PRIVACY POLICY
How 0x12DarkSandbox collects, uses and protects your data
1. Data Controller
The data controller for the purposes of the General Data Protection Regulation (GDPR) and the Spanish Organic Law 3/2018 (LOPDGDD) is:
0x12 Dark Development
Spain
privacy@0x12darksandbox.net
Last updated: May 2026
2. Data We Collect
| Category | Data | Source |
|---|---|---|
| Account | Username, email address, hashed password, account creation date, email verification status | Provided by you at registration |
| API Keys | Key prefix (first 12 characters for identification), key hash (never plaintext), label, creation date, last used date | Generated on your request |
| Sample Metadata | Cryptographic hashes (SHA256, SHA1, MD5), original filename, file size, MIME type | Derived from files you submit |
| Analysis Results | VM behavioral telemetry, AV detection results, static analysis output, job status and timestamps | Generated by the analysis pipeline |
| Credits | Credit balance, transaction history (amounts, dates, descriptions) | Generated by purchases and usage |
| Support | Ticket content and messages | Provided by you |
| YARA Rules | Rules you upload, associated metadata | Provided by you |
| Technical Logs | IP addresses and request metadata may appear in application logs with standard short-term retention | Automatically generated |
We do not collect advertising identifiers, social profiles, precise geolocation, or behavioral tracking data.
3. Submitted Binary Files
Binary files submitted for analysis are stored temporarily on our infrastructure solely for the purpose of performing the analysis. They are permanently and automatically deleted from our systems immediately after the analysis job completes, whether the job succeeds or fails.
File metadata (hashes, filename, size) is retained as part of your job history. The file content itself is never retained beyond the analysis window.
As part of the analysis pipeline, submitted files are transmitted to Kleenscan (a third-party multi-engine antivirus scanning service) for static detection analysis. By submitting a file, you acknowledge this transmission. See Section 5 for details.
4. Purpose and Legal Basis
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing the Service | Performance of a contract (Art. 6(1)(b)) |
| Account management and authentication | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and credits | Performance of a contract (Art. 6(1)(b)) |
| Fraud prevention and abuse detection | Legitimate interests (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
We do not use your data for marketing, advertising, or profiling.
5. Third-Party Processors
| Processor | Data Shared | Purpose |
|---|---|---|
| Resend | Email address | Transactional email delivery (verification, notifications) |
| Stripe | Payment card data, billing details | Payment processing. We do not store card data ourselves. |
| PayPal | PayPal account identifier | Payment processing |
| Kleenscan | The submitted binary file | Multi-engine antivirus scanning (static analysis) |
We do not sell, rent, or share your personal data with any party not listed above, except as required by law (see Section 8).
6. Data Retention
- Binary files: deleted immediately after analysis completes
- Analysis results and job history: retained while your account is active
- Account data: retained while your account is active
- After account deletion: all associated data is permanently deleted within 7 days
- After policy-based suspension: data retained for 7 days, then permanently deleted
- Payment records: retained as required by Spanish tax and accounting obligations
7. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Access: request a copy of the personal data we hold about you
- Rectification: request correction of inaccurate data
- Erasure: request deletion of your data ("right to be forgotten")
- Restriction: request that we limit processing of your data
- Portability: request your data in a machine-readable format
- Objection: object to processing based on legitimate interests
- Lodge a complaint: with the Spanish Data Protection Authority (AEPD — aepd.es) if you believe your rights have been violated
To exercise any of these rights, contact us at privacy@0x12darksandbox.net. We will respond within 30 days.
8. Cookies
We use only strictly necessary cookies required for the operation of the Service. These include session authentication cookies that keep you logged in.
We do not use analytics, advertising, or tracking cookies. No cookie consent banner is required as we rely solely on technically necessary cookies (Recital 25, ePrivacy Directive).
9. Law Enforcement Disclosures
We will cooperate with legally binding requests from competent authorities when required to do so by applicable Spanish or EU law. We will not voluntarily disclose user data to any authority absent a valid legal requirement.
10. Security
We implement technical and organizational measures to protect your data, including password hashing, encrypted API key storage, and network-level isolation for the analysis infrastructure. No system is completely secure; in the event of a data breach affecting your personal data, we will notify you and the AEPD as required by GDPR Article 33.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the platform's announcement system or by email. The date at the top of this page reflects the most recent revision.
12. Contact
For privacy-related requests or questions:
For abuse reports, see our Abuse Policy. For general support, use the support ticket system.