PRIVACY POLICY

How we handle personal data — yours, not your clients'. Engagement-specific data handling is covered separately in our Engagement Terms.

Last updated: May 2026 · Effective: May 2026
// IN PLAIN ENGLISH

We collect the minimum data needed to run the website and respond to inquiries. We never sell your data, never train AI models on it, and never share it with advertising networks. You can email us anytime to see what we have on you or to have it deleted. Our free Arsenal tools run inputs through audited infrastructure with zero retention — your prompts and documents are processed and discarded.

// WHAT WE COLLECT
// FROM WEBSITE VISITORS
  • IP address, browser type, operating system, pages visited, and referrer URL.
  • Approximate location (country and region only) inferred from IP — the raw IP address is not stored.
  • Session duration and scroll depth, collected in aggregate and anonymized.
  • Cookies — session and CSRF tokens only; no advertising or tracking cookies. Details below.
// FROM PEOPLE WHO CONTACT US
  • Name, email address, company name, and role.
  • The content of your message or audit scoping request.
  • Any documents, system prompts, or files you choose to share.
// FROM ARSENAL FREE TOOL USERS
  • The inputs you submit — system prompts, documents, or text.
  • The results returned to your session.
  • Anonymized scan metadata: timestamp, tool used, and severity score.

What we do not log from tool use:

  • Your IP address alongside your inputs.
  • Your inputs linked to your email address — tool use is never tied to your identity unless you are signed in and explicitly save results.
  • Any data that could re-identify you from a scan result.
// COOKIES

We use two cookies:

  • Session cookie — keeps you signed in to your LogicLeak account. Expires on sign-out or after 30 days of inactivity.
  • CSRF token — protects form submissions from cross-site request forgery. Not used for tracking.

No Google Analytics, Meta Pixel, advertising trackers, cross-site tracking cookies, or browser fingerprinting. You can block all cookies in your browser — the only effect is that you cannot stay signed in.

// HOW WE USE IT
  • To respond to your inquiries and deliver paid engagements.
  • To run, secure, and improve the website and Arsenal tools.
  • To send the Threat Briefing newsletter — only if you subscribed. Every email includes a one-click unsubscribe.
  • To meet legal obligations: tax records, compliance requirements, or valid court orders.
// WHAT WE DO NOT DO
  • We do not sell or rent your data to any third party, ever.
  • We do not train AI models on client data, user inputs, or engagement materials — ever.
  • We do not run advertising networks or share data with ad partners.
  • We do not enrich your data using third-party data brokers.
  • We do not build behavioural profiles or use your data for retargeting.
// WHO WE SHARE WITH

We share data only with the infrastructure providers listed below, each bound by a data processing agreement. That is the complete list — no marketing partners, no data brokers, no AI training partnerships.

// SUBPROCESSORS
Vercel | Site hosting and edge delivery | Global (EU + US)
Supabase | Database and authentication | EU (Frankfurt)
Postmark | Transactional email delivery | US
Plausible | Privacy-first website analytics | EU (Germany)
// LEGAL PROCESS

We may disclose data to law-enforcement or regulatory authorities when required by a valid court order, subpoena, or equivalent legal process. Where legally permitted, we will notify you before disclosing.

// YOUR RIGHTS
// UNIVERSAL RIGHTS
  • Right to access — request a copy of any personal data we hold about you.
  • Right to correction — ask us to fix anything inaccurate or incomplete.
  • Right to deletion — request that we remove your data (limited exceptions apply for legal retention obligations).
  • Right to portability — receive your data in a structured, machine-readable format.
  • Right to object — to specific uses of your data, including direct communications.
  • Right to withdraw consent — for anything you opted into: newsletter, optional analytics.
// GDPR — EU / UK

If you are in the EU or UK, the General Data Protection Regulation gives you the additional right to lodge a complaint with your national supervisory authority. Our legal bases for processing personal data are:

  • Contract performance — processing necessary to deliver an engagement you requested.
  • Legitimate interest — site analytics, security monitoring, and improving the Arsenal tools.
  • Consent — newsletter subscription and optional analytics cookies.
  • Legal obligation — tax records and compliance requirements.
// CCPA — CALIFORNIA
  • Right to know what personal information we collect, use, and disclose.
  • Right to opt out of the sale of personal information — we do not sell data, so there is nothing to opt out of.
  • Right to non-discrimination for exercising any of your privacy rights.
// HOW TO EXERCISE YOUR RIGHTS

Email privacy@logicleak.io with your name and the right you wish to exercise. We respond within 30 days. For GDPR requests, we may ask you to verify your identity before disclosing any data.

// RETENTION
Website analytics | 13 months, then aggregated and anonymized
Inquiry emails | 24 months after inquiry closes
Newsletter subscribers | Until unsubscribed + 30 days
Arsenal tool inputs | Zero retention, discarded immediately after processing
Engagement materials | See Engagement Terms; typically 30 days post-close unless retention requested

Engagement materials retention is governed by our Engagement Terms.

// INTERNATIONAL TRANSFERS

Our primary infrastructure runs in the EU (Supabase Frankfurt; Vercel's primary region). Some requests are served by Vercel's global edge network, which may result in transient processing outside the EEA. We do not intentionally route EU personal data to non-EEA regions for storage or processing.

// TRANSFER MECHANISMS
  • EU Standard Contractual Clauses (SCCs) are in place with all subprocessors that may process EU personal data.
  • UK International Data Transfer Agreements (IDTAs) cover UK-origin data where applicable.
  • All subprocessor regions are listed in the table above.
// CONTACT

For any privacy question, rights request, or concern, email privacy@logicleak.io. Include your name and the nature of your request so we can locate the relevant data efficiently. We respond within 30 days; formal data subject requests under GDPR or CCPA receive a response within the applicable statutory period.

// DATA CONTROLLER

LogicLeak (trading name). For GDPR purposes, LogicLeak is the data controller for personal data collected via this website.

// DATA PROTECTION CONTACT

We do not have a formally designated Data Protection Officer — our processing volume does not trigger the GDPR Article 37 DPO requirement. All privacy queries are handled at privacy@logicleak.io.

// CHANGE LOG

We track substantive changes below. Minor edits — typos, formatting — are not logged.

MAY 12 2026 | Clarified Arsenal tool zero-retention practice.
FEB 15 2026 | Added explicit statement that we do not train AI models on client data.
JAN 08 2026 | Initial publication.