Privacy Policy
Last updated: 14 July 2026
This Privacy Policy explains how DSEC Labs (“DSEC Labs”, “we”, “us”, or “our”) collects, uses, and protects personal data when you visit dseclabs.xyz or contact us through it. We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data-protection laws. As an offensive-security firm, data protection is not an afterthought for us; it is part of the job.
1. Who is responsible for your data
DSEC Labs is the data controller for the personal data described in this policy. For any privacy request, question, or complaint, contact us through our contact form and mark your message as a privacy request. We do not require you to create an account or provide payment details to browse this site.
2. What data we collect, and when
Data you give us through the contact form
When you submit the contact form we collect the information you choose to provide: your name, work email address, the primary service you are interested in, the topic or reason for your message, and the free-text message itself. Please do not include sensitive personal data or confidential material in this first message; a scope-limited, NDA-backed channel is set up before any engagement.
The form is delivered by Web3Forms, which relays your submission to us by email. To prevent spam and automated abuse, the form uses a hidden honeypot field and, where enabled, an hCaptcha challenge (operated by Intuition Machines, Inc.); solving it may involve a short interaction and a verification token.
Data collected automatically
- Technical and security data. Our hosting and CDN provider, Cloudflare, Inc., processes standard connection data such as your IP address, user-agent, and request metadata to deliver the site and protect it against attacks. This is handled at the infrastructure level and is necessary to serve the site securely.
- Analytics (only with your consent). If you accept analytics in our cookie banner, we load a privacy-friendly, cookieless analytics tool (Umami) that records aggregate, non-identifying usage signals such as page views, referrers, and approximate country. It does not set cookies, does not build a profile of you, and does not track you across other websites. If you reject or ignore the banner, no analytics is loaded. See our Cookie Policy for details.
3. Why we process your data, and our legal basis
- To respond to your inquiry and scope a possible engagement. Legal basis: performance of a contract or steps taken at your request prior to entering one (Art. 6(1)(b) GDPR), and our legitimate interest in responding to prospective clients (Art. 6(1)(f)).
- To keep the site available, performant, and secure. Legal basis: our legitimate interest in protecting our systems and visitors (Art. 6(1)(f)), including anti-spam and anti-abuse measures on the form.
- To measure aggregate site usage. Legal basis: your consent (Art. 6(1)(a)), which you may withdraw at any time via the cookie banner without affecting the lawfulness of prior processing.
4. Who we share it with (processors and recipients)
We do not sell your personal data, and we do not use it for advertising. We share it only with service providers that process data on our behalf, under contract and appropriate safeguards:
- Web3Forms for delivery of contact-form submissions.
- Cloudflare, Inc. for hosting, CDN, and DDoS/security protection.
- Intuition Machines, Inc. (hCaptcha) for bot and abuse prevention on the form, where enabled.
- Umami Software, Inc. for cookieless analytics, only if you consent.
We may also disclose data where we are legally required to (for example, in response to a lawful request from a competent authority), or to establish, exercise, or defend legal claims.
5. International transfers
Some of the providers above are based in, or process data in, the United States or other countries outside the EEA/UK. Where personal data is transferred internationally, we rely on an appropriate transfer mechanism, such as the European Commission’s Standard Contractual Clauses, the EU and US Data Privacy Framework where applicable, or an adequacy decision, together with supplementary technical measures where needed.
6. How long we keep it
We keep contact-form data only as long as necessary to handle your inquiry and, where it leads to a relationship, to manage that engagement and meet our legal obligations. Inquiries that do not lead to an engagement are deleted or anonymized once they are no longer relevant, typically within 24 months. Security and CDN logs are retained by our provider for a short period for operational and security purposes. Cookieless analytics data is aggregate and is retained in a non-identifying form.
7. Your rights
Subject to the conditions in applicable law, you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased;
- restrict or object to certain processing, including processing based on our legitimate interests;
- receive your data in a portable format;
- withdraw consent (for analytics) at any time; and
- lodge a complaint with your data-protection supervisory authority.
To exercise any of these rights, contact us through our contact form. We will respond within the timeframe required by law (generally one month). We may ask you to confirm your identity before acting on a request.
8. How we protect your data
We apply technical and organizational measures appropriate to the risk, including HTTPS/TLS encryption in transit, a strict Content Security Policy, hardened HTTP security headers, least-privilege access to any data we hold, and minimization by design (we collect as little as possible and keep the site free of advertising and cross-site tracking). No method of transmission or storage is perfectly secure, but we treat client and prospect data with the same rigor we expect of the organizations we assess.
9. Cookies and similar technologies
This site is designed to run without advertising or cross-site tracking cookies. For a full breakdown of the local storage and cookies involved, and how to change your choices, see our Cookie Policy.
10. Children
This site and our services are intended for businesses and professionals. They are not directed at children, and we do not knowingly collect personal data from anyone under 16.
11. Changes to this policy
We may update this policy to reflect changes in our practices, providers, or legal obligations. Material changes will be reflected by the “last updated” date at the top of this page. We encourage you to review it periodically.