Privacy Policy
Data Controller: IQGroup Adam Buhl, NIP: 9910389442, ul. Luboszycka 36/1, 45-128 Opole, Poland, email: privacy@iqshield.io
Introduction
This Privacy Policy describes how IQShield processes personal data of:
- Clients (website owners using the IQShield service)
- End Users (visitors to Protected Sites where the IQShield widget is installed)
IQShield was designed with privacy-by-design principles — we minimize data collection, do not use tracking cookies, do not build user profiles, and all data is processed within the European Union.
Part A: Client Data (Account Holders)
1. What data we collect
| Data | Purpose | Legal basis |
|---|---|---|
| Email, account name | Registration, login, communication | Art. 6(1)(b) GDPR — performance of contract |
| Company name, tax ID, address | Invoicing | Art. 6(1)(b) + Art. 6(1)(c) GDPR — contract + legal obligation |
| Login IP address | Account security, audit log | Art. 6(1)(f) GDPR — legitimate interest |
| Payment data | Subscription management (processed by Stripe/Paddle) | Art. 6(1)(b) GDPR |
| Dashboard usage data | Analytics, service improvement | Art. 6(1)(f) GDPR |
2. How long we retain
| Data | Retention period |
|---|---|
| Account data | Until account deletion + 30 days |
| Billing data (invoices) | 5 years (tax obligation) |
| Audit log (account operations) | 12 months |
| Payment data | Stored by Stripe/Paddle per their policy |
3. Authentication
Account authentication is handled by Supabase Auth (Supabase Inc.). Supabase processes: email, hashed password, session metadata. Supabase uses AES-256 encryption and stores data in the EU (Frankfurt region).
Part B: End User Data
This is the key section — IQShield as a CAPTCHA system processes certain End User data on behalf of the Client (as a Data Processor).
4. What data we process
IQShield processes the following data during challenge verification:
| Data | Type | Purpose | Storage |
|---|---|---|---|
| IP address | Personal data | Risk scoring (datacenter vs residential), rate limiting | Redis: challenge duration (max 60s) + PostgreSQL: verification_log (retention below) |
| User-Agent | Pseudonymized | Automation detection, environment scoring | PostgreSQL: verification_log |
| Device type | Anonymized (category) | Statistics | PostgreSQL: verification_log |
| Interaction signals | Anonymized (metrics) | Behavioral scoring | In-memory only (RAM), NOT stored to database |
| Environment fingerprint | Pseudonymized | Headless browser detection | In-memory only, NOT stored |
| Score (0.0–1.0) | Non-personal | Verification result | PostgreSQL: verification_log |
| Solve time | Non-personal | Timing analysis | PostgreSQL: verification_log |
5. What we do NOT do
❌ No cookies — zero cookies, including third-party
❌ No user profiling — each verification is independent
❌ No cross-site tracking — we do not track users across sites or sessions
❌ No data sales — we never sell data to anyone
❌ No data transfers outside EEA — all infrastructure is in the EU
❌ No navigation data — we do not know where users came from or where they go
❌ No form content processing — we only see interaction signals, not what users type
6. Behavioral signal processing details
The IQShield widget collects the following aggregated metrics (not raw data):
| Signal | What we measure | What we do NOT measure |
|---|---|---|
| Mouse movements | Shannon entropy (randomness), movement count | Specific x/y coordinates, trajectory |
| Keyboard | Keystroke count (capped at 200) | Which keys, field content |
| Scroll | Event count, scroll depth | Specific positions |
| Focus | Focus/visibilitychange event count | Which tabs are open |
| Environment | Language, CPU cores, platform, resolution, timezone (aggregated into one string) | Full browser fingerprint |
| Automation | Flags: WebDriver, Chrome DevTools Protocol, Nightmare, headless (yes/no) | Configuration details |
| Honeypot | Whether a hidden field was filled (boolean) | Field content |
All behavioral signals are processed exclusively in server memory and are never permanently stored. Only the final numerical result (score 0.0–1.0) is written to the database.
