Privacy Policy

Last updated: May 9, 2026

1. Introduction

ContrastCyber ("we", "us") operates ContrastAPI at api.contrastcyber.com. This Privacy Policy covers data we collect via the API surface (REST endpoints, MCP tools, MCP resources, MCP prompts), our HTML landing/docs pages, and our payment provider integrations. The scanner at contrastcyber.com is a separate property with its own Privacy Policy.

2. Data We Collect

2.1 API Usage Data

API request logs — endpoint category called (path parameters such as domain names, IPs, CVE IDs, emails, phone numbers, and usernames are stripped before logging), timestamp, and a hashed API key (for Pro users). Used for usage analytics and rate limit enforcement.
Hashed API keys — Pro API keys are stored as irreversible SHA-256 cryptographic hashes. The raw key is high-entropy (192-bit random) so brute-forcing the hash is computationally infeasible. We never store your raw API key after initial generation. The raw key is shown to you exactly once on the welcome page.
Order metadata (Pro only) — your NOWPayments invoice ID or Lemon Squeezy order ID, the creation timestamp, the expiry date, and the last-use timestamp. No payment-card data ever touches our server (handled entirely by the processors).
Query inputs are NOT stored — the actual values you query (domain names, IPs, CVE IDs, emails, phone numbers, usernames) are processed in real-time and discarded once the response is returned. Domain and IP lookups are temporarily cached (≤1 hour) to reduce upstream load and improve response times; the cache is keyed but never linked to your IP or key.

2.2 Technical Data

Hashed IP addresses — a one-way keyed HMAC-SHA256 hash of your IP (with a server-side secret as the HMAC key) is stored for aggregate analytics. The hash is irreversible and cannot be brute-forced without the server secret. No raw IP address is ever stored in the application database.
Rate limiting — raw IP addresses are stored temporarily in-memory for sliding-window rate limit enforcement and purged automatically. Never shared.
Server logs — standard nginx access logs retained for up to 24 hours. Path parameters and query strings are stripped to REDACTED at the nginx layer before the log line ever touches disk:
```
Before:  GET /v1/ip/8.8.8.8 HTTP/1.1
After:   GET /v1/ip/REDACTED HTTP/1.1

Before:  GET /v1/whois/example.com HTTP/1.1
After:   GET /v1/whois/REDACTED HTTP/1.1

Before:  GET /v1/cves?q=log4j HTTP/1.1
After:   GET /v1/cves HTTP/1.1
```
The log line itself contains: IP address, timestamp, HTTP method, sanitized path (as above), status code, response size, referrer URL, and user-agent string. A separate daily aggregate snapshot (per-day counts and ISO country codes only — no IPs, no paths, no query data) is retained indefinitely for product analytics.
Application logs (systemd journal) — application warning/error events record only the exception type (e.g. TimeoutException, HTTPStatusError) and the sanitized endpoint path. Query parameters, full exception messages, and stack traces are deliberately stripped before the line is emitted, so domain names, IPs, CVE IDs, hashes, and other inputs never reach the journal. Retained for 24 hours (MaxRetentionSec=1day in journald.conf).
MCP tool audit log — each MCP tool call is recorded as {timestamp, tool name, metadata flags}. Metadata flags are limited to result filtering, pagination, and sort options (e.g. severity, kev, limit, sort). Query inputs (CVE IDs, domains, IPs, emails, phone numbers, usernames, vendor and product names, free-text queries, ATLAS/D3FEND identifiers) are filtered at extraction time per the allowlist in mcp_proxy.py. String values are shape-checked (alphanumeric + ._-:,, ≤64 chars) so PII cannot be smuggled via control characters or whitespace. The log contains no IP address and no query inputs, so it is retained indefinitely for product usage analytics.
Geographic analysis — a local GeoIP database (MaxMind GeoLite2) maps IP addresses to country-level location only. No city, region, or precise location data is derived. No individual user is identified or profiled.

2.3 What We Do NOT Collect

No personal information (name, email, phone) — Free tier requires no signup; Pro tier captures only the order ID from the payment processor
No tracking cookies or session cookies
No third-party analytics (no Google Analytics, no Facebook Pixel, no fingerprinting)
No advertising data
We do not sell, rent, or share any data with third parties
We do not track users across sites
We do not store the content of API query responses (CVE details, threat lookups, etc.)
We do not store the raw queries you submit (domains, IPs, emails, etc.)

2.4 Verify It Yourself

Don't take our word for it. ContrastAPI exposes a transparency endpoint that returns every single row our database has about you — right now, in real time:

curl https://api.contrastcyber.com/v1/privacy/my-data

The response shows your hashed IP, your last 24 hours of endpoint activity (aggregated by endpoint category — no query parameters), your rate limit state, and a not_stored list explaining what is deliberately absent. Pro users additionally see their key record (order ID, creation date, expiry, last use). The endpoint points back to the exact source lines in db.py (hash_client_ip + normalize_endpoint) that enforce the privacy guarantees — so you can audit the code, not just the policy.

