Adequacy decisions (for transfers to approved countries)
• Other lawful transfer mechanisms

11. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Right to Access - Request a copy of the personal data we hold about you
• Right to Rectification - Request correction of inaccurate or incomplete data
• Right to Erasure - Request deletion of your personal data, subject to legal retention requirements
• Right to Restriction - Request that we limit processing of your data in certain circumstances
• Right to Data Portability - Receive your data in a structured, machine-readable format
• Right to Object - Object to processing based on legitimate interests
• Right to Withdraw Consent - Where processing is based on consent, withdraw consent at any time

How to Exercise Rights

To exercise these rights, contact us at:

• Email: [email protected]
• Subject line: Include "Privacy Request" for faster routing

We will respond within 30 days (or as required by applicable law).

Note: For fingerprint data collected on customer websites, please contact the website operator (data controller) directly.

12. Customer Responsibilities

If you are a Noxtica customer deploying our SDK, YOU ARE SOLELY RESPONSIBLE for:

• Complying with applicable privacy laws (GDPR, CCPA, etc.)
• Providing clear notices to end users about fingerprinting
• Obtaining any legally required consent
• Including fingerprinting disclosure in your privacy policy
• Responding to data subject requests from your users
• Configuring appropriate data retention periods

Noxtica provides the technology; you are responsible for its lawful use.

13. Children's Privacy

The Services are not directed to children under 16 (or applicable age of consent). We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us for prompt deletion.

14. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

• Posting the updated policy on our website
• Updating the "Last Updated" date
• For significant changes, sending email notification

Your continued use of the Services after changes constitutes acceptance.

15. Contact Us

For questions, concerns, or requests regarding this Privacy Policy:

• Email: [email protected]
• Website: noxtica.com/contact

For EU/EEA representatives or DPO inquiries, contact us at the email above with "GDPR" in the subject line.

This Privacy Policy is effective as of the Last Updated date above.