Privacy Policy

What we collect, why we collect it, how long we keep it, and the rights you have over it.

Last updated: May 17, 2026

1. Summary

FingerprintIQ provides device intelligence, bot detection, and Sybil-resistance signals. We process technical signals about devices and network requests so our customers can tell humans apart from bots, agents, and abusive automation. This policy explains what we collect, why, how long we keep it, and the rights you have over it.

We do not sell personal data. We do not run ad networks. We are a B2B SaaS — our direct customers are companies, and the end-users of those companies are the data subjects whose device signals flow through our pipeline.

2. Who we are

“FingerprintIQ”, “we”, and “us” refer to the entity operating fingerprintiq.com and the FingerprintIQ APIs. For questions about this policy, including Data Processing Agreements, sub-processor lists, or data subject requests, contact info@fingerprintiq.com. Under the GDPR we act as a data processor on behalf of our customers when handling visitor signals, and as a controller for our own account, billing, and marketing data.

3. What we collect

The data we process falls into three buckets:

1. Visitor and device signals (processed on behalf of our customers)

  • Browser signals: canvas hash, WebGL parameters, font list, audio context, screen and timezone metadata, language, hardware concurrency, plugin enumeration.
  • Network signals: IP address, ASN, geolocation derived from IP (country / region), TLS / JA4 fingerprint, HTTP header order, request timing.
  • Behavioral telemetry: page paths, referrers, request volume, navigation order, dwell time, conversion events sent by our customers.
  • Web3 signals (only when supplied by the customer or end-user): wallet addresses, ENS names, on-chain activity summaries, and Sybil-cluster heuristics derived from public chain data.
  • Server-side caller signals: API key, User-Agent, declared client identity (for Sentinel and Pulse SDKs that classify AI agents, CLIs, and browsers).
  • Derived identifiers: a hashed visitor ID and a fingerprint ID. These are pseudonymous — they identify a device, not a name.

2. Account and billing data (we are the controller)

  • Email address, name, organization, profile photo from your OAuth provider.
  • Authentication metadata (session tokens, IP at sign-in, MFA enrollment state).
  • Billing information processed by our payment provider — we store plan, status, and the last four digits of a card, never the full PAN.

3. Marketing and support data

  • Email addresses submitted through the contact form, free-tool email gate, or newsletter signups.
  • Support messages and any attachments you send us.
  • Anonymous web analytics (page views, referrers, country) about how you use fingerprintiq.com itself.

4. Why we process it

  • Provide the service. Computing visitor IDs, classifying API callers, scoring Sybil risk, surfacing detections, and powering dashboards.
  • Security and abuse prevention. Detecting fraudulent signups, blocking credential stuffing, enforcing API rate limits.
  • Improve detection quality. Aggregating signal distributions to improve classifiers — never tied back to an individual end-user account.
  • Communicate. Account notifications, security alerts, weekly insights emails, and product updates (you can opt out of non-essential email).
  • Comply with the law. Tax records, fraud investigations, lawful requests from competent authorities.

6. Retention

  • Free tier visitor events: 30 days.
  • Paid plan visitor events: 90–365 days, depending on the plan.
  • Aggregated / hashed signals: retained indefinitely in non-identifying form for model quality.
  • Account data: retained for the life of the account and 90 days after deletion, then purged.
  • Billing records: 7 years, as required by tax law.
  • Support and contact messages: 2 years after the last reply.

7. Sub-processors and sharing

We share data with a small set of vetted sub-processors that help us run the service. Each has a data processing agreement with us and is bound to use the data only for the purpose we provide it for.

  • Edge hosting and storage. Compute, edge functions, KV, durable objects, and the D1 database that store fingerprints, sessions, and events.
  • Resend. Transactional and notification email delivery.
  • Payment provider. Subscriptions, invoices, and PCI-compliant card handling.
  • OAuth providers. Google and GitHub for sign-in (when you choose them).
  • On-chain enrichment. Public RPCs and chain-data providers used to enrich wallet profiles.

We never sell personal data. We disclose data only to sub-processors, to enforce our Terms, or when required by law. A current list of sub-processors is available on request.

8. International transfers

FingerprintIQ runs on a global edge network. Visitor signals are processed at the edge node closest to the visitor and may be stored in regional data stores. Where data is transferred out of the EEA / UK, we rely on Standard Contractual Clauses with our sub-processors and apply supplementary measures (encryption in transit and at rest, pseudonymization).

9. Your rights (GDPR, CCPA, and similar)

Depending on where you live, you may have the right to access, correct, delete, restrict, port, or object to our processing of your personal data, and the right to withdraw consent without affecting the lawfulness of prior processing. California residents have additional rights under the CCPA / CPRA, including the right to know, the right to delete, the right to correct, and the right to opt out of “sharing” (we do not share or sell personal information for cross-context behavioral advertising).

For data we process on behalf of a customer (visitor signals), please contact the customer first — they are the controller and we will route the request to them if you reach us. For data we control (your FingerprintIQ account), email info@fingerprintiq.com and we will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority.

10. Cookies and similar technologies

On fingerprintiq.com we set a minimal set of first-party cookies:

  • better-auth.session_token — keeps you signed in to the dashboard.
  • fiq_tool_email — remembers that you supplied an email for our free tools.
  • Short-lived cookies used by our OAuth providers during sign-in.

The FingerprintIQ SDK that runs on customer sites does not use tracking cookies. Visitor IDs are computed from device signals and returned via API — they are not persisted in cookies by us.

11. Security

We encrypt data in transit (TLS 1.3) and at rest. Sensitive fields (API key secrets, OAuth tokens) are hashed or symmetrically encrypted with a key managed in our secrets store. Access to production data is restricted to a small set of engineers and is audit-logged. We support MFA for all dashboard accounts and recommend you enable it. If you discover a vulnerability, please report it as described in our security policy.

12. Children

FingerprintIQ is a B2B service and is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it.

13. Changes to this policy

We may update this policy as the service evolves. Material changes will be announced by email to account owners and posted here with a new “Last updated” date. Continued use of the service after a change means you accept the updated policy.

14. Contact

Questions, requests, or DPA enquiries: info@fingerprintiq.com. You can also use the contact form.