3. DNT & Global Privacy Control

We respect the Do Not Track (DNT) and Global Privacy Control (Sec-GPC) headers. If your browser sends either signal, we do not store any hashed IP data with your request. The API still works normally — we simply skip the analytics hash.

4. How We Use Data

Rate limiting: hashed IP (Free) or hashed key (Pro) enforces fair usage limits. Rate limit state is sliding-window and purged automatically.
Per-target throttle: we count requests per registrable domain (eTLD+1) on web-intelligence endpoints to protect third-party origins. The counter is keyed by the target, not by you.
Analytics: hashed IPs are salted with a random value, irreversible, and cannot be traced back to individual users. Used for aggregate counters (total requests/day) only.
Geographic analytics: country-level data is used for aggregate traffic analysis. Never linked to individual users or shared externally.
Pro key billing: order ID is matched against the payment processor's webhook to provision your key and confirm the payment lifecycle.

5. Data Retention

API usage logs (per-endpoint counters keyed by hashed IP): retained for 90 days, then permanently deleted (hard DELETE from the database, not anonymization).
API query caches (domain, IP): cached for up to 1 hour to improve response times, then automatically expired and purged.
Rate limit data: purged automatically (sliding window, in-memory).
Server logs (nginx access): rotated and deleted after 24 hours (forced midnight UTC rotation, rotate 1).
Application logs (systemd journal): capped at 24 hours (MaxRetentionSec=1day).
MCP tool audit log: rotated daily for compression; retained indefinitely (no IP addresses, no query inputs — only tool name + result-filter metadata for product usage analytics).
Pro API keys (hashed) + order metadata (order ID, created_at, expires_at, last_used_at): retained while the key is active. Crypto-paid keys carry an expires_at field 30 days after payment; expired keys reject requests but the row remains until manual purge. Card-paid keys are deleted upon cancellation request. To request immediate deletion of your key + order row at any time, contact us.

6. Payment Processors

We use two payment processors for Pro subscriptions:

Lemon Squeezy for card payments. Lemon Squeezy receives only the payment information you provide directly to them; we receive only the order ID and status. See Lemon Squeezy's Privacy Policy.
NOWPayments for cryptocurrency payments. NOWPayments receives only the invoice and payment data; we receive a webhook with the invoice ID, payment status, and amount. See NOWPayments Privacy Policy.

We do not share any usage data, IP addresses, queries, or response contents with either processor.

7. International Data Transfers

Our server is located in Germany (EU). If you access the Service from outside the EU, your requests are processed on this EU-based server. We do not transfer data to servers outside the EU. Payment processors operate their own infrastructure in their own jurisdictions.

8. GDPR (EU/EEA Users)

If you are located in the European Union or European Economic Area:

Legal basis: we process data based on legitimate interest (Article 6(1)(f) GDPR) — specifically, operating and securing a public API service, preventing abuse, and understanding aggregate usage patterns. For Pro subscribers, processing of order metadata is based on contract performance (Article 6(1)(b)).
Data minimization: we collect only what is necessary. IP addresses are hashed with a random salt immediately and never stored in raw form in our database. Query inputs are never persisted.
Your rights: you have the right to access, rectification, erasure, restriction of processing, data portability, and objection. Since we do not maintain user accounts and cannot link hashed data back to individuals (Free tier), most of these rights are satisfied by design.
Right to erasure: Free tier — call /v1/privacy/my-data to confirm what is held; rows are hard-deleted automatically after 90 days. Pro tier — contact us at the address below to delete the order record and revoke the key. We process requests within 30 days.
Data Protection Officer: given our small scale and minimal data processing, we have not appointed a DPO. Contact us directly for any privacy concerns.

9. KVKK (Turkish Users)

If you are located in Turkey, your rights under the Personal Data Protection Law (KVKK, Law No. 6698) are respected. You have the right to learn whether your personal data is processed, request information about processing, learn the purpose and whether data is used accordingly, know third parties to whom data is transferred, request correction or deletion, and object to automated processing. Contact us at the address below to exercise these rights.

10. Security

All data is transmitted over HTTPS. The origin uses Cloudflare Authenticated Origin Pulls (mTLS) so direct-origin bypass is rejected. We employ industry-standard server hardening, intrusion detection, file integrity monitoring, fail2ban with custom nginx-blocklist actions, and audit logging. The application is open source and available for public audit.

11. Open Source

ContrastAPI is fully open source under the MIT License. You can review exactly what data is collected by reading the source code:

github.com/UPinar/contrastapi

12. Children's Privacy

Our Service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has used our Service, contact us and we will delete any associated data.

13. Changes

We may update this Privacy Policy. Changes will be posted on this page with an updated date. Material changes will be communicated via the website.

14. Contact

For privacy questions or to exercise your rights: [email protected]