Privacy Policy
01 —
Introduction & Who We Are
CraxsRatInfo (craxsratinfo.com) is an independent cybersecurity research and education platform dedicated to documenting, analysing, and helping users defend against CraxsRat and related Android malware threats. All content published on this site is strictly informational and defensive in nature — we do not distribute, host, or facilitate any malicious software.
This Privacy Policy explains exactly what personal data we collect when you visit or interact with our site, why we collect it, how it is stored and protected, and what rights you hold as a visitor. We are committed to full compliance with the General Data Protection Regulation (GDPR).
02 —
Data Controller
For the purposes of the GDPR, the data controller responsible for your personal data is:
03 —
What Data We Collect & Why
We collect only the minimum data necessary to operate this site. Below is a full breakdown:
| Data Type | Source | Purpose | Legal Basis (GDPR) |
|---|---|---|---|
| Anonymised analytics | Ahrefs Analytics | Understanding how visitors navigate the site to improve content | Legitimate interest (Art. 6(1)(f)) |
| Browser & device type | Analytics cookies | Site performance optimisation and error detection | Legitimate interest (Art. 6(1)(f)) |
| Country-level geolocation | Analytics cookies | Understanding audience distribution | Legitimate interest (Art. 6(1)(f)) |
| Referral sources | Analytics cookies | Knowing how visitors discover the site | Legitimate interest (Art. 6(1)(f)) |
Our report forms (Report Suspicious App, Report a Problem, Security Report) are currently client-side only placeholder forms. No form data is collected, stored, processed, or transmitted to any server.
04 —
What We Do Not Collect
To be unambiguous about the limits of our data practices:
- Payment or financial data — there are no paid features, subscriptions, or transactions on this site.
- User account credentials — we operate no login system, user database, or authentication service.
- Government-issued identification, health data, or any data classified as sensitive under GDPR Article 9.
- Personal names, email addresses, phone numbers, or physical addresses.
- Precise geolocation data.
- Data from children under 16 years of age — our service is not directed at minors.
We do not engage in behavioural advertising, cross-site tracking, or automated profiling that produces legal or similarly significant effects on individuals.
05 —
Cookies & Tracking Technologies
This site uses cookies and similar technologies. Cookies are small text files stored in your browser. We use them in two categories:
| Category | Examples | Purpose | Can Be Disabled? |
|---|---|---|---|
| Essential | Cookie consent preference | Required for basic site functionality | No — site won't function without them |
| Analytics | Ahrefs analytics cookies | Anonymised data to understand content performance | Yes — via our cookie banner |
Analytics data is collected in aggregate and anonymised form. We do not use advertising cookies, retargeting pixels, or social media tracking widgets embedded in our pages. You may disable non-essential cookies at any time through your browser settings or our site's cookie consent interface without loss of core functionality.
06 —
Third-Party Services & External Links
We work with a minimal set of trusted third-party services:
| Service | Purpose | Data Shared |
|---|---|---|
| Ahrefs Analytics | Anonymised site usage statistics | Anonymised page views, referral sources, device type |
| Hostinger | Website hosting & CDN delivery | Standard server logs (briefly retained) |
| Google Search Console | Site ownership verification | No visitor data — only a verification meta tag |
External links to Telegram, YouTube, X (Twitter), and Pinterest are provided for community and content purposes. Once you leave our site, those platforms' own privacy policies apply. We have no control over and accept no responsibility for their data practices.
07 —
Data Retention
We retain data only for as long as it is necessary to fulfil the purpose for which it was collected:
| Data Type | Retention Period |
|---|---|
| Anonymised analytics data | Managed by Ahrefs per their data retention policy (up to 26 months in aggregate form) |
| Cookie consent preference | 12 months, then re-prompted |
When data reaches the end of its retention period, it is permanently deleted or irreversibly anonymised. Since our site is statically generated with no database, we store no personal data on our servers.
08 —
Data Security
Given the nature of this site — a platform documenting active malware threats — we take security seriously at every layer:
- TLS/HTTPS encryption enforced across the entire site and all data in transit.
- Static site architecture — no database means minimal attack surface for data breaches.
- No storage of personally identifiable information (PII) on our servers.
- Regular dependency auditing for our codebase.
While we apply industry-standard security practices, no system is entirely immune to risk. In the event of a data breach affecting personal data, we will notify affected individuals and the relevant supervisory authority within 72 hours, as required by GDPR Article 33.
09 —
Legal Basis for Processing (GDPR)
Under the GDPR, we must have a valid legal basis for each type of data processing. We rely on one primary basis:
Legitimate Interests (Article 6(1)(f)): We process anonymised analytics data on the basis of our legitimate interest in operating and improving a functional cybersecurity education resource. We have assessed that this interest is not overridden by your fundamental rights and freedoms, given the fully anonymised nature of the analytics data and the availability of our cookie opt-out mechanism.
10 —
International Data Transfers
Our site infrastructure and some third-party processors (such as Ahrefs, headquartered in Singapore) may be based outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place — specifically, reliance on Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries that have received an EU adequacy decision.
11 —
Your Rights Under GDPR
As a data subject under the GDPR, you hold the following rights. You may exercise any of them by contacting us at privacy@craxsratinfo.com. We will respond within 30 days.
- Right of Access — obtain a copy of the data we hold about you
- Right to Rectification — correct inaccurate or incomplete data
- Right to Erasure — request deletion of your personal data
- Right to Restriction — limit how we process your data
- Right to Portability — receive your data in a structured, machine-readable format
- Right to Object — object to processing based on legitimate interests
- Right to Withdraw Consent — revoke consent at any time via our cookie banner
- Right to Lodge a Complaint — escalate to a supervisory authority
If you are dissatisfied with our response, you have the right to lodge a complaint with the supervisory authority in your country of residence. A full list of EU DPAs is available at edpb.europa.eu.
12 —
Children's Privacy
CraxsRatInfo is not directed at, nor intended for use by, individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has submitted personal data to us, please contact us immediately at privacy@craxsratinfo.com and we will delete that data without delay.
13 —
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable law, or site functionality. When we make material changes, we will update the "Last Updated" date at the top of this document.
Continued use of CraxsRatInfo after a policy update constitutes acceptance of the revised terms. We encourage you to review this policy periodically. Archived versions are available on request.