Privacy Policy
Last updated: March 21, 2026
1. Who we are
DFIR Lab ("we", "us") is a small cybersecurity startup based in Switzerland. We build digital forensics and incident response tools available at dfir-lab.ch (the "Platform").
This policy explains what data we collect, why, and how we handle it. We aim to be straightforward — we collect only what we need to run the Platform and we do not sell your data.
2. What we collect
Account data. When you sign up, we collect your name and email address. Authentication is handled by Clerk — we never store your password.
Usage data. We track which API endpoints you call and how many credits you use. This is needed for billing and rate limiting.
Analysis data. When you submit emails, URLs, IPs, or hashes for analysis, we process them to return results. We do not store submitted data beyond what is needed to deliver the analysis.
Payment data. Payments go through Stripe. We never see or store your card details — only transaction confirmations and subscription status.
Technical data. Like most web services, we collect IP addresses, browser type, and access logs for security and debugging purposes.
3. How we use your data
- To provide and operate the Platform
- To process payments and manage subscriptions
- To enforce rate limits and prevent abuse
- To communicate with you about your account
- To fix bugs and improve the Platform
- To comply with legal obligations
We do not use your data for advertising, profiling, or any purpose unrelated to running the Platform.
4. Third-party services
We use the following services to run the Platform:
- Clerk — authentication and user management (US-based)
- Stripe — payment processing (US-based)
- Convex — database and backend infrastructure (US-based)
This means your data may be processed in the United States. Each provider has its own privacy and security practices. We do not share your data with anyone else unless required by law.
5. How long we keep it
Account data is kept while your account is active. If you delete your account, we remove your personal data within 30 days.
Logs are kept for up to 12 months, then deleted.
Payment records are kept as required by Swiss tax law (up to 10 years).
Analysis data is processed in real time and not retained after delivering results.
6. Your rights
You can request access to, correction of, or deletion of your personal data at any time by emailing us. You can also export your data or ask us to stop processing it.
If you are in Switzerland, you have rights under the Swiss Federal Act on Data Protection (FADP). If you are in the EU, you have rights under the GDPR. Either way, just email us and we will help.
Contact: privacy@dfir-lab.ch
8. Changes to this policy
If we make significant changes, we will update the "Last updated" date and notify you through the Platform. Your continued use after changes means you accept the updated policy.
9. Contact
Questions about this policy? Reach out:
This Privacy Policy is governed by Swiss law.