Privacy Policy
Last updated: July 14, 2026
1. Data Controller (Art. 13(1)(a) GDPR)
The controller within the meaning of the GDPR is:
For data protection inquiries, contact us directly at team@blackwall.report or via our contact form.
2. Purposes and Legal Bases (Art. 13(1)(c) GDPR)
We process your personal data for the following purposes:
Contract Performance (Art. 6(1)(b) GDPR)
- Provision of the domain abuse reporting platform
- Processing and tracking your reports
- Communication about the status of your reports
- Provision of user accounts
- AI-powered report triage and analysis
- AI Chatbot assistance for cybersecurity queries
Legitimate Interests (Art. 6(1)(f) GDPR)
- Combating domain abuse and cybercrime
- Forwarding to hosting providers and registrars
- Platform security
- Improvement of our services
- Automated AI-based threat assessment and report quality screening
Consent (Art. 6(1)(a) GDPR)
- Sharing your report in the community (optional)
- Contact for follow-up questions (optional)
Legal Obligation (Art. 6(1)(c) GDPR)
- Retention obligations
- Cooperation with law enforcement in cases of serious crimes
3. Categories of Data Processed (Art. 13(1)(d) GDPR)
Account Data
- Email address
- Username (optional)
- Profile information (optional)
Usage Data
- IP address (for security purposes)
- Access timestamps
- Browser type and version
Report Data
- Reported URLs and domains
- Technical indicators (hashes, IP addresses of reported sites)
- Evidence material (screenshots, logs)
- Descriptions and comments
Communication Data
- Support-inbox messages and attachments
- Direct messages between users (encrypted at rest)
- Forum posts and comments (public)
- Contact-form submissions
Security & Session Data
- Password (salted + hashed, never stored in plaintext)
- MFA/TOTP secrets (encrypted)
- Login history, session IDs, device fingerprint hash
- Rate-limit counters
Billing Data (paid plans only)
- Stripe customer ID and subscription status
- Invoice metadata (amount, currency, plan)
- Card data is never stored on our servers: handled directly by Stripe
What we do with this data: in plain language
- Account Data: authenticate you, contact you about your reports, show your public profile if you enabled one.
- Report Data: triage the report (partly automated, see §12), forward evidence to the responsible hoster/registrar/CERT for takedown, optionally publish a redacted community version if you opted in.
- Evidence Material: preserved as a forensic snapshot to support takedown requests and, in serious cases, law-enforcement referrals.
- Usage & Security Data: detect abuse, block bots, investigate incidents, keep an audit trail of admin actions.
- Communication Data: deliver messages between you and support / other users; moderate content against our community rules.
- Billing Data: manage your subscription, issue invoices, comply with tax-law retention obligations.
What we do NOT do: we do not sell your data, we do not run advertising, we do not build behavioural profiles for marketing, and we do not share your identity with the operators of the domains you report against.
4. Data Recipients & Third-Party Processors (Art. 13(1)(e), Art. 28 GDPR)
Your data may be shared with the following recipients and processors:
A. Takedown Recipients
To achieve the purpose of the platform: taking abusive infrastructure offline: we forward parts of a report to the actors that can act on the reported domain. What is sent, to whom, and why:
Hosting Providers
What we send: the reported URL/domain, category (phishing / malware / scam / …), technical indicators (IPs, hashes, screenshots, HTTP evidence), and a short abuse narrative.
What we do NOT send: the reporter's email, account ID, IP, or any other identifying data.
Why: to request removal of the abusive content under the provider's Acceptable Use Policy. Legal basis: Art. 6(1)(f) GDPR.
Domain Registrars & Registries
What we send: the abusive domain, category, and evidence sufficient to justify a suspension (RFC 3013 / ICANN abuse-reporting standard).
Why: to suspend or lock domains that are clearly used for phishing, malware distribution, or fraud. Legal basis: Art. 6(1)(f) GDPR.
CDN / DDoS Providers (e.g. Cloudflare, Akamai, Fastly)
What we send: the reported URL, the CDN-facing hostname, category and evidence: only when the CDN is the effective front for the abusive site and the origin is masked.
Why: to trigger the CDN's abuse workflow (typically forwarding to the origin host or, in severe cases, interstitial warning / termination). Legal basis: Art. 6(1)(f) GDPR.
Note: Cloudflare is also a processor of ours for our own site (see §B): that is a separate role.
CERTs / National Response Teams (e.g. CERT-Bund, CERT-EU, national CSIRTs)
What we send: structured incident data (domain, IOC list, category, timestamps) for coordinated response, particularly for campaigns hitting critical infrastructure.
Why: to support NIS2-aligned incident coordination. Legal basis: Art. 6(1)(f) GDPR.
Blocklist / Threat-Intel Feeds (e.g. Google Safe Browsing, PhishTank, APWG)
What we send: the confirmed malicious URL/domain and category: no reporter data.
