Effective date: April 2026
CSURFACE, owner and operator of the CSURFACE Threat Sensor platform (accessible at threatsensor.csurface.io), acts as the data controller for personal data collected through the Platform, under the European Union General Data Protection Regulation (GDPR), the Brazilian General Data Protection Law (LGPD, Law 13.709/2018), and other applicable data protection legislation.
This Privacy Policy transparently describes what personal data we collect, why we collect it, how we use it, whom we share it with, how long we retain it, what rights you have over it, and how you can exercise those rights.
We take privacy seriously and adopt the principle of data minimization: we collect only the information strictly necessary to operate the Platform, ensure service security, and comply with legal obligations. We do not collect personal data without a valid legal basis.
This policy applies to all visitors, registered users (free and paid), API consumers, and any other person who interacts with the CSURFACE Threat Sensor Platform or CSURFACE's related services.
By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, you must not use the Platform.
This policy should be read together with our Terms of Service and Cookie Policy, which together form the complete set of terms governing your relationship with CSURFACE.
CSURFACE Threat Sensor is an open, free platform with no user accounts. As a result, the collection of personal data is minimal.
For service operation and security, we temporarily record technical metadata from your HTTP request:
We do not maintain accounts, do not process passwords, do not store payment data, and do not operate subscription plans. We do not use third-party tracking, advertising, or analytics cookies.
We use only strictly necessary cookies to preserve your language preference. See our Cookie Policy for complete details.
We use the connection data we collect exclusively for the following legitimate purposes:
We do not use data for: (a) third-party marketing; (b) profiling for targeted advertising; (c) training artificial intelligence models without explicit consent; (d) selling to data brokers or similar entities.
Legal bases for processing are legitimate interests (service operation, security) and legal obligation (when applicable).
Because the Platform is free, account-free, and payment-free, sharing of personal data with third parties is limited to the strict minimum necessary to operate the infrastructure.
We do not sell your personal data. CSURFACE does not sell, rent, trade, or commercialize in any way the personal data of its users with third parties. We do not share data with data brokers, advertising networks, profile aggregators, or similar entities.
We may disclose personal data when strictly necessary to: (a) comply with legal, regulatory, or tax obligations; (b) respond to subpoenas, court orders, or requests from competent authorities; (c) protect the rights, property, or safety of CSURFACE, users, or third parties; (d) investigate and prevent fraud or abuse; (e) in connection with a merger, acquisition, or asset sale, always with prior notice to users when legally permitted.
Whenever legally possible, we will notify you before disclosing your data in response to government requests, except when prohibited by law or when such notification could harm an ongoing investigation.
Our infrastructure uses hosting, storage, and CDN providers that process data on our behalf under data processing agreements (DPAs). These subprocessors are subject to strict security and confidentiality requirements.
We retain connection data only for as long as necessary to fulfill the purposes described in this policy, except when a longer period is required or permitted by law. The main retention periods are:
| Data Category | Retention Period |
|---|---|
| Operational logs (IP, User-Agent, URL path, timestamp) | 90 days |
| Audit logs (infrastructure security events) | 24 months |
| Encrypted backups (disaster recovery) | 30 days |
Aggregated and fully anonymized data, which cannot be linked to an individual, may be retained for longer periods for statistical purposes, research, and service improvement.
In cases of legal disputes, ongoing investigations, or active regulatory obligations, we may retain specific data beyond standard periods, for the time strictly necessary.
Under LGPD, GDPR, and other applicable data protection laws, you have the following rights regarding your personal data processed by CSURFACE:
To exercise any of these rights, you may:
We will respond to requests within 15 days (LGPD) or 30 days (GDPR), extendable in case of complex or high-volume requests, always with justification.
You also have the right to lodge a complaint with the National Data Protection Authority (ANPD, Brazil) or the competent data protection authority in your jurisdiction, if you believe that the processing of your data infringes applicable legislation.
We implement robust technical and organizational measures to protect your personal data against unauthorized access, improper disclosure, alteration, loss, or destruction. Our main measures include:
Despite all efforts, no system is 100% secure. If we become aware of a personal data breach that represents a risk to your rights, we will notify you and the competent data protection authority within applicable legal deadlines (72 hours under GDPR, reasonable period under LGPD).
You also play an important role in the security of your data: use strong and unique passwords, enable 2FA, do not share credentials, keep your browser and operating system updated, and report suspicious activity to [email protected].
CSURFACE may process and store personal data on servers located in jurisdictions different from yours, including countries outside Brazil or the European Union, depending on the location of our infrastructure and subprocessor providers.
[PLACEHOLDER — Specific list of countries where data is processed will be published here after final legal review, including information about the hosting provider and geographic regions used.]
When we transfer personal data to jurisdictions that do not offer a level of protection considered adequate by Brazilian or European authorities, we adopt appropriate safeguard mechanisms, such as:
You may request more information about specific international transfers applicable to your data and the safeguard mechanisms adopted through [email protected].
The CSURFACE Threat Sensor Platform is not intended for users under 18 years of age. We do not intentionally collect personal data from minors under 18, since the content and nature of the platform (professional threat intelligence) are intended exclusively for adult professionals.
If we become aware that we have inadvertently collected personal data from a minor under 18 without proper legal authorization, we will take measures to delete such information from our systems as soon as possible.
If you are a parent, legal guardian, or caretaker and believe that a minor under your responsibility has provided us with personal data, contact us immediately at [email protected] so that we can remove the relevant information.
This Privacy Policy may be updated periodically to reflect changes in our practices, new Platform features, changes in legal requirements, or improvements in data protection measures.
When we make material changes to this policy, we will notify you by email to the address associated with your account, with reasonable advance notice of the effective date of the new practices. The date of the last update will always be displayed at the top of this page.
For significant changes that affect how we use your data, we may request your explicit consent again, when legally required.
Continued use of the Platform after the effective date of the changes constitutes your agreement with the updated version of this policy. If you do not agree with the changes, you must discontinue use of the Platform and may request deletion of your account.
Previous versions of this Privacy Policy may be made available upon request to [email protected] for historical reference and transparency purposes.
For privacy questions, exercise of data subject rights, deletion or data access requests, or complaints related to the processing of personal data, contact us:
We will respond to all legitimate requests within applicable legal deadlines. For urgent requests related to security incidents, use [email protected].
Effective date of this Policy: April 2026