Privacy Notice

This Privacy Notice ("Notice") describes how Dataflow Forensics Inc., a Delaware corporation, doing business as Dataflow Forensics ("DFF," "we," "us," or "our"), processes personal data in connection with the Site (“Site” is the Dataflow Forensics website (df-f.com), including the DFF Labs page and any related inquiry or submission workflow).

1. Scope

This Notice applies to personal data we collect through the Site, including through contact forms, inquiry emails sent to addresses listed on the Site, cookie and analytics technologies, and any materials submitted through the Site or sent to us after you are directed by the Site to do so.

This Notice does not apply to data processed under separate written agreements, employment-related data (HR purposes), or data processed entirely outside the Site.

For HR purposes, please see our Recruitment Privacy Notice available at df-f.com

2. Controller and Contact

The controller for personal data processed under this Notice is Dataflow Forensics Inc., a Delaware corporation.

Address: 299 Park Ave Fl 2, New York, NY 10171
Privacy and data-protection inquiries: privacy@df-f.com

3. Personal Data We Collect

Depending on how you interact with the Site, we may collect the following categories of personal data (“Personal Data”):

Contact and identity data, such as name, email address, organization, title, and any information
you include in a message or form field.
Technical and usage data, such as IP address, browser type, device information, approximate
location inferred from IP address, referring pages, and interactions with the Site.
Submission-related data, such as file names, file contents, metadata, logs, archives, hashes, and
information about the fact, timing, and method of submission
Communications data, such as the content of emails, contact-form messages, and related
correspondence.
Profiling data, we use Google Analytics, a web analytics service provided by Google LLC, which collects and processes data about your interactions with our website, including pages visited, time spent on each page, referring URLs, browser type, device information, and approximate geographic location derived from your IP address through the use of cookies and similar tracking technologies, for the purposes of analyzing website traffic, understanding user behavior, and improving our services.

4. Strong Submission Warning; Data Minimization

Do not submit Personal Data, sensitive personal data, health data, payment-card data, government identifiers, credentials, secrets, privileged material, or other sensitive information unless doing so is absolutely necessary, you are legally authorized to do so, and you have removed or minimized such information wherever reasonably possible.

If you submit Personal Data through the Site or by email, you remain responsible for ensuring that your disclosure is lawful. We do not want unnecessary personal data and do not undertake any heightened or special handling obligation merely because you chose to include it.

This Notice does not convert an otherwise unsolicited Submission into a confidential or restricted-use submission.

5. Sources of Personal Data

We collect Personal Data directly from you automatically through your interaction with the Site by using analytics cookies, from the devices and browsers you use to access the Site, and from service providers that help us operate the Site and measure performance.

6. How We Use Personal Data and Legal Basis

We may use Personal Data to:

Operate, maintain, secure, troubleshoot, and improve the Site. Legal basis: our legitimate interest;
Respond to inquiries or decide whether not to respond. Legal basis: the execution of a contract or precontractual measures;
Receive, route, scan, filter, triage, and process Submissions. Legal basis: the execution of a contract or precontractual measures;
Detect abuse, misuse, fraud, malware, or technical problems. Legal basis: compliance with legal obligations or our legitimate interest;
Develop research outputs, detections, product improvements, and internal documentation. Legal basis: our legitimate interest;
analyze profiling data for website traffic patterns, measuring website performance, understanding how visitors navigate and interact with our website, identifying usage trends, and improving our content and user experience through Google Analytics, a web analytics service provided by Google LLC. The legal basis is your previous consent, expressed through the cookie banner.
Comply with law, legal process, sanctions/export-control requirements, or internal governance needs. Legal basis: compliance with legal obligations and
Protect DFF, our users, our systems, and the public. Legal basis: our legitimate interest.

If you voluntarily include personal data in a Submission, that does not prevent us from relying on lawful bases other than consent where applicable.

7. Cookies, Analytics, and Opt-Out Signals

We use cookies and similar technologies, including analytics and profiling technologies, to understand how the Site is used, maintain performance, and improve functionality

Where applicable law requires consent for non-essential cookies or analytics technologies, we seek that consent through a cookie banner or similar consent mechanism before activating non-essential tracking. If you decline or withdraw consent, non-essential cookies and analytics will not be activated for your
session. In jurisdictions where consent is not required, cookies may be used based on our legitimate interests or another lawful basis permitted by law.

Depending on configuration, analytics tools may receive online identifiers or device information.

Global Privacy Control and Opt-Out Preference Signals. We honor Global Privacy Control (GPC) and similar opt-out preference signals as required by applicable law. When we detect a GPC or similar signal, we treat it as a valid request to opt out of the sale or sharing of personal information or Personal Data associated with that browser and suppress non-essential tracking for that session. We do not currently respond to "Do Not Track" (DNT) browser signals.

8. How We Disclose Personal Data

We may disclose Personal Data to:

Service providers, hosting providers, analytics vendors, and technical contractors that help us operate the Site.
Advisors, auditors, insurers, and professional service providers.
Research collaborators where reasonably necessary for a specific, lawful research or security purpose;
Government authorities, regulators, law enforcement, courts, or other third parties where we believe disclosure is appropriate to comply with law or legal process, to protect rights or safety, or to investigate misuse; and
A buyer, successor, or other relevant third party in connection with a merger, acquisition, financing, reorganization, or asset sale
Our subsidiaries or other Group companies that may also be located outside the United States.