Why: to protect end-users at browser and gateway level. Legal basis: Art. 6(1)(f) GDPR.
Law-Enforcement Agencies (e.g. BKA, LKA, Europol, national police cybercrime units)
What we send: only on a valid legal request (subpoena, court order, MLAT) or when we ourselves report a serious crime (e.g. large-scale fraud, CSAM, threats to life). Disclosure may then include the full report, evidence chain, and: where legally required: reporter identity, IP and timestamps.
Legal basis: Art. 6(1)(c) GDPR (legal obligation) and/or Art. 6(1)(f) GDPR (overriding legitimate interest in prosecuting cybercrime). Every disclosure is logged in our internal audit trail.
Affected Brands / Trademark Owners (opt-in for Company tier)
What we send: reports impersonating their brand, with evidence: to enable their own takedown / trademark actions. Only when the brand has an active watchlist subscription with us.
Why: Art. 6(1)(b) GDPR (contract with the brand) for the brand relationship; Art. 6(1)(f) GDPR for the reported infrastructure data.
Reporter protection rule: by default the reporter is never named to any of the above recipients. The only exceptions are (1) a valid law-enforcement request compelling disclosure, or (2) you as the reporter explicitly requested to be named (e.g. a rights holder filing under their own name).
B. Data Processors (Art. 28 GDPR)
The following third-party services process data on our behalf under Data Processing Agreements (DPA/AV-Vertrag):
Supabase Inc.
Database hosting, authentication, file storage, and backend functions. Region: EU (Frankfurt, eu-central-1). Privacy Policy
Resend Inc.
Transactional email delivery (report status notifications, security alerts, and outbound takedown communication to hosters/registrars). Sending domain: blackwall.report. Privacy Policy
Cloudflare, Inc.
CDN, DDoS protection, TLS termination and bot mitigation (Turnstile CAPTCHA). Processes IP addresses and request metadata at the edge. EU data-processing addendum in place. Privacy Policy
Firecrawl (Mendable Inc.)
Web scraping of reported malicious URLs for evidence preservation. Only URLs of reported domains are processed: no personal user data is transmitted. Privacy Policy
Stripe Payments Europe, Ltd.
Payment processing for paid subscriptions (checkout, billing portal, subscription lifecycle). Only users who initiate a paid plan transmit payment data; card details never touch our servers. EU-US Data Privacy Framework certified. Privacy Policy
Discord Inc. (optional)
Only if you voluntarily link your Discord account: your Discord user ID and role assignments are synced to grant tier-based server access. You can disconnect at any time in your settings. Privacy Policy
Lovable AI Gateway (Google Gemini models)
Automated report triage, threat analysis, takedown-draft generation and AI copilot. No reporter identity (email, account ID) is sent to AI models: only domain names, technical indicators and the report body needed for classification. Data is not used for model training.
Important: Your email address will never be shared with third parties without your explicit consent, unless required by law.
4a. Evidence Preservation for Abuse Prevention (Art. 6(1)(f) GDPR)
Our Evidence Vault captures forensic snapshots of reported malicious websites (HTML source, screenshots, DNS records, WHOIS data) to create legally admissible evidence chains for takedown requests and potential law enforcement referrals.
Legal Basis: Legitimate Interest (Art. 6(1)(f) GDPR)
The preservation of evidence material from reported abusive websites serves the overriding legitimate interest of combating cybercrime and protecting internet users from fraud, phishing, and malware distribution. This interest outweighs the privacy interests of operators of demonstrably abusive infrastructure, as established under the balancing test required by Art. 6(1)(f) GDPR.
Should personal data (e.g., from an imprint on a phishing page) appear in captured snapshots, this data is stored exclusively for evidence purposes, access-restricted, and deleted according to our retention schedule (1 year after report closure).
4b. Anonymous Reports: Forensic Signals (Art. 6(1)(f) GDPR)
When a report is submitted without an account, we additionally record a small set of forensic signals about the submitter to prevent abuse (spam, joe-jobs, duplicate submissions) and to enable law-enforcement cooperation in serious cases.
Data collected for anonymous reports
- IP address
- Approximate geo-location (country, region, city): derived from Cloudflare edge headers
- Timezone and preferred language
- Browser, browser version, operating system and device type (parsed from the User-Agent)
- The email address you enter for status updates
Legal basis: Legitimate Interest (Art. 6(1)(f) GDPR)
Processing these signals is necessary to protect the platform and the abuse-report pipeline from misuse. Without them we cannot meaningfully rate-limit anonymous submissions, correlate duplicate reports, or hand over structured records to law enforcement when required.
No third-country transfer
Geo-location is derived exclusively from Cloudflare edge headers already present on the request. We do not forward your IP address to any third-party geo-IP service.
