Privacy Policy

Last updated: July 10, 2026

1. Data We Collect

AbuseGraph processes the following data on behalf of our customers (data controllers):

  • • IP address (for geo, ASN, VPN detection, velocity tracking)
  • • Email address (SHA-256 hashed, for identity graph linking and disposable domain detection)
  • • User-Agent string (for device fingerprinting)
  • • Browser fingerprint signals (canvas, WebGL, audio, hardware)
  • • Behavioral signals (mouse movement, keystroke timing — <1KB snapshot)
  • • Timestamps (for velocity and anomaly detection)

2. Legal Basis (GDPR)

We process personal data under Article 6(1)(f) — legitimate interest — for fraud prevention purposes. A Legitimate Interest Assessment (LIA) is available upon request.

3. Data Retention

  • • Raw request data (IP, fingerprint, behavioral): 30 days
  • • Anonymized aggregate statistics: 12 months
  • • Risk decisions (score, verdict, signals): 12 months
  • • Suppression list (for erasure requests): indefinite (email hash only)

4. Your Rights (GDPR / CCPA)

  • • Right to access your personal data
  • • Right to erasure ("right to be forgotten")
  • • Right to rectification
  • • Right to object to processing
  • • Right to data portability
  • • Right to opt-out of sale/sharing (CCPA)

To exercise these rights, contact privacy@abusegraph.com.

5. Subprocessors

We use managed cloud infrastructure under Data Processing Agreements. Contact privacy@abusegraph.com for the current subprocessor list.

6. Data Residency

Customer data is stored in our managed database. EU residency is available on request. Contact us for data residency requirements.

7. Contact

For privacy questions or data requests: privacy@abusegraph.com