Privacy Policy
Effective date: 2026-05-26
Dataforge Inc. ("Dataforge," "we," "us")
6-783 King Road, Burlington, Ontario L7T 3K7, Canada
legal@dataforge.on.ca
This Privacy Policy describes how Dataforge handles personal information in connection with Dataforge Honeypot (the Service): the hosted director, user portal, public API, and related documentation at honeypot.app.dataforgecanada.com, and the detector clients you deploy on your networks.
Related document: End User Agreement
1. Who this policy applies to
This policy applies to:
- Portal users who create an account, sign in, manage detectors, configure alerts, or subscribe to the Service;
- Platform administrators authorized by Dataforge to operate the Service; and
- Third parties whose information may appear in honeypot event data when they interact with decoy systems you operate.
Dataforge acts as controller for account data, billing data, and data about how you use the Service (authentication, security, system logs), unless a separate written agreement states otherwise. For honeypot event payloads your decoys capture from third parties, you are typically the controller and Dataforge acts as a processor storing and displaying that data on your behalf.
2. Personal information we collect
| Category | Examples | Typical use |
|---|---|---|
| Account | Email address, hashed password, optional organization name, role, account creation and last-seen timestamps | Registration, authentication, support |
| Authentication and security | TOTP secret (encrypted), MFA backup codes (hashed), trusted-browser tokens (up to 30 days), session cookies, password-reset and email-verification tokens, IP address (including via your network proxy), browser user-agent | Sign-in, MFA, rate limiting, abuse prevention |
| Billing | PayPal subscription ID, plan ID, currency, subscription status, trial and billing dates | Subscriptions and billing. We never see your PayPal password or your payment card details — PayPal handles all payment processing. |
| Honeypot operational data | Device labels, API key hashes, detector configuration, event payloads (source/destination IP and port, protocol, service name, captured banner or command text), upload batch metadata, keepalive timestamps | Security monitoring, portal display, alerts |
| Optional integrations | Telegram bot tokens and chat IDs you configure (stored encrypted at rest) | Alert delivery you enable |
| Support | Content of emails you send to legal@dataforge.on.ca | Responding to your requests |
Honeypot payloads may incidentally contain personal information if a third party interacts with a decoy (for example, an email address in SMTP dialog or an IP address assigned to an individual). Such data is processed for defensive security purposes on systems you authorize.
3. How we use personal information
We use the information above to:
- Provide, operate, and improve the Service;
- Authenticate users and detector clients;
- Process subscriptions and billing through PayPal;
- Send verification, password-reset, billing, and alert emails;
- Deliver optional Telegram or webhook notifications you configure;
- Detect, prevent, and respond to abuse, fraud, and security incidents;
- Comply with applicable law and enforce our End User Agreement.
We do not sell personal information and do not use the Service for advertising.
4. Legal bases for processing
Depending on your jurisdiction and the type of data, we rely on one or more of the following:
| Basis | Examples |
|---|---|
| Performance of a contract | Creating and operating your account, providing the portal and API, billing your subscription |
| Legitimate interests | Securing the Service, preventing abuse, operating reCAPTCHA risk scoring, maintaining logs for troubleshooting |
| Consent | Optional Telegram integrations and similar features you enable |
| Legal obligation | Tax and billing record retention, responding to lawful requests |
Where consent is required and we rely on it, you may withdraw consent by disabling the relevant feature or contacting us, without affecting processing already performed.
5. Service providers we share data with
We do not sell personal information. We share data only as needed to operate the Service:
| Provider | Purpose | Notes |
|---|---|---|
| PayPal | Subscription billing and payment status | Subject to PayPal's privacy notice |
| Google reCAPTCHA Enterprise | Bot and abuse detection on signup, login, password reset, email verification, and MFA pages | Subject to Google's privacy policy. Disclosed on relevant auth forms. |
| Docker Hub (Docker, Inc.) | Distribution of detector container images | Decoys you deploy connect outbound to Docker Hub to pull container images. Docker Hub may log the IP address of the host where you run a detector |
| Telegram | Optional alert delivery | Only when you configure a bot integration; messages are sent to the bot and chat you specify |
| Law enforcement and regulators | Legal compliance | When required by applicable law or valid legal process |
Transactional email (verification, password reset, alerts) is sent from Dataforge-operated mail infrastructure.
