What we collect, what we don't, and why.
We crawl public web pages and store forensic artifacts. We do not sell data, do not track end users, and we delete on request.
Effective: 2026-05-01 · Version 3.2
1. Who we are
ExploitShield ("we", "us") provides a SaaS platform that continuously monitors third-party connections on customer websites to detect embedded malware. This page explains how we handle personal data in connection with that service. The data controller for customer account data is ExploitShield, registered in the European Union. Contact: dancho.danchev@hush.com.
2. What data we collect
(a) Customer account data: name, work email, company name, billing address, payment metadata (we do not store full card numbers — payment processing is delegated to a PCI-DSS Level 1 processor). (b) Operational telemetry: dashboard usage events, feature adoption, support interactions, audit logs of administrative actions. (c) Scan data: the third-party domains, scripts, and network requests observed by our crawler on the URLs you configure us to monitor. We do NOT collect data about your real visitors — our crawler is a synthetic visitor.
3. What we do not collect
We do not deploy any tracker, beacon, cookie, or script on your monitored websites. We never observe your real users' sessions, IP addresses, identities, form inputs, or behavior. The data flow is one-directional: our crawler visits your public URL the same way any internet user would.
4. Lawful basis (GDPR)
We process customer account data on the basis of contract performance (Article 6(1)(b)). Operational telemetry is processed on the basis of legitimate interest in operating, securing, and improving the service (Article 6(1)(f)). Marketing communications, when applicable, are processed on the basis of consent (Article 6(1)(a)) which you can withdraw at any time.
5. Data retention
Account data: retained for the lifetime of the account plus 12 months for tax and audit purposes. Scan data and forensic artifacts (HAR, screenshots, console logs): default 90 days, configurable down to 7 days on Professional and Enterprise tiers. Audit logs: retained for 24 months. Backups follow a 35-day rolling window.
6. Sub-processors
We use a small set of audited sub-processors: a PCI-DSS Level 1 payment processor (Stripe), a transactional email provider (Postmark), a managed PostgreSQL provider (US/EU regions), and a content delivery network for the marketing site. The full sub-processor list with regions and DPAs is published at /sub-processors and updated at least 30 days before any change.
7. International transfers
EU data residency is available on Professional and Enterprise tiers — when enabled, scan data, forensic artifacts, and account data remain in the European Economic Area. Where transfers outside the EEA occur, they are protected by Standard Contractual Clauses (SCCs) and supplementary technical measures (encryption in transit and at rest, access logging).
8. Your rights
Under GDPR, UK GDPR, and the California Consumer Privacy Act (where applicable), you have the right to access, correct, port, restrict, delete, and object to the processing of your personal data. Exercise any right by emailing dancho.danchev@hush.com. We respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
9. Cookies on this website
Our marketing site uses only strictly necessary cookies (session, CSRF) and a single privacy-respecting analytics signal (page view count, no individual fingerprinting, no cross-site tracking). We do not run third-party advertising tags, retargeting pixels, or behavioral profiling.
10. Children
The service is not directed to individuals under the age of 16, and we do not knowingly collect personal data from children.
11. Security
We protect personal data with technical and organizational controls described in detail on our Security page, including TLS 1.3 in transit, AES-256 at rest, hardware-backed KMS, role-based access with hardware MFA, SOC 2 Type II audit, and ISO 27001 alignment.
12. Changes to this policy
We will notify customers by email at least 30 days before any material change. The current version, effective date, and a changelog are always available on this page.
Questions about this policy, or a data subject request? Email dancho.danchev@hush.com.