Retention
Forensic signals are automatically nullified as soon as the report reaches a terminal state (solved, invalid, rejected) or at the latest after 90 days. After 90 days the associated email is also replaced with deleted@anonymous.user.
Your right to erasure: you can delete all personal data associated with an anonymous report at any time via /report/status using the report ID and the email you submitted with.
5. Data Transfers to Third Countries (Art. 13(1)(f) GDPR)
Our infrastructure is located in the European Union. Transfers to third countries only occur when:
- An adequacy decision by the EU Commission exists (Art. 45 GDPR)
- Standard contractual clauses have been agreed upon (Art. 46(2)(c) GDPR)
- The transfer is necessary for the establishment of legal claims (Art. 49(1)(e) GDPR)
EU-Based Infrastructure: Your data is primarily processed and stored within the EU.
6. Storage Duration (Art. 13(2)(a) GDPR)
7. Your Rights (Art. 15-22 GDPR)
You have the following rights regarding your personal data:
Right of Access (Art. 15 GDPR)
You can request information about the data we process.
Right to Rectification (Art. 16 GDPR)
You can request correction of inaccurate data.
Right to Erasure (Art. 17 GDPR)
You can request deletion of your data, provided no legal retention obligations exist.
Right to Restriction (Art. 18 GDPR)
You can request restriction of processing.
Right to Data Portability (Art. 20 GDPR)
You can receive your data in a commonly used format.
Right to Object (Art. 21 GDPR)
You can object to processing based on legitimate interests.
Withdrawal of Consent (Art. 7(3) GDPR)
You can withdraw given consents at any time with effect for the future.
8. Right to Complain (Art. 77 GDPR)
You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data violates the GDPR.
Competent supervisory authority (Germany)
As Blackwall operates as a US LLC, EU data subjects may lodge complaints with the supervisory authority of their habitual residence, place of work, or place of the alleged infringement: see the Legal Notice for our EU representative (Art. 27 GDPR) once appointed.
A list of EU supervisory authorities can be found at: European Data Protection Board
9. Technical and Organizational Measures (Art. 32 GDPR)
We implement the following security measures:
- TLS/HTTPS encryption for all data transmissions
- Encrypted storage of passwords
- Regular security audits
- Access controls and logging
- Automatic backups with encryption
10. Cookies and Local Storage
We use the following technologies:
Essential Cookies
Required for authentication and basic functionality. Legal basis: Art. 6(1)(b) GDPR.
Analytics (optional, consent-based)
Anonymous, first-party usage analytics to help us improve the platform. Only loaded after you actively opt in via the cookie banner. No cross-site tracking, no advertising cookies, no data sold to third parties. Legal basis: Art. 6(1)(a) GDPR (consent): withdrawable at any time by clearing your consent in the browser storage.
Local Storage
For session data and user preferences. No tracking purposes.
We do not use third-party advertising or cross-site tracking. Analytics remain fully optional and off by default.
14. Contact
For questions regarding data protection, please contact us via our contact form.
We will respond to your inquiry within 30 days in accordance with Art. 12(3) GDPR.
11. Automated Decision-Making & AI Triage (Art. 22 GDPR)
Incoming reports are pre-classified by an AI triage system (severity score, category, duplicate detection, spam filter). This is a preparatory step: it prioritises the review queue but does not produce a legally binding decision on its own.
- Every takedown, forwarding or publication decision is confirmed by a human team member.
- Reports rejected as spam can be appealed via the contact form; a human will re-review.
- The AI receives only report content and technical indicators: no reporter identity.
Because there is no solely-automated decision with legal or similarly significant effect on you as a data subject, Art. 22(1) GDPR does not apply. Your right to object to processing based on legitimate interests (Art. 21 GDPR) remains fully available.
12. Data About Third Parties in Reports (Art. 14 GDPR)
A report about a malicious website may contain personal data of third parties: typically the operators, registrants or administrators of that infrastructure (e.g. imprint entries, WHOIS records, contact addresses embedded in phishing content).
Source of the data: the reported website itself, publicly available registries (WHOIS/RDAP), and open-source intelligence.
Legal basis: Legitimate interest in preventing and investigating cybercrime (Art. 6(1)(f) GDPR). Notification of the affected persons under Art. 14(5)(b) GDPR would seriously impair the purpose of the processing (takedown of abusive infrastructure).
Recipients: as set out in §4: hosters, registrars, CERTs and, in serious cases, law-enforcement authorities.
13. Minors (Art. 8 GDPR)
Blackwall is not directed at children. Accounts are intended for users aged 16 and older. If we become aware that a user under 16 has created an account without parental consent, we will delete the account and associated data without undue delay.
15. Changes to this Policy
We may update this Privacy Policy to reflect changes to our services, processors or legal requirements. Material changes (new processors, new data categories, changed retention, changed legal bases) will be announced in-app and, for registered users, by email at least 14 days before they take effect. The date at the top of this page always reflects the last update.