Access within Dataforge is limited to personnel with a legitimate operational need.
6. Cookies and tracking technologies
We use cookies and similar technologies as follows:
| Type | Examples | Purpose |
|---|---|---|
| Strictly necessary | Session cookie (signed, HTTPOnly), CSRF cookie, MFA trusted-browser cookie (up to 30 days) | Keep you signed in, protect forms, remember trusted devices for MFA |
| Third-party (functional/security) | Google reCAPTCHA Enterprise scripts on authentication pages | Fraud and abuse prevention |
| Third-party (analytics) | Google Analytics (gtag.js), Ahrefs Web Analytics on all site pages | Understand site usage and improve the service |
| Payment flow | Cookies set by PayPal on its own domain when you complete subscription setup or return from PayPal | Complete billing setup |
We use Google Analytics and Ahrefs Web Analytics to measure how visitors use the site. These providers may set measurement cookies or use similar technologies on your browser. We do not use advertising cookies.
You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent you from signing in or completing billing setup.
7. Retention
| Data | Retention period |
|---|---|
| Account data | While your account is active; deleted within 30 days of account closure, subject to billing-record obligations |
| Honeypot events and detector data | While your account is active; deleted when the account is deleted |
| Billing records | 7 years (Canadian tax and record-keeping requirements) |
| Application and server logs | Approximately 30 days |
| Email verification and password-reset tokens | A few hours to a few days; deleted when used or expired |
You may request earlier deletion where we are not required to retain data by law.
8. International transfers
The Service runs on Dataforge infrastructure in Canada. Some service providers (PayPal, Google, Docker Hub, Telegram) operate globally and may process data in the United States and other countries under their own privacy safeguards and contractual terms.
9. Security
We protect the Service with HTTPS, hashed passwords, encrypted integration credentials, per-device API keys, rate limiting, and access controls. You are responsible for securing your portal password, MFA devices, API keys, and deploy commands, and for securing the hosts where you run detectors.
No method of transmission or storage is completely secure. If you believe your account or credentials have been compromised, contact us promptly and rotate affected keys.
10. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you;
- Request correction of inaccurate information;
- Request deletion, subject to legal retention requirements;
- Export your account-related data where technically feasible;
- Withdraw consent where processing is consent-based;
- Object to or restrict certain processing;
- Lodge a complaint with a supervisory authority.
In Canada, you may contact the Office of the Privacy Commissioner of Canada. If you are in another jurisdiction, you may contact your local data protection authority.
To exercise your rights, email legal@dataforge.on.ca from the address associated with your account. We aim to respond within 30 days. We may need to verify your identity before fulfilling a request.
If you interact with a decoy system operated by your organization, direct related requests to your organization's privacy contact as well.
11. Data breach notification
If we become aware of a breach of security safeguards involving personal information under our control that creates a real risk of significant harm, we will notify affected users and regulators as required by applicable law, as soon as feasible after we determine that the breach meets the notification threshold.
12. Children
The Service is not directed to individuals under 18. Do not create an account on behalf of a minor.
13. Changes to this policy
We may update this policy from time to time. We will post the revised version at /legal/privacy and update the "Effective date" at the top. For material changes, we will provide additional notice (for example, by email or a banner in the portal) before the change takes effect.
14. Contact
Dataforge Inc.
6-783 King Road, Burlington, Ontario L7T 3K7, Canada
Email: legal@dataforge.on.ca
© Dataforge Inc. All rights reserved.