We do not sell personal data for monetary consideration. We do not use Personal Data submitted through the Site's inquiry or Submission workflows for cross-context behavioral advertising. Depending on the configuration of analytics or similar technologies, certain disclosures of online identifiers may be treated differently under some laws; where applicable, we rely on consent, opt-out, or other rights mechanisms required by law

9. How We Disclose Personal Data

We may disclose Personal Data to:

service providers, hosting providers, analytics vendors, and technical contractors that help us
operate the Site;
advisors, auditors, insurers, and professional service providers;
research collaborators where reasonably necessary for a specific, lawful research or security
purpose;
government authorities, regulators, law enforcement, courts, or other third parties where we
believe disclosure is appropriate to comply with law or legal process, to protect rights or safety,
or to investigate misuse; and
a buyer, successor, or other relevant third party in connection with a merger, acquisition,
financing, reorganization, or asset sale
Our subsidiaries or other Group companies that may also be located outside the United States.

We do not sell personal data for monetary consideration. We do not use Personal Data submitted through the Site's inquiry or Submission workflows for cross-context behavioral advertising. Depending on the configuration of analytics or similar technologies, certain disclosures of online identifiers may be treated differently under some laws; where applicable, we rely on consent, opt-out, or other rights mechanisms required by law

10. International Transfers

We are based in the United States, and personal data may be processed in the United States and other jurisdictions where our service providers, research collaborators operate or our affiliates.

Where required by applicable law, we use transfer mechanisms or other safeguards that we consider appropriate to the relevant processing context. However, cross-border transfers may still be subject to legal or practical risks.

11. Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Notice, as required or permitted by law, and as appropriate for our operational, security, research, evidentiary, or governance needs.

Retention is determined by the nature of the data, the purpose for which it was collected, applicable legal requirements, and our operational and research needs. Contact and inquiry data is generally retained for the duration of any active business relationship and a reasonable period thereafter. Server logs and analytics data are retained for the shorter of twelve months or the default retention period configured in our analytics tools. Submission-related data may be retained for extended periods, including indefinitely where justified by research, security, or legal needs, subject to applicable law.

Personal Data retained based on your consent or our legitimate interest will, in any event, be retained until you withdraw your consent or object to the processing.

We may retain data longer where required by law, legal process, litigation hold or the need to protect our right, security investigation, abuse prevention, or other legitimate need. Where personal data is no longer needed for any stated purpose and no legal basis for continued retention exists, we will securely delete or anonymize it.

12. Security

We use reasonable technical and organizational measures intended to protect Personal Data appropriate to the nature of the information and the relevant processing activity. However, no method of internet transmission or storage is completely secure, and we do not guarantee the security of any information transmitted to or stored by us.

The Site is not intended as a secure channel for highly sensitive or regulated data unless we expressly say otherwise in writing.

13. Your Rights

Depending on your location and applicable law, you may have rights regarding your personal data, which may include rights to request access, correction, deletion, restriction, objection, portability, withdrawal of consent where consent is the basis for processing, or complaint to a regulator.

These rights are subject to exceptions, limitations, and verification requirements under applicable law. We may decline, limit, or charge a permitted fee for requests where allowed by law, including where requests are legally exempt, manifestly unfounded, excessive, or impossible to verify.

To make a privacy request, contact privacy@df-f.com

14. Additional US State Privacy Disclosures

Residents of certain US states may have additional rights under state privacy laws. The exact rights available depend on your state of residence and the law that applies to the relevant processing activity.

We may collect identifiers, contact information, internet or network activity information, approximate geolocation inferred from IP address, professional information, and inferences drawn from usage or inquiry patterns. We use these categories for the purposes described in this Notice.

We may "share" (as that term is defined under the California Consumer Privacy Act) certain online identifiers and internet activity information with analytics providers for purposes of measuring Site performance. We do not sell personal information for monetary consideration. To opt out of sharing, you may enable Global Privacy Control in your browser or contact us at privacy@df-f.com.

Where required by applicable law, we offer consent, opt-out, or other rights mechanisms relating to analytics, cookies, targeted advertising, or similar disclosures. We do not offer financial incentives in exchange for retention, sale, or disclosure of personal data

15. Children's Privacy

The Site is not directed to children, and we do not knowingly collect personal data online from children through the Site. If you believe a child has provided personal data through the Site, contact us so that we can review and take appropriate steps.

16. Changes to This Notice

We may update this Notice from time to time by posting a revised version on the Site. The updated Notice becomes effective when posted unless otherwise stated. Where required by law, we will provide additional notice or obtain consent for material changes.

17. Contact Us

Dataflow Forensics Inc.

