Privacy

Dark Data Labs (“DDL,” “we,” “us”) is an independent cybersecurity research lab. This Privacy Policy explains what information we collect from visitors and clients, how we use it, and the rights you have over it.

From visitors: standard web request data (IP address, user agent, referring URL, timestamps) and, where loaded, privacy-respecting analytics events (page paths, anonymized visit counts). We do not use third-party advertising trackers.

From inquiries and clients: contact information you provide when emailing us or submitting an intake form (name, work email, company, role), engagement scope (domains, executive names, supplier names you ask us to investigate), and operational records of any engagement.

From our collection systems: publicly accessible and commercially licensed data about the targets you authorize us to investigate. This data is processed under the terms documented in our Scope & Terms.

We use information to:

• Deliver engagements and produce the reports you contracted for.
• Respond to inquiries and operate our service.
• Improve methodology, internal tooling, and the quality of our research (using anonymized, non-identifying patterns only).
• Comply with legal obligations and respond to lawful process.

We do not sell personal information. We do not share client data with third parties except as required to deliver the service (subprocessors listed below) or compelled by law.

This site does not use advertising cookies or cross-site tracking. We may use a privacy-respecting analytics tool (such as Plausible) that does not set persistent cookies and does not collect personally identifying information. Where analytics is loaded, data is aggregated, anonymized, and used solely to measure traffic and content effectiveness.

We use a small number of vendors to host, deliver, and operate the service. Each is contracted under terms that prohibit independent use of client data:

• Cloudflare — site hosting, DNS, edge security.
• Mailcow on DDL-operated infrastructure — transactional and inbound email.
• Vercel or equivalent — application hosting for client-facing dashboards (when applicable).
• Stripe — payment processing for engagements (when applicable).
• Commercial intelligence vendors — licensed breach and exposure data sources, contracted with confidentiality obligations.

Client data, intake submissions, evidence, and reports are encrypted in transit and at rest. Access is limited to the analyst assigned to your engagement and the lab principal. We follow reasonable industry practice for credential management, authentication, and access logging. No system is perfectly secure; if a breach affects your data, we will notify you in line with applicable law.

Evidence vaults are retained for twelve (12) months by default, then purged. You may request earlier purge at any time in writing. Operational records (contracts, scope authorizations, invoices, legal correspondence) are retained for the period required by applicable law and standard business practice.

Depending on your location, you may have the right to access, correct, delete, or restrict processing of your personal information, to object to processing, or to request portability. To exercise any of these rights, contact privacy@darkdatalabs.com. We will respond within the timeframes required by applicable law.

California residents: we do not sell personal information. CCPA-related requests can be submitted via the privacy email above.

EU/UK residents: for GDPR/UK-GDPR requests, contact the privacy email above. Our lawful bases are typically contract performance (delivering engagements) and legitimate interest (operating the business and improving methodology).

This site and our services are not directed to individuals under 16. We do not knowingly collect information from anyone under 16. If you believe a child has provided information, contact us and we will delete it.

We operate from the United States. If you contact us or engage with our service from outside the U.S., your information will be processed in the U.S. By using the site or engaging the service, you consent to this transfer.

We may update this Privacy Policy from time to time. The “Last updated” date above reflects the current version. Material changes will be communicated to active clients directly.

Privacy questions: privacy@darkdatalabs.com. Legal questions: legal@darkdatalabs.com. Engagement questions: intel@darkdatalabs.com.