Privacy Policy
This Privacy Policy explains how 0Day Labs ("0Day Labs", "we", "us", "our") collects, uses, discloses, and protects personal data when you visit our website, create an account, or use our API (together, the "Service"). It should be read together with our Terms of Service.
Who is the controller
0Day Labs is the controller of personal data processed under this Policy. Our identifying legal-entity details are disclosed at onboarding where required, or on written request. For day-to-day matters you can reach us through the contact channel published on our website.
What we collect
We collect only what we need to operate, secure, and bill the Service.
2.1 Information you provide at signup
- Account identity · email address, full name, chosen role or title (optional), and chosen passphrase (stored as a salted hash, never in plaintext).
- Organization profile · organization name, company website URL, country of operation, and (optionally) a business-registration number, VAT ID, or equivalent identifier.
- Company description · a free-form description of what your company does.
- Intended use case · a specific, free-form description of what you intend to do with the Service. Generic descriptions are declined.
- Target Domains · the list of destination websites you intend to exercise through the Service. We store this list, use it to review your admission, load it into your per-customer whitelist, and use each entry as the basis of individual per-domain approval decisions.
- Volume and concurrency declarations · your expected requests per day, requests per month, and peak concurrent requests.
- Launch timeline · when you expect to begin calling the API.
- Referral source · optional, how you heard about us.
- Attestations · your express confirmations that you are authorized to exercise the listed Target Domains, that your information is accurate, and that you accept these Terms and this Policy.
- Billing information · where applicable, tax-status information. Paddle (Paddle.com Market Ltd, Malta / Paddle.com Inc., US) acts as our Merchant of Record: card and bank details used to settle invoices are collected and processed directly by Paddle, and we do not store or see raw payment-instrument data. We provide Paddle with your email address, display name, and an internal customer identifier for invoicing and reconciliation.
- Correspondence · the content of any email, support ticket, or form submission you send us.
2.2 Information we collect automatically
- Signup-context signals · the IP address and User-Agent of the device used to submit your signup, captured on the customer record for anti-abuse screening and admission review.
- Session-context signals · the IP address and User-Agent observed when a session is established, stored with the session record for audit purposes.
- Anti-abuse fingerprints · counters and in-memory records used to enforce per-IP signup limits, per-email-domain burst limits, and a disposable-email blocklist. These are held only in worker memory and are not persisted beyond the rate-limit window.
- API-usage metadata · for each call to the API we record the internal customer identifier, the API key identifier (never the plaintext key), the Target Domain that was exercised, the HTTP status, round-trip latency, an error code if any, and the fee accrued. We do not persist the caller's IP address, User-Agent, request path, or response body in these per-call records.
- Aggregated usage · per-domain call counts, error counts, and queue-wait metrics used for metering, billing, abuse detection, and admission-compliance checks, stored as append-only per-day records.
- Session state · a random session identifier set as a cookie after you sign in (see §7). Two independent session cookies are supported so a customer session and an admin session can coexist in the same browser. No advertising, analytics, or cross-site trackers are set by the Service itself.
2.3 Processing we perform
We process the Target Domains you provide against our admission policies, against each other (for consistency with your declared use case and volumes), and against the per-request metadata we log once you are active. If the way you actually use the Service drifts materially from the Target Domains, use case, volumes, or concurrency you declared at signup, that divergence is itself a processing output that informs admission and enforcement decisions.
2.4 What we do not collect
We do not intentionally collect special-category data (race, religion, health, sexual orientation, political opinion, trade-union membership, biometric identifiers, genetic data) and we do not knowingly collect personal data from children. The Service is not directed at children and must not be used by anyone under the age of 18. If you believe a child has provided personal data to us, contact us through the channel published on our website and we will delete it.
How we use personal data
| Purpose | Legal basis (EEA/UK) |
|---|---|
| Create, authenticate, and maintain your account | Performance of a contract with you |
| Operate the API, route requests, and return Payloads | Performance of a contract with you |
| Meter usage, raise invoices, and process payment | Performance of a contract with you; compliance with tax and accounting law |
| Review new signups, assess the declared identity, organization, use case, Target Domains and volumes, and make a discretionary admission decision | Legitimate interest in onboarding only customers whose use is consistent with our Terms and our ethical expectations |
| Review each Target Domain on your whitelist and decide, individually, whether to approve, reject, or leave pending | Legitimate interest in admitting only authorized use against each destination site |
| Continuously compare ongoing API usage (Target Domains actually exercised, volume, concurrency, key activity) against the scope declared at signup. We have assessed this processing as meeting the legitimate-interest balancing test: the monitoring is limited to metadata (customer and key identifiers, domain identifier, call count, error count, latency), is strictly necessary to detect scope-drift and abuse, and customers are informed of this monitoring at onboarding. | Legitimate interest in keeping customers within the scope of their admission and protecting us, other customers, and third parties |
| Detect and act on suspicion of unauthorized, unethical, or policy-violating use · including suspension, termination, key revocation, and whitelist removal | Legitimate interest in a secure and trustworthy service; compliance with legal obligation; fraud prevention |
| Prevent signup abuse through per-IP and per-email-domain limits and a disposable-email blocklist | Legitimate interest in the integrity of the admission process |
| Respond to support requests and legal or regulatory enquiries | Legitimate interest in supporting customers; compliance with legal obligation |
| Produce aggregate, de-identified metrics used to improve the Service | Legitimate interest in product improvement |
| Send service announcements, admission-decision notifications, and security notices to the email on your account | Legitimate interest in keeping customers informed of material changes |
We do not use personal data for advertising, behavioural profiling, or automated decision-making that produces legal or similarly significant effects. Signup admission and per-domain whitelist decisions are made by a human admin, informed by the information you provide and by the anti-abuse signals described in §2.2. Admission is at our sole discretion and may be refused without explanation.