Address: 299 Park Ave, FL 2, New York, NY 10171

Privacy and data-protection inquiries: privacy@df-f.com

General contact: business@df-f.com

This Privacy Notice ("Notice") describes how Dataflow Forensics Inc., a Delaware corporation, doing business as Dataflow Forensics ("DFF," "we," "us," or "our"), processes personal data in connection with the Site (“Site” is the Dataflow Forensics website (df-f.com), including the DFF Labs page and any related inquiry or submission workflow).

1. Scope

This Notice applies to personal data we collect through the Site, including through contact forms, inquiry emails sent to addresses listed on the Site, cookie and analytics technologies, and any materials submitted through the Site or sent to us after you are directed by the Site to do so.

This Notice does not apply to data processed under separate written agreements, employment-related data (HR purposes), or data processed entirely outside the Site.

For HR purposes, please see our Recruitment Privacy Notice available at df-f.com

2. Controller and Contact

The controller for personal data processed under this Notice is Dataflow Forensics Inc., a Delaware corporation.

Address: 299 Park Ave Fl 2, New York, NY 10171
Privacy and data-protection inquiries: privacy@df-f.com

3. Personal Data We Collect

Depending on how you interact with the Site, we may collect the following categories of personal data (“Personal Data”):

Contact and identity data, such as name, email address, organization, title, and any information
you include in a message or form field.
Technical and usage data, such as IP address, browser type, device information, approximate
location inferred from IP address, referring pages, and interactions with the Site.
Submission-related data, such as file names, file contents, metadata, logs, archives, hashes, and
information about the fact, timing, and method of submission
Communications data, such as the content of emails, contact-form messages, and related
correspondence.

4. Strong Submission Warning; Data Minimization

Do not submit Personal Data, sensitive personal data, health data, payment-card data, government identifiers, credentials, secrets, privileged material, or other sensitive information unless doing so is absolutely necessary, you are legally authorized to do so, and you have removed or minimized such information wherever reasonably possible.

If you submit Personal Data through the Site or by email, you remain responsible for ensuring that your disclosure is lawful. We do not want unnecessary personal data and do not undertake any heightened or special handling obligation merely because you chose to include it.

This Notice does not convert an otherwise unsolicited Submission into a confidential or restricted-use submission.

5. Sources of Personal Data

We collect Personal Data directly from you, automatically through your interaction with the Site, from the devices and browsers you use to access the Site, and from service providers that help us operate the Site and measure performance.

6. How We Use Personal Data and Legal Basis

We may use Personal Data to:

Operate, maintain, secure, troubleshoot, and improve the Site. Legal basis: our legitimate interest;
Respond to inquiries or decide whether not to respond. Legal basis: the execution of a contract or precontractual measures;
Receive, route, scan, filter, triage, and process Submissions. Legal basis: the execution of a contract or precontractual measures;
Detect abuse, misuse, fraud, malware, or technical problems. Legal basis: compliance with legal obligations or our legitimate interest;
Develop research outputs, detections, product improvements, and internal documentation. Legal basis: our legitimate interest;
Comply with law, legal process, sanctions/export-control requirements, or internal governance needs. Legal basis: compliance with legal obligations and
Protect DFF, our users, our systems, and the public. Legal basis: our legitimate interest.

If you voluntarily include personal data in a Submission, that does not prevent us from relying on lawful bases other than consent where applicable.

7. Cookies, Analytics, and Opt-Out Signals

We use cookies and similar technologies, including analytics technologies, to understand how the Site is used, maintain performance, and improve functionality

Where applicable law requires consent for non-essential cookies or analytics technologies, we seek that consent through a cookie banner or similar consent mechanism before activating non-essential tracking. If you decline or withdraw consent, non-essential cookies and analytics will not be activated for your
session. In jurisdictions where consent is not required, cookies may be used based on our legitimate interests or another lawful basis permitted by law.

Depending on configuration, analytics tools may receive online identifiers or device information.

Global Privacy Control and Opt-Out Preference Signals. We honor Global Privacy Control (GPC) and similar opt-out preference signals as required by applicable law. When we detect a GPC or similar signal, we treat it as a valid request to opt out of the sale or sharing of personal information or Personal Data associated with that browser and suppress non-essential tracking for that session. We do not currently respond to "Do Not Track" (DNT) browser signals.

8. How We Disclose Personal Data

We may disclose Personal Data to:

Service providers, hosting providers, analytics vendors, and technical contractors that help us operate the Site.
Advisors, auditors, insurers, and professional service providers.
Research collaborators where reasonably necessary for a specific, lawful research or security purpose;
Government authorities, regulators, law enforcement, courts, or other third parties where we believe disclosure is appropriate to comply with law or legal process, to protect rights or safety, or to investigate misuse; and
A buyer, successor, or other relevant third party in connection with a merger, acquisition, financing, reorganization, or asset sale
Our subsidiaries or other Group companies that may also be located outside the United States.

