GDPR Notice

Data protection rights for individuals in the European Economic Area. PhishDestroy is committed to GDPR compliance.

Updated Feb 26, 2026

EU Data Protection Commitment

This notice applies to individuals in the European Economic Area (EEA) and United Kingdom. PhishDestroy respects your privacy and processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679.

Data Controller

PhishDestroy is a volunteer-driven, non-profit anti-phishing project. For the purposes of GDPR, the PhishDestroy project acts as the data controller for any personal data processed through our services. Contact our data protection point of contact at privacy@phishdestroy.io.

What Personal Data We Process

We collect and process minimal personal data, limited to what is strictly necessary for our anti-phishing mission:

  • Threat report submissions: Domain names, URLs, wallet addresses, and any evidence you voluntarily provide when reporting a threat.
  • Technical data: IP addresses, user agent strings, and access timestamps collected automatically for security and abuse prevention.
  • Analytics data: Anonymized usage statistics through Google Analytics (Google Tag Manager) to understand how our services are used.
  • Communication data: Email addresses or Telegram usernames when you contact us directly.

We do not collect financial data, identity documents, or any special categories of personal data (Article 9 GDPR).

Legal Basis for Processing

We process personal data under the following legal bases as defined in Article 6(1) GDPR:

  • Legitimate interest (Art. 6(1)(f)): Processing threat intelligence data, IP addresses, and technical metadata to protect internet users from phishing and fraud. Our legitimate interest is the prevention of cybercrime and protection of the public.
  • Consent (Art. 6(1)(a)): When you voluntarily submit a threat report or contact us. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): When we are required to comply with lawful requests from authorities or court orders.

Your Rights Under GDPR

As a data subject in the EEA/UK, you have the following rights:

  • Right of access (Art. 15): Request a copy of your personal data we hold.
  • Right to rectification (Art. 16): Request correction of inaccurate personal data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18): Request that we limit processing of your data.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email privacy@phishdestroy.io with the subject line "GDPR Request". We will respond within 30 days as required by law. No fee is charged for reasonable requests.

Data Retention

We retain personal data only as long as necessary for our stated purposes:

  • Threat intelligence data: Retained indefinitely as part of the public record of phishing infrastructure. Domain names, URLs, and associated technical indicators are not considered personal data of the reporter.
  • Server logs (IP, user agent): Retained for up to 90 days for security and abuse prevention, then automatically purged.
  • Communication records: Retained for up to 12 months after last interaction, unless ongoing correspondence requires longer retention.
  • Analytics data: Anonymized and aggregated; individual-level data is not retained beyond what Google Analytics processes under its own data retention settings.

International Data Transfers

PhishDestroy infrastructure is distributed across multiple jurisdictions. When personal data is transferred outside the EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Adequacy decisions where applicable (e.g., transfers to countries with adequate data protection).
  • Necessity for the performance of our public-interest mission (Art. 49(1)(d) GDPR) in limited cases.

Third-Party Services

We use the following third-party services that may process personal data:

Security Measures

We implement appropriate technical and organizational measures to protect personal data, including encrypted connections (TLS/HTTPS), access controls, and regular security reviews. See our Security Policy for details.

Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU Data Protection Authorities is available at edpb.europa.eu.

Changes to This Notice

We may update this GDPR notice to reflect changes in our practices or applicable law. The "Last Updated" date in the page metadata will be revised accordingly. Continued use of our services after changes constitutes acceptance of the updated notice.

Contact

For all data protection inquiries, requests, or complaints:

  • Email: privacy@phishdestroy.io
  • Subject line: GDPR Request (for formal requests) or Privacy Inquiry (for general questions)