7. End User data retention
| Data | Retention | Justification |
|---|---|---|
| Challenge (Redis) | Max 60 seconds (TTL) | Time to solve the Proof-of-Work (PoW) task |
| Token (Redis) | Max 300 seconds (TTL) | Time for Client server to verify |
| Rate limit counters (Redis) | 60-second window | DDoS protection |
| Verification log (PostgreSQL) | 90 days, then automatically deleted | Client statistics, anomaly detection |
| Behavioral signals | 0 seconds (RAM only) | Processed and discarded immediately |
8. Legal basis for End User data processing
IQShield processes End User data as a Data Processor on behalf of the Client, who is the Data Controller.
- Legal basis on the Client side: Art. 6(1)(f) GDPR — legitimate interest (protecting forms against bots and spam)
- Processing basis on the IQShield side: Art. 28 GDPR — data processing agreement (DPA)
End User consent is not required, because:
- Processing is necessary for the Client's legitimate interest (security)
- IQShield does not use cookies → not subject to ePrivacy consent requirements
- Processing is minimal and proportionate to the purpose
However, the Client is required to inform End Users in their privacy policy (see section 12).
Part C: Common
9. Sub-processors
| Entity | Role | Location | Data |
|---|---|---|---|
| Supabase Inc. | Account authentication | EU (Frankfurt) | Email, password hash, Client sessions |
| Stripe / Paddle | Payments | EU + US (SCCs) | Client payment data |
| Hetzner Online GmbH | Server infrastructure | EU (Germany/Finland) | All data processed as part of the Service |
| Caddy / Let's Encrypt | SSL/TLS | — | No personal data |
IQShield notifies Clients of changes to the sub-processor list with 30 days' advance notice.
10. Security
IQShield implements the following technical and organizational measures:
- Data encryption in transit (TLS 1.2+)
- Data encryption at rest (PostgreSQL, Redis — encrypted volumes)
- Token hashing (HMAC-SHA256) — tokens are not stored in plain text
- Rate limiting at IP and Site Key level
- Audit log of administrative operations
- Principle of least privilege
- Regular dependency and OS updates
11. Data subject rights
Under the GDPR, data subjects have the right to:
- Access their data (Art. 15)
- Rectification of data (Art. 16)
- Erasure of data (Art. 17) — "right to be forgotten"
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Lodge a complaint with a supervisory authority (UODO, ul. Stawki 2, 00-193 Warsaw, Poland)
For Clients: Exercise your rights via email: privacy@iqshield.io or through the Dashboard (account deletion).
For End Users: Due to the nature of the data (IP, User-Agent — short-term technical data), access and deletion rights are exercised as follows:
- Redis data: automatically deleted after max 5 minutes
- Verification log data: identification based on IP + time range — requests should be directed to privacy@iqshield.io
- IQShield cannot identify a specific individual based on IP address alone without additional information
12. Privacy notice template for Clients
Clients should include the following information about IQShield usage in their website's privacy policy. Example text:
Bot protection
Our website uses the IQShield service (iqshield.io) to protect forms against automated spam. IQShield uses a Proof-of-Work mechanism (a computational task solved by the browser) and behavioral analysis. During verification, the IP address, browser type, and aggregated interaction metrics are processed. IQShield does not use cookies, does not build user profiles, and processes data exclusively within the EU. Legal basis: Art. 6(1)(f) GDPR (legitimate interest — website security). More information: https://iqshield.io/privacy-policy.html
13. Data transfer outside the EEA
IQShield does not transfer personal data outside the European Economic Area.
Exception: Stripe/Paddle may process Client payment data (not End User data) using Standard Contractual Clauses (SCCs) approved by the European Commission.
14. Privacy policy changes
We notify Clients of material changes to this Policy by email with 30 days' advance notice. The current version is always available at iqshield.io/privacy-policy.html.
15. Contact
For privacy and data protection inquiries:
- Email: privacy@iqshield.io
- Address: ul. Luboszycka 36/1, 45-128 Opole, Poland
Supervisory authority: Polish Data Protection Authority (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, www.uodo.gov.pl