We do not sell personal data for monetary consideration. We do not use Personal Data submitted through the Site's inquiry or Submission workflows for cross-context behavioral advertising. Depending on the configuration of analytics or similar technologies, certain disclosures of online identifiers may be treated differently under some laws; where applicable, we rely on consent, opt-out, or other rights mechanisms required by law

9. How We Disclose Personal Data

We may disclose Personal Data to:

service providers, hosting providers, analytics vendors, and technical contractors that help us
operate the Site;
advisors, auditors, insurers, and professional service providers;
research collaborators where reasonably necessary for a specific, lawful research or security
purpose;
government authorities, regulators, law enforcement, courts, or other third parties where we
believe disclosure is appropriate to comply with law or legal process, to protect rights or safety,
or to investigate misuse; and
a buyer, successor, or other relevant third party in connection with a merger, acquisition,
financing, reorganization, or asset sale
Our subsidiaries or other Group companies that may also be located outside the United States.

We do not sell personal data for monetary consideration. We do not use Personal Data submitted through the Site's inquiry or Submission workflows for cross-context behavioral advertising. Depending on the configuration of analytics or similar technologies, certain disclosures of online identifiers may be treated differently under some laws; where applicable, we rely on consent, opt-out, or other rights mechanisms required by law

10. International Transfers

We are based in the United States, and personal data may be processed in the United States and other jurisdictions where our service providers, research collaborators operate or our affiliates.

Where required by applicable law, we use transfer mechanisms or other safeguards that we consider appropriate to the relevant processing context. However, cross-border transfers may still be subject to legal or practical risks.

11. Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Notice, as required or permitted by law, and as appropriate for our operational, security, research, evidentiary, or governance needs.

Retention is determined by the nature of the data, the purpose for which it was collected, applicable legal requirements, and our operational and research needs. Contact and inquiry data is generally retained for the duration of any active business relationship and a reasonable period thereafter. Server logs and analytics data are retained for the shorter of twelve months or the default retention period configured in our analytics tools. Submission-related data may be retained for extended periods, including indefinitely where justified by research, security, or legal needs, subject to applicable law.

Personal Data retained based on your consent or our legitimate interest will, in any event, be retained until you withdraw your consent or object to the processing.

We may retain data longer where required by law, legal process, litigation hold or the need to protect our right, security investigation, abuse prevention, or other legitimate need. Where personal data is no longer needed for any stated purpose and no legal basis for continued retention exists, we will securely delete or anonymize it.

12. Security

We use reasonable technical and organizational measures intended to protect Personal Data appropriate to the nature of the information and the relevant processing activity. However, no method of internet transmission or storage is completely secure, and we do not guarantee the security of any information transmitted to or stored by us.

The Site is not intended as a secure channel for highly sensitive or regulated data unless we expressly say otherwise in writing.

13. Your Rights

Depending on your location and applicable law, you may have rights regarding your personal data, which may include rights to request access, correction, deletion, restriction, objection, portability, withdrawal of consent where consent is the basis for processing, or complaint to a regulator.

These rights are subject to exceptions, limitations, and verification requirements under applicable law. We may decline, limit, or charge a permitted fee for requests where allowed by law, including where requests are legally exempt, manifestly unfounded, excessive, or impossible to verify.

To make a privacy request, contact privacy@df-f.com

14. Additional US State Privacy Disclosures

Residents of certain US states may have additional rights under state privacy laws. The exact rights available depend on your state of residence and the law that applies to the relevant processing activity.

We may collect identifiers, contact information, internet or network activity information, approximate geolocation inferred from IP address, professional information, and inferences drawn from usage or inquiry patterns. We use these categories for the purposes described in this Notice.

We may "share" (as that term is defined under the California Consumer Privacy Act) certain online identifiers and internet activity information with analytics providers for purposes of measuring Site performance. We do not sell personal information for monetary consideration. To opt out of sharing, you may enable Global Privacy Control in your browser or contact us at privacy@df-f.com.

Where required by applicable law, we offer consent, opt-out, or other rights mechanisms relating to analytics, cookies, targeted advertising, or similar disclosures. We do not offer financial incentives in exchange for retention, sale, or disclosure of personal data

15. Children's Privacy

The Site is not directed to children, and we do not knowingly collect personal data online from children through the Site. If you believe a child has provided personal data through the Site, contact us so that we can review and take appropriate steps.

16. Changes to This Notice

We may update this Notice from time to time by posting a revised version on the Site. The updated Notice becomes effective when posted unless otherwise stated. Where required by law, we will provide additional notice or obtain consent for material changes.

17. Contact Us

Dataflow Forensics Inc.

Address: 299 Park Ave, FL 2, New York, NY 10171

Privacy and data-protection inquiries: privacy@df-f.com

General contact: business@df-f.com

This Privacy Notice ("Notice") describes how Dataflow Forensics Inc., a Delaware corporation, doing business as Dataflow Forensics ("DFF," "we," "us," or "our"), processes personal data in connection with the Site (“Site” is the Dataflow Forensics website (df-f.com), including the DFF Labs page and any related inquiry or submission workflow).

1. Scope

This Notice applies to personal data we collect through the Site, including through contact forms, inquiry emails sent to addresses listed on the Site, cookie and analytics technologies, and any materials submitted through the Site or sent to us after you are directed by the Site to do so.

This Notice does not apply to data processed under separate written agreements, employment-related data (HR purposes), or data processed entirely outside the Site.

