Privacy Policy

Loxu.io is a forensic content-protection platform operated from Tel Aviv, Israel. We act as a data processor on behalf of the agencies (our customers) who subscribe to our services. Those agencies are the data controllers for the personal data of their subscribers.

Contact: legal@loxu.io

Forensic Data (collected about Subscribers on behalf of Agencies):

• —Device fingerprint — GPU hash, screen resolution, browser version, installed fonts, canvas and WebGL rendering output
• —IP address and derived geolocation (city level)
• —Internet service provider and connection type
• —Watch time — total seconds of content consumed per session
• —Access timestamps — exact date and time of each link open
• —Security events — screen capture attempts, print attempts, DevTools access, wrong password entries
• —VPN/proxy detection flag

Agency Account Data (collected directly from agencies):

• —Agency name, contact email, phone number
• —Telegram ID (if connected)
• —Google account ID (if connected via OAuth)
• —Billing information (processed by our payment provider — we do not store card numbers)
• —Session tokens and login timestamps

We process personal data under the following legal bases as defined in GDPR Article 6:

• —Art. 6(1)(b) — Contract: Agency account data is processed to perform the subscription contract.
• —Art. 6(1)(f) — Legitimate Interest: Forensic Data (device fingerprints, IP addresses, watch time) is processed under legitimate interest for fraud prevention, chargeback dispute resolution, and content-sharing deterrence. This processing does not require subscriber consent and is not gated by our cookie banner.
• —Art. 6(1)(c) — Legal Obligation: We may process data where required by applicable law (e.g. responding to a valid court order or subpoena).

Agencies, as data controllers, are responsible for establishing their own lawful basis when sharing Forensic Links with their subscribers, and for providing appropriate disclosure.

• —Forensic Data (visit records, security events, device fingerprints): retained for 90 days by default, then permanently deleted via automated daily purge.
• —Agency account data: retained for the duration of the subscription and for 30 days after account closure.
• —GDPR request logs: retained for 3 years for compliance record-keeping.
• —DPA acceptance records: retained for the duration of the agency relationship plus 5 years.
• —Session cookies: expire after 30 days of inactivity.

• —We do not sell personal data to any third party.
• —Master Blacklist: anonymised device fingerprint hashes (not raw IPs or names) are shared across agencies on the platform to prevent repeat fraud. No personally identifiable information is included.
• —Payment processors (Stripe, PayPal): billing data is processed by these providers under their own privacy policies.
• —Supabase: our database and storage provider, operating under a data processing agreement with us.
• —Legal authorities: we may disclose data in response to a valid court order, subpoena, or statutory requirement. Where legally permitted, we will notify the affected agency.

If you are a subscriber of an agency that uses Loxu.io, you may exercise the following rights:

• —Right of Access (Art. 15): Request a copy of the Forensic Data held about your device.
• —Right to Erasure (Art. 17): Request deletion of your personal data. Note: where data is retained for fraud prevention under Legitimate Interest (Art. 17(3)(e)), only the personally identifiable elements will be deleted; an anonymised fraud marker may be retained.
• —Right to Restriction (Art. 18): Request that processing of your data be restricted while a dispute is resolved.
• —Right to Portability (Art. 20): Receive your data in a structured, machine-readable format.
• —Right to Object (Art. 21): Object to processing based on Legitimate Interest. We will assess whether our legitimate grounds override your interests.

These rights are exercised via the agency that controls your data. Contact the agency directly, or email us at legal@loxu.io if you cannot reach the agency.

• —Email legal@loxu.io with subject "GDPR Data Request — [type of request]"
• —Include: your name, the agency you subscribed through (if known), and the device or IP you believe was tracked.
• —We will respond within 30 days. We may need to verify your identity before fulfilling the request.
• —If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

We use the following types of cookies:

• —Essential: agency_session — HTTP-only session cookie. Required for agency portal authentication. Always active.
• —Analytics (optional): Used to count page views and measure traffic sources. Active only if you accept analytics cookies.
• —Marketing (optional): Used for retargeting. Currently inactive — reserved for future use.

You can manage your cookie preferences at any time via the banner at the bottom of the page. Note: forensic tracking of links you open is not cookie-based and is not controlled by the cookie banner — see Section 3 for the legal basis.

• —All data is transmitted over TLS (HTTPS).
• —Forensic Data is stored in a private Supabase database with row-level security enforced at the database level.
• —Agency sessions use HMAC-signed tokens — not plain session IDs.
• —DPA documents are stored in a private storage bucket; access requires a short-lived signed URL.
• —We conduct periodic security reviews and promptly address identified vulnerabilities.

We may update this Privacy Policy from time to time. Material changes will be communicated to agencies by email at least 14 days before taking effect. The current effective date is displayed at the top of this page.