Disclosure
We disclose personal data only in the following limited circumstances:
- Paddle (Paddle.com Market Ltd, Malta / Paddle.com Inc., US) · our Merchant of Record and payment processor. We transmit your email address, display name, and an internal customer identifier; Paddle returns transaction events, subscription status, and tax/invoice metadata. Paddle's own terms and privacy policy govern its handling of the payment transaction.
- Other service providers · hosting, infrastructure, and email delivery providers acting on our instructions under written data-processing terms. We use the minimum set of processors necessary to run the Service.
- Target Domain operators, rights-holders, regulators, or law-enforcement bodies · where we receive a credible complaint, takedown request, subpoena, or lawful enquiry relating to your use of the Service, we may disclose information reasonably necessary to respond, including your identity, the Target Domains on your whitelist, the scope of your declared use, and relevant usage metadata.
- Professional advisors · lawyers, accountants, and auditors bound by confidentiality, where needed to protect or enforce our rights.
- Corporate transactions · in connection with a merger, acquisition, insolvency, or sale of all or substantially all of our assets, subject to equivalent privacy commitments.
We do not sell personal data and we do not share it for behavioural advertising.
International transfers
Our infrastructure and processors may be located outside the country in which you are based, including in jurisdictions that have not received an adequacy decision from your local regulator. Where such transfers occur from the United Kingdom, the European Economic Area, or Switzerland, we rely on the Standard Contractual Clauses (or, where applicable, the UK International Data Transfer Addendum) as the transfer mechanism, together with additional technical and organizational measures where required.
Retention
We retain personal data for the period reasonably necessary for the purposes described in §3. In practice:
- Account records · persist while the account is active and for a reasonable period afterwards to allow for dispute resolution, account-reactivation requests, and fraud-prevention screening.
- Signup-review material for rejected or abandoned applications · retained for a reasonable period to evidence our admission decisions and to enable us to detect repeat-offence signups.
- Billing, tax, and transactional records · retained for the period required by applicable tax and accounting law (typically six to ten years).
- Application, session, and security logs · retained on a rolling basis calibrated to our operational and security needs.
- Usage metadata (per-call records of customer, key, domain, status, latency, and cost) · retained for the period necessary to meter usage, reconcile billing, support customer enquiries, and defend against fraud and abuse.
- Aggregated, de-identified metrics · may be retained indefinitely.
Where you exercise a valid deletion right (§8) we will delete or anonymise personal data held about you, except data we are required or permitted to retain for tax, accounting, legal-claim, or fraud-prevention purposes.
Cookies & similar technologies
We use strictly necessary session cookies after you sign in, to keep your browser authenticated. Two independent session cookie names are used so that a customer account and an admin account can be held simultaneously in the same browser without collision. Session cookies are set with the HttpOnly flag (inaccessible to JavaScript), the Secure flag in production (sent only over HTTPS), and an appropriate SameSite attribute (Lax or None) depending on the deployment topology. Sessions have a bounded lifetime after which the cookie and the server-side session record expire.
We do not set any advertising, analytics, or third-party tracking cookie through the Service itself. Because these cookies are strictly necessary, we do not ask for consent to use them, but you can remove them at any time by signing out or clearing your browser state · doing so will end the session.
Your rights
Subject to applicable law, you have the right to: (a) access the personal data we hold about you, (b) request correction of inaccurate or incomplete data, (c) request deletion, (d) object to, or ask us to restrict, processing that is based on our legitimate interest, (e) request the export of the data you provided in a portable format, (f) withdraw any consent you have given (without affecting the lawfulness of prior processing), and (g) lodge a complaint with your local data-protection authority. Requests can be made to privacy@0daylabs.co. For residents of the United Kingdom and the European Economic Area, we will respond within one (1) month of receipt (extendable by a further two months where the request is complex, subject to notice). We may need to verify your identity before we act.
Some rights are not absolute: for example, we may refuse to delete data we are required to keep for tax or fraud-prevention purposes, or data we need to defend a legal claim.
Security
We use commercially reasonable technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. These include transport encryption over TLS, account passwords stored as scrypt-derived hashes with per-credential random salts (plaintext passwords are never logged or stored), API keys stored as one-way hashes with only the key identifier retained for linkage, least-privilege access controls, segmentation of the payload-generation service from the website control plane, and logging of administrative decisions affecting account state. No Internet-facing system is fully secure, and we cannot guarantee the absolute security of personal data · but we will notify you and, where required, the relevant authority of any personal-data breach affecting you within the timeframe imposed by applicable law.
Role when you use the API
The Service's API contract does not require, and is not documented to accept, third-party personal data in request inputs. To the limited extent you transmit personal data in a documented input field (for example, a User-Agent string you want reflected in the generated Payload), we process that data only as reasonably necessary to generate and return the Payload, do not retain it beyond the transient request context, and act as a processor with respect to it. You act as the controller of that data and must have a lawful basis and, where required, complete data-subject notices for any such transmission. A Data Processing Addendum is available on request for customers with a documented processor-engagement requirement. In respect of our own account records, usage metadata, and billing data described in this Policy, we are the controller.
Changes to this Policy
We may update this Policy from time to time. Where a change is material we will give reasonable notice by email to the address on your account and by publishing the revised Policy in your console. The "Effective" date at the top of this page reflects the current version. Continued use of the Service after the effective date of a change constitutes acceptance of the revised Policy.
Contact
For any matter under this Policy · including exercise of your rights and breach notifications · email privacy@0daylabs.co. For general support or commercial enquiries use hello@0daylabs.co.