For HR purposes, please see our Recruitment Privacy Notice available at df-f.com

2. Controller and Contact

The controller for personal data processed under this Notice is Dataflow Forensics Inc., a Delaware corporation.

Address: 299 Park Ave Fl 2, New York, NY 10171
Privacy and data-protection inquiries: privacy@df-f.com

3. Personal Data We Collect

Depending on how you interact with the Site, we may collect the following categories of personal data (“Personal Data”):

Contact and identity data, such as name, email address, organization, title, and any information
you include in a message or form field.
Technical and usage data, such as IP address, browser type, device information, approximate
location inferred from IP address, referring pages, and interactions with the Site.
Submission-related data, such as file names, file contents, metadata, logs, archives, hashes, and
information about the fact, timing, and method of submission
Communications data, such as the content of emails, contact-form messages, and related
correspondence.

4. Strong Submission Warning; Data Minimization

Do not submit Personal Data, sensitive personal data, health data, payment-card data, government identifiers, credentials, secrets, privileged material, or other sensitive information unless doing so is absolutely necessary, you are legally authorized to do so, and you have removed or minimized such information wherever reasonably possible.

If you submit Personal Data through the Site or by email, you remain responsible for ensuring that your disclosure is lawful. We do not want unnecessary personal data and do not undertake any heightened or special handling obligation merely because you chose to include it.

This Notice does not convert an otherwise unsolicited Submission into a confidential or restricted-use submission.

5. Sources of Personal Data

We collect Personal Data directly from you, automatically through your interaction with the Site, from the devices and browsers you use to access the Site, and from service providers that help us operate the Site and measure performance.

6. How We Use Personal Data and Legal Basis

We may use Personal Data to:

Operate, maintain, secure, troubleshoot, and improve the Site. Legal basis: our legitimate interest;
Respond to inquiries or decide whether not to respond. Legal basis: the execution of a contract or precontractual measures;
Receive, route, scan, filter, triage, and process Submissions. Legal basis: the execution of a contract or precontractual measures;
Detect abuse, misuse, fraud, malware, or technical problems. Legal basis: compliance with legal obligations or our legitimate interest;
Develop research outputs, detections, product improvements, and internal documentation. Legal basis: our legitimate interest;
Comply with law, legal process, sanctions/export-control requirements, or internal governance needs. Legal basis: compliance with legal obligations and
Protect DFF, our users, our systems, and the public. Legal basis: our legitimate interest.

If you voluntarily include personal data in a Submission, that does not prevent us from relying on lawful bases other than consent where applicable.

7. Cookies, Analytics, and Opt-Out Signals

We use cookies and similar technologies, including analytics technologies, to understand how the Site is used, maintain performance, and improve functionality

Where applicable law requires consent for non-essential cookies or analytics technologies, we seek that consent through a cookie banner or similar consent mechanism before activating non-essential tracking. If you decline or withdraw consent, non-essential cookies and analytics will not be activated for your
session. In jurisdictions where consent is not required, cookies may be used based on our legitimate interests or another lawful basis permitted by law.

Depending on configuration, analytics tools may receive online identifiers or device information.

Global Privacy Control and Opt-Out Preference Signals. We honor Global Privacy Control (GPC) and similar opt-out preference signals as required by applicable law. When we detect a GPC or similar signal, we treat it as a valid request to opt out of the sale or sharing of personal information or Personal Data associated with that browser and suppress non-essential tracking for that session. We do not currently respond to "Do Not Track" (DNT) browser signals.

8. How We Disclose Personal Data

We may disclose Personal Data to:

Service providers, hosting providers, analytics vendors, and technical contractors that help us operate the Site.
Advisors, auditors, insurers, and professional service providers.
Research collaborators where reasonably necessary for a specific, lawful research or security purpose;
Government authorities, regulators, law enforcement, courts, or other third parties where we believe disclosure is appropriate to comply with law or legal process, to protect rights or safety, or to investigate misuse; and
A buyer, successor, or other relevant third party in connection with a merger, acquisition, financing, reorganization, or asset sale
Our subsidiaries or other Group companies that may also be located outside the United States.

We do not sell personal data for monetary consideration. We do not use Personal Data submitted through the Site's inquiry or Submission workflows for cross-context behavioral advertising. Depending on the configuration of analytics or similar technologies, certain disclosures of online identifiers may be treated differently under some laws; where applicable, we rely on consent, opt-out, or other rights mechanisms required by law

9. How We Disclose Personal Data

We may disclose Personal Data to:

service providers, hosting providers, analytics vendors, and technical contractors that help us
operate the Site;
advisors, auditors, insurers, and professional service providers;
research collaborators where reasonably necessary for a specific, lawful research or security
purpose;
government authorities, regulators, law enforcement, courts, or other third parties where we
believe disclosure is appropriate to comply with law or legal process, to protect rights or safety,
or to investigate misuse; and
a buyer, successor, or other relevant third party in connection with a merger, acquisition,
financing, reorganization, or asset sale
Our subsidiaries or other Group companies that may also be located outside the United States.

