Privacy Policy

Effective: May 10, 2026
Last updated: May 10, 2026

This Privacy Policy explains what personal data Cloudmarlin LLC, a Delaware limited liability company ("Cloudmarlin", "we"), collects when you use cloudmarlin (the "Service"), why we collect it, how we use it, and what choices you have. It applies to cloudmarlin.com and any subdomain operated by Cloudmarlin.

For uploaded PCAPs: packet captures often contain personal data of third parties — IP and MAC addresses, hostnames, DNS queries, HTTP headers, and unencrypted application traffic. When you upload a PCAP, you act as the controller of the personal data inside it; Cloudmarlin acts as a processor on your instructions. Your responsibility to have a lawful basis for that processing is described in our Terms of Service.

Who we are

The data controller for personal data collected through the Service is:

Cloudmarlin LLC
A Delaware limited liability company
Privacy contact: privacy@cloudmarlin.com

What we collect

2.1 Information you provide

  • Account details: email address, password (stored as a one-way bcrypt hash), and (if you sign in with Google) your Google account ID, name, and email.
  • Billing details: handled directly by Stripe. Cloudmarlin does not receive or store your full payment card number; we receive only a non-reversible Stripe customer/subscription identifier and the metadata required to issue receipts.
  • Uploaded PCAPs and the reports we generate from them. PCAPs may contain third-party personal data; see the callout above.
  • Communications: email you send to support@, privacy@, or similar inboxes.

2.2 Information collected automatically

  • Server logs: requests we receive include your IP address, user-agent string, the URL requested, status code, and timestamp. Logs are retained for up to 30 days for security and operational diagnostics.
  • Session cookies: a single signed cookie named session is set on login to keep you authenticated. It is essential to providing the Service.
  • Anti-abuse signals: on signup, hCaptcha collects information from your browser to evaluate whether the request is automated. See hCaptcha's privacy policy.

2.3 What we do not collect

  • We do not use third-party advertising or behavioral analytics on the Service.
  • We do not sell or share your personal information for cross-context behavioral advertising.
  • We do not train any machine-learning model on your uploaded PCAPs or reports.

Why we use it

We process personal data for the following purposes (with the GDPR lawful basis indicated where relevant):

  • Provide the Service — running scans, generating reports, displaying results to you. (Performance of contract.)
  • Operate accounts and billing — authenticating you, processing payments, managing subscriptions. (Performance of contract.)
  • Security and abuse prevention — detecting unauthorized use, rate-limiting, hCaptcha. (Legitimate interest in keeping the Service available.)
  • Communicate with you — verification emails, billing receipts, security notices. (Performance of contract; legitimate interest.)
  • Comply with law — responding to lawful requests, preserving records when required. (Legal obligation.)

Who we share it with

We share personal data only with the third-party processors that help us run the Service. The current list is published at /subprocessors and is summarized below:

  • Hetzner Online GmbH (Germany) — hosting and storage.
  • Stripe, Inc. (USA, with Stripe Payments Europe Ltd. for EU customers) — payment processing.
  • ActiveCampaign, LLC d/b/a Postmark (USA) — transactional email delivery.
  • Google LLC (USA) — OAuth identity verification, only for users who choose "Sign in with Google".
  • Intuition Machines, Inc. (hCaptcha) (USA) — bot detection on signup.

We may also disclose information when required by law, court order, or government request, or to protect the rights, property, or safety of Cloudmarlin, our users, or the public. If Cloudmarlin is involved in a merger, acquisition, or asset sale, we will provide notice before personal data is transferred and becomes subject to a different privacy policy.

How long we keep it

| Data category | Retention |
| --- | --- |
| Anonymous PCAP uploads and reports | 24 hours from upload, then permanently deleted. |
| Authenticated reports (free and paid) | While your account is active; deletable at any time from your account. |
| Account profile and credentials | While your account is active; deleted within 30 days of account closure. |
| Pending email-verification tokens | 24 hours, then deleted. |
| Server access logs | Up to 30 days. |
| Billing records | As required by tax and accounting law (typically 7 years). |

International transfers

Cloudmarlin's primary hosting is in Germany (Hetzner). When you upload data to the Service, it is processed and stored in the European Union. Some of our subprocessors (Stripe, Postmark, Google, hCaptcha) are based in the United States; transfers to them rely on Standard Contractual Clauses or, where applicable, the EU-US Data Privacy Framework. Where Cloudmarlin is the importer (e.g., from a UK or EU customer's perspective), we maintain appropriate safeguards.

Cookies

cloudmarlin uses one essential cookie:

| Name | Purpose | Lifetime |
| --- | --- | --- |
| session | Keeps you signed in across requests and protects against CSRF. | Cleared when you log out or your browser session ends. |

This cookie is strictly necessary to operate the Service and is exempt from consent requirements under the EU ePrivacy Directive and equivalent laws. We do not use advertising, analytics, or tracking cookies on the Service. The hCaptcha widget on the signup page may set its own cookies under hCaptcha's control; see hCaptcha's privacy policy.

Security

We use TLS 1.2+ for all traffic, store passwords as bcrypt hashes, and apply security headers including a strict Content-Security-Policy on the Cloudmarlin-controlled surface. Access to the production environment is restricted to authorized personnel and audited. No system is perfectly secure; we will notify affected users and supervisory authorities of personal-data breaches as required by law.

Your rights (EU/UK)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:

  • Request access to the personal data we hold about you;
  • Request rectification of inaccurate data;
  • Request erasure of your data ("right to be forgotten");
  • Request restriction of processing;
  • Receive your data in a portable format;
  • Object to processing based on legitimate interest;
  • Withdraw consent where we rely on consent (without affecting prior processing); and
  • Lodge a complaint with your national data-protection authority.

To exercise any of these rights, email privacy@cloudmarlin.com. We respond within 30 days; we may request information to verify your identity before acting on a request.

Your rights (California residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA gives you the right to:

  • Know what categories of personal information we collect, the sources, and the purposes;
  • Access the specific pieces of personal information we hold about you;
  • Delete your personal information, subject to legal exceptions;
  • Correct inaccurate personal information;
  • Opt out of sale or sharing of personal information for cross-context behavioral advertising. We do not sell or share personal information for these purposes, so there is nothing to opt out of; and
  • Be free from discrimination for exercising any of these rights.

To exercise these rights, email privacy@cloudmarlin.com. We do not use "sensitive personal information" as that term is defined in the CPRA outside of providing the Service.

Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided personal information to us, contact privacy@cloudmarlin.com and we will delete it.

Changes

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. We will notify users of material changes by email or by a banner on the Service.

Contact

For privacy questions or to exercise your rights, contact privacy@cloudmarlin.com. For other inquiries, see our Terms of Service.