Privacy Policy
How we collect, use, and protect your data
Last updated: December 2025
This Privacy Policy describes how BotSigged (“we,” “us,” or “our”) collects, uses, and handles data in connection with our bot detection and fraud prevention services (the “Services”).
1. Who We Are
BotSigged provides bot detection and fraud prevention services to businesses (“Customers”). We act as a data processor on behalf of our Customers, who integrate our Services into their websites and applications.
If you are an end user visiting a website that uses BotSigged, that website’s operator is the data controller responsible for your personal data. This policy explains what data we process on their behalf.
2. Data We Process
When you visit a website using BotSigged, we may process the following data to determine whether traffic is from a human or a bot:
Connection Data
- IP address
- Timestamp of request
Device and Browser Data
- User agent string
- Browser type and version
- Operating system
- Screen resolution
- Language and timezone settings
- Installed fonts and plugins (where available)
Behavioral Data
- Mouse movement patterns
- Keystroke dynamics (timing patterns, not content)
- Scroll behavior
- Touch interactions on mobile devices
- Navigation patterns
We do not collect:
- Names, email addresses, or account credentials
- Payment information
- Content you type or submit on websites
- Data from cookies (we do not set cookies)
3. How We Use Data
We process data solely to:
- Distinguish human visitors from automated bots
- Detect and prevent fraud, abuse, and unauthorized access
- Provide threat intelligence and analytics to our Customers
- Improve and maintain our Services
We do not:
- Sell personal data
- Use data for advertising
- Track users across different websites
- Build profiles for purposes other than bot detection
4. Legal Basis for Processing
We process personal data on behalf of our Customers based on their legitimate interest in protecting their websites and users from bots, fraud, and abuse. Security and fraud prevention are recognized as legitimate interests under GDPR Recital 47.
5. Data Retention
We retain raw personal data (including IP addresses) for a maximum of 30 days for active threat detection and analysis.
After this period, data is either deleted or aggregated and anonymized for longer-term analysis and service improvement. Anonymized data cannot be used to identify individuals.
Upon termination of a Customer agreement, we delete their data within 90 days.
6. Data Sharing
We do not sell personal data. We may share data with:
Customers: We provide our Customers with bot scores, threat classifications, and aggregated analytics about traffic to their sites.
Subprocessors: We use third-party service providers to host and operate our Services. Current subprocessors include:
- Fly.io — Infrastructure and data storage
Legal Requirements: We may disclose data if required by law, regulation, or legal process.
7. International Data Transfers
Our Services may process data in countries outside the European Economic Area (EEA). When we transfer personal data internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by the European Commission
- Transfers to countries with adequacy decisions
8. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest
- Access controls and authentication requirements
- Regular security assessments and monitoring
- Incident response procedures
9. Your Rights
If you are located in the EEA, UK, or other jurisdictions with data protection laws, you may have rights regarding your personal data, including:
- Access: Request information about data we process about you
- Deletion: Request deletion of your personal data
- Rectification: Request correction of inaccurate data
- Portability: Request a copy of your data in a portable format
- Objection: Object to processing based on legitimate interest
- Complaint: Lodge a complaint with a supervisory authority
Because we act as a processor, requests related to data collected through Customer websites should be directed to that website’s operator. We will assist our Customers in responding to such requests.
For data related to your direct relationship with BotSigged (e.g., if you are a Customer), contact us at the address below.
10. No Cookies
BotSigged does not set cookies or use browser-based storage mechanisms (localStorage, sessionStorage) on end-user devices. Our detection operates through real-time analysis of connection and behavioral signals without persistent client-side tracking.
11. Children’s Privacy
Our Services are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us for deletion.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated policy on this page with a revised “Last updated” date. Material changes will be communicated to Customers via email or through our Services.