We do not sell personal data for monetary consideration. We do not use Personal Data submitted through the Site's inquiry or Submission workflows for cross-context behavioral advertising. Depending on the configuration of analytics or similar technologies, certain disclosures of online identifiers may be treated differently under some laws; where applicable, we rely on consent, opt-out, or other rights mechanisms required by law

10. International Transfers

We are based in the United States, and personal data may be processed in the United States and other jurisdictions where our service providers, research collaborators operate or our affiliates.

Where required by applicable law, we use transfer mechanisms or other safeguards that we consider appropriate to the relevant processing context. However, cross-border transfers may still be subject to legal or practical risks.

11. Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Notice, as required or permitted by law, and as appropriate for our operational, security, research, evidentiary, or governance needs.

Retention is determined by the nature of the data, the purpose for which it was collected, applicable legal requirements, and our operational and research needs. Contact and inquiry data is generally retained for the duration of any active business relationship and a reasonable period thereafter. Server logs and analytics data are retained for the shorter of twelve months or the default retention period configured in our analytics tools. Submission-related data may be retained for extended periods, including indefinitely where justified by research, security, or legal needs, subject to applicable law.

Personal Data retained based on your consent or our legitimate interest will, in any event, be retained until you withdraw your consent or object to the processing.

We may retain data longer where required by law, legal process, litigation hold or the need to protect our right, security investigation, abuse prevention, or other legitimate need. Where personal data is no longer needed for any stated purpose and no legal basis for continued retention exists, we will securely delete or anonymize it.

12. Security

We use reasonable technical and organizational measures intended to protect Personal Data appropriate to the nature of the information and the relevant processing activity. However, no method of internet transmission or storage is completely secure, and we do not guarantee the security of any information transmitted to or stored by us.

The Site is not intended as a secure channel for highly sensitive or regulated data unless we expressly say otherwise in writing.

13. Your Rights

Depending on your location and applicable law, you may have rights regarding your personal data, which may include rights to request access, correction, deletion, restriction, objection, portability, withdrawal of consent where consent is the basis for processing, or complaint to a regulator.

These rights are subject to exceptions, limitations, and verification requirements under applicable law. We may decline, limit, or charge a permitted fee for requests where allowed by law, including where requests are legally exempt, manifestly unfounded, excessive, or impossible to verify.

To make a privacy request, contact privacy@df-f.com

14. Additional US State Privacy Disclosures

Residents of certain US states may have additional rights under state privacy laws. The exact rights available depend on your state of residence and the law that applies to the relevant processing activity.

We may collect identifiers, contact information, internet or network activity information, approximate geolocation inferred from IP address, professional information, and inferences drawn from usage or inquiry patterns. We use these categories for the purposes described in this Notice.

We may "share" (as that term is defined under the California Consumer Privacy Act) certain online identifiers and internet activity information with analytics providers for purposes of measuring Site performance. We do not sell personal information for monetary consideration. To opt out of sharing, you may enable Global Privacy Control in your browser or contact us at privacy@df-f.com.

Where required by applicable law, we offer consent, opt-out, or other rights mechanisms relating to analytics, cookies, targeted advertising, or similar disclosures. We do not offer financial incentives in exchange for retention, sale, or disclosure of personal data

15. Children's Privacy

The Site is not directed to children, and we do not knowingly collect personal data online from children through the Site. If you believe a child has provided personal data through the Site, contact us so that we can review and take appropriate steps.

16. Changes to This Notice

We may update this Notice from time to time by posting a revised version on the Site. The updated Notice becomes effective when posted unless otherwise stated. Where required by law, we will provide additional notice or obtain consent for material changes.

17. Contact Us

Dataflow Forensics Inc.

Address: 299 Park Ave, FL 2, New York, NY 10171

Privacy and data-protection inquiries: privacy@df-f.com

General contact: business@df-f.com

This Privacy Notice ("Notice") describes how Dataflow Forensics Inc., a Delaware corporation, doing business as Dataflow Forensics ("DFF," "we," "us," or "our"), processes personal data in connection with the Site (“Site” is the Dataflow Forensics website (df-f.com), including the DFF Labs page and any related inquiry or submission workflow).

1. Scope

This Notice applies to personal data we collect through the Site, including through contact forms, inquiry emails sent to addresses listed on the Site, cookie and analytics technologies, and any materials submitted through the Site or sent to us after you are directed by the Site to do so.

This Notice does not apply to data processed under separate written agreements, employment-related data (HR purposes), or data processed entirely outside the Site.

For HR purposes, please see our Recruitment Privacy Notice available at df-f.com

2. Controller and Contact

The controller for personal data processed under this Notice is Dataflow Forensics Inc., a Delaware corporation.

Address: 299 Park Ave Fl 2, New York, NY 10171
Privacy and data-protection inquiries: privacy@df-f.com

3. Personal Data We Collect

Depending on how you interact with the Site, we may collect the following categories of personal data (“Personal Data”):

Contact and identity data, such as name, email address, organization, title, and any information
you include in a message or form field.
Technical and usage data, such as IP address, browser type, device information, approximate
location inferred from IP address, referring pages, and interactions with the Site.
Submission-related data, such as file names, file contents, metadata, logs, archives, hashes, and
information about the fact, timing, and method of submission
Communications data, such as the content of emails, contact-form messages, and related
correspondence.

4. Strong Submission Warning; Data Minimization

Do not submit Personal Data, sensitive personal data, health data, payment-card data, government identifiers, credentials, secrets, privileged material, or other sensitive information unless doing so is absolutely necessary, you are legally authorized to do so, and you have removed or minimized such information wherever reasonably possible.

If you submit Personal Data through the Site or by email, you remain responsible for ensuring that your disclosure is lawful. We do not want unnecessary personal data and do not undertake any heightened or special handling obligation merely because you chose to include it.

This Notice does not convert an otherwise unsolicited Submission into a confidential or restricted-use submission.

5. Sources of Personal Data

We collect Personal Data directly from you, automatically through your interaction with the Site, from the devices and browsers you use to access the Site, and from service providers that help us operate the Site and measure performance.

6. How We Use Personal Data and Legal Basis

We may use Personal Data to:

Operate, maintain, secure, troubleshoot, and improve the Site. Legal basis: our legitimate interest;
Respond to inquiries or decide whether not to respond. Legal basis: the execution of a contract or precontractual measures;
Receive, route, scan, filter, triage, and process Submissions. Legal basis: the execution of a contract or precontractual measures;
Detect abuse, misuse, fraud, malware, or technical problems. Legal basis: compliance with legal obligations or our legitimate interest;
Develop research outputs, detections, product improvements, and internal documentation. Legal basis: our legitimate interest;
Comply with law, legal process, sanctions/export-control requirements, or internal governance needs. Legal basis: compliance with legal obligations and
Protect DFF, our users, our systems, and the public. Legal basis: our legitimate interest.

If you voluntarily include personal data in a Submission, that does not prevent us from relying on lawful bases other than consent where applicable.

7. Cookies, Analytics, and Opt-Out Signals

We use cookies and similar technologies, including analytics technologies, to understand how the Site is used, maintain performance, and improve functionality

Where applicable law requires consent for non-essential cookies or analytics technologies, we seek that consent through a cookie banner or similar consent mechanism before activating non-essential tracking. If you decline or withdraw consent, non-essential cookies and analytics will not be activated for your
session. In jurisdictions where consent is not required, cookies may be used based on our legitimate interests or another lawful basis permitted by law.

Depending on configuration, analytics tools may receive online identifiers or device information.

Global Privacy Control and Opt-Out Preference Signals. We honor Global Privacy Control (GPC) and similar opt-out preference signals as required by applicable law. When we detect a GPC or similar signal, we treat it as a valid request to opt out of the sale or sharing of personal information or Personal Data associated with that browser and suppress non-essential tracking for that session. We do not currently respond to "Do Not Track" (DNT) browser signals.

8. How We Disclose Personal Data

We may disclose Personal Data to:

Service providers, hosting providers, analytics vendors, and technical contractors that help us operate the Site.
Advisors, auditors, insurers, and professional service providers.
Research collaborators where reasonably necessary for a specific, lawful research or security purpose;
Government authorities, regulators, law enforcement, courts, or other third parties where we believe disclosure is appropriate to comply with law or legal process, to protect rights or safety, or to investigate misuse; and
A buyer, successor, or other relevant third party in connection with a merger, acquisition, financing, reorganization, or asset sale
Our subsidiaries or other Group companies that may also be located outside the United States.

We do not sell personal data for monetary consideration. We do not use Personal Data submitted through the Site's inquiry or Submission workflows for cross-context behavioral advertising. Depending on the configuration of analytics or similar technologies, certain disclosures of online identifiers may be treated differently under some laws; where applicable, we rely on consent, opt-out, or other rights mechanisms required by law

9. How We Disclose Personal Data

We may disclose Personal Data to:

service providers, hosting providers, analytics vendors, and technical contractors that help us
operate the Site;
advisors, auditors, insurers, and professional service providers;
research collaborators where reasonably necessary for a specific, lawful research or security
purpose;
government authorities, regulators, law enforcement, courts, or other third parties where we
believe disclosure is appropriate to comply with law or legal process, to protect rights or safety,
or to investigate misuse; and
a buyer, successor, or other relevant third party in connection with a merger, acquisition,
financing, reorganization, or asset sale
Our subsidiaries or other Group companies that may also be located outside the United States.

We do not sell personal data for monetary consideration. We do not use Personal Data submitted through the Site's inquiry or Submission workflows for cross-context behavioral advertising. Depending on the configuration of analytics or similar technologies, certain disclosures of online identifiers may be treated differently under some laws; where applicable, we rely on consent, opt-out, or other rights mechanisms required by law

10. International Transfers

We are based in the United States, and personal data may be processed in the United States and other jurisdictions where our service providers, research collaborators operate or our affiliates.

Where required by applicable law, we use transfer mechanisms or other safeguards that we consider appropriate to the relevant processing context. However, cross-border transfers may still be subject to legal or practical risks.

11. Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Notice, as required or permitted by law, and as appropriate for our operational, security, research, evidentiary, or governance needs.

Retention is determined by the nature of the data, the purpose for which it was collected, applicable legal requirements, and our operational and research needs. Contact and inquiry data is generally retained for the duration of any active business relationship and a reasonable period thereafter. Server logs and analytics data are retained for the shorter of twelve months or the default retention period configured in our analytics tools. Submission-related data may be retained for extended periods, including indefinitely where justified by research, security, or legal needs, subject to applicable law.

Personal Data retained based on your consent or our legitimate interest will, in any event, be retained until you withdraw your consent or object to the processing.

We may retain data longer where required by law, legal process, litigation hold or the need to protect our right, security investigation, abuse prevention, or other legitimate need. Where personal data is no longer needed for any stated purpose and no legal basis for continued retention exists, we will securely delete or anonymize it.

12. Security

We use reasonable technical and organizational measures intended to protect Personal Data appropriate to the nature of the information and the relevant processing activity. However, no method of internet transmission or storage is completely secure, and we do not guarantee the security of any information transmitted to or stored by us.

The Site is not intended as a secure channel for highly sensitive or regulated data unless we expressly say otherwise in writing.

13. Your Rights

Depending on your location and applicable law, you may have rights regarding your personal data, which may include rights to request access, correction, deletion, restriction, objection, portability, withdrawal of consent where consent is the basis for processing, or complaint to a regulator.

These rights are subject to exceptions, limitations, and verification requirements under applicable law. We may decline, limit, or charge a permitted fee for requests where allowed by law, including where requests are legally exempt, manifestly unfounded, excessive, or impossible to verify.

To make a privacy request, contact privacy@df-f.com

14. Additional US State Privacy Disclosures

Residents of certain US states may have additional rights under state privacy laws. The exact rights available depend on your state of residence and the law that applies to the relevant processing activity.

We may collect identifiers, contact information, internet or network activity information, approximate geolocation inferred from IP address, professional information, and inferences drawn from usage or inquiry patterns. We use these categories for the purposes described in this Notice.

We may "share" (as that term is defined under the California Consumer Privacy Act) certain online identifiers and internet activity information with analytics providers for purposes of measuring Site performance. We do not sell personal information for monetary consideration. To opt out of sharing, you may enable Global Privacy Control in your browser or contact us at privacy@df-f.com.

Where required by applicable law, we offer consent, opt-out, or other rights mechanisms relating to analytics, cookies, targeted advertising, or similar disclosures. We do not offer financial incentives in exchange for retention, sale, or disclosure of personal data

15. Children's Privacy

The Site is not directed to children, and we do not knowingly collect personal data online from children through the Site. If you believe a child has provided personal data through the Site, contact us so that we can review and take appropriate steps.

16. Changes to This Notice

We may update this Notice from time to time by posting a revised version on the Site. The updated Notice becomes effective when posted unless otherwise stated. Where required by law, we will provide additional notice or obtain consent for material changes.

17. Contact Us

Dataflow Forensics Inc.

Address: 299 Park Ave, FL 2, New York, NY 10171

Privacy and data-protection inquiries: privacy@df-f.com

General contact: business@df-f.com

1. Scope

2. Controller and Contact

3. Personal Data We Collect

4. Strong Submission Warning; Data Minimization

5. Sources of Personal Data

6. How We Use Personal Data and Legal Basis

7. Cookies, Analytics, and Opt-Out Signals

8. How We Disclose Personal Data

9. How We Disclose Personal Data

10. International Transfers

11. Retention

12. Security

13. Your Rights

14. Additional US State Privacy Disclosures

15. Children's Privacy

16. Changes to This Notice

17. Contact Us

1. Scope

2. Controller and Contact

3. Personal Data We Collect

4. Strong Submission Warning; Data Minimization

5. Sources of Personal Data

6. How We Use Personal Data and Legal Basis

7. Cookies, Analytics, and Opt-Out Signals

8. How We Disclose Personal Data

9. How We Disclose Personal Data

10. International Transfers

11. Retention

12. Security

13. Your Rights

14. Additional US State Privacy Disclosures

15. Children's Privacy

16. Changes to This Notice

17. Contact Us

1. Scope

2. Controller and Contact

3. Personal Data We Collect

4. Strong Submission Warning; Data Minimization

5. Sources of Personal Data

6. How We Use Personal Data and Legal Basis

7. Cookies, Analytics, and Opt-Out Signals

8. How We Disclose Personal Data

9. How We Disclose Personal Data

10. International Transfers

11. Retention

12. Security

13. Your Rights

14. Additional US State Privacy Disclosures

15. Children's Privacy

16. Changes to This Notice

17. Contact Us

1. Scope

2. Controller and Contact

3. Personal Data We Collect

4. Strong Submission Warning; Data Minimization

5. Sources of Personal Data

6. How We Use Personal Data and Legal Basis

7. Cookies, Analytics, and Opt-Out Signals

8. How We Disclose Personal Data

9. How We Disclose Personal Data

10. International Transfers

11. Retention

12. Security

13. Your Rights

14. Additional US State Privacy Disclosures

15. Children's Privacy

16. Changes to This Notice

17. Contact Us

Evaluate the Platform.