Privacy Policy
Last updated: March 10, 2026
1. Data Controller
WorldSecurity.io is operated as a personal project by Jordi, based in the Netherlands. For all privacy-related inquiries, you can reach the data controller at:
- Email: hello@worldsecurity.io
- Website: www.worldsecurity.io
As we are a small-scale operation, we have not appointed a separate Data Protection Officer (DPO). The data controller handles all privacy matters directly. You may contact us at the email address above for any data protection request.
2. Personal Data We Collect
We collect and process the minimum amount of personal data necessary to provide our service:
| Data | Purpose | Legal Basis (Art. 6 GDPR) |
|---|---|---|
| Email address | Subscription management, entitlement verification, customer communication | Performance of contract (Art. 6(1)(b)) |
| Payment information | Processing subscription payments | Performance of contract (Art. 6(1)(b)) |
| Session cookie (ws-session) | Maintaining your authenticated session | Legitimate interest (Art. 6(1)(f)) — necessary for service functionality |
| IP address | Infrastructure routing and security (processed by Vercel) | Legitimate interest (Art. 6(1)(f)) — security and infrastructure |
| Geolocation | Map display (only with your explicit browser permission) | Consent (Art. 6(1)(a)) |
What we do NOT collect: We do not store credit card numbers, CVVs, or any raw payment card data. All payment processing is handled entirely by Stripe. We do not use analytics trackers, advertising pixels, or fingerprinting technologies. No personal data is stored on the Sui blockchain — only cryptographic event hashes.
3. How We Store Your Data
- Your email address is stored in our Redis database (Upstash) as an entitlement record (`entitlement:email:{email}`).
- Session data is stored in an httpOnly cookie (`ws-session`) on your device, containing only your email address. This cookie expires after 90 days.
- Payment and billing data is stored and managed by Stripe under their own privacy policy and PCI-DSS compliance.
4. Data Retention
| Data | Retention Period |
|---|---|
| Email (entitlement record) | Duration of active subscription + 30 days after cancellation |
| Session cookie | 90 days (auto-expires) |
| Payment records (at Stripe) | As required by tax/accounting law (typically 7 years) |
| Server logs (at Vercel) | Up to 30 days (managed by Vercel) |
| Blockchain hashes (Sui testnet) | Permanent (public ledger, contains no personal data) |
When you request deletion of your data, we will remove your entitlement records within 30 days. Data held by sub-processors (Stripe, Vercel) is subject to their respective retention policies and legal obligations.
5. Cookies
We use a single, strictly necessary cookie:
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
| ws-session | httpOnly, Secure, SameSite=Lax | Session authentication (stores email) | 90 days |
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Because our cookie is strictly necessary for the service to function, consent is not required under the ePrivacy Directive (Art. 5(3)). No cookie banner is shown.
6. Sub-processors & Third-Party Services
We share personal data with the following third-party processors, each under appropriate safeguards:
| Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Email, payment details, billing address | United States |
| Vercel, Inc. | Website hosting & serverless functions | IP address, request logs | United States (edge: global) |
| Upstash, Inc. | Redis database (entitlement storage) | Email address | EU (Frankfurt) / United States |
| Sui Network (Mysten Labs) | Event verification (public blockchain) | Cryptographic hashes only (no personal data) | Decentralized |
7. International Data Transfers
Some of our sub-processors are based in the United States. For transfers of personal data from the EU/EEA to the US, the following safeguards are in place:
- Stripe: Participates in the EU-US Data Privacy Framework (DPF) and maintains Standard Contractual Clauses (SCCs).
- Vercel: Maintains Standard Contractual Clauses (SCCs) and has a Data Processing Addendum in place.
- Upstash: Offers EU-region hosting (Frankfurt). Where US processing occurs, SCCs are in place.
You may request a copy of the relevant safeguards by contacting us at hello@worldsecurity.io.
8. Your Rights Under GDPR
As a data subject under the General Data Protection Regulation, you have the following rights:
- Right of access (Art. 15) — You may request a copy of all personal data we hold about you.
- Right to rectification (Art. 16) — You may request correction of inaccurate personal data.
- Right to erasure (Art. 17) — You may request deletion of your personal data (“right to be forgotten”). We will comply within 30 days, unless we have a legal obligation to retain the data.
- Right to restriction of processing (Art. 18) — You may request that we limit how we process your data in certain circumstances.
- Right to data portability (Art. 20) — You may request your data in a structured, commonly used, machine-readable format (JSON).
- Right to object (Art. 21) — You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent (Art. 7(3)) — Where processing is based on consent (e.g., geolocation), you may withdraw consent at any time via your browser settings.
To exercise any of these rights, email us at hello@worldsecurity.io with the subject line “GDPR Request”. We will respond within 30 days. We may ask you to verify your identity before processing your request.
9. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. For the Netherlands, this is:
- Autoriteit Persoonsgegevens
- Website: autoriteitpersoonsgegevens.nl
- Phone: +31 (0)70 888 85 00
- Post: Postbus 93374, 2509 AJ Den Haag, Netherlands
10. Security Measures
We implement appropriate technical and organizational measures to protect your data:
- All data in transit is encrypted using TLS 1.2+
- Session cookies are httpOnly, Secure, and SameSite=Lax to protect against cookie theft via XSS and against CSRF attacks
- No raw payment card data is ever stored on our systems (PCI-DSS handled by Stripe)
- Database access is restricted via encrypted connection strings and access controls
- Event verification uses cryptographic hashes, ensuring data integrity without exposing personal information
11. Children's Privacy
WorldSecurity.io is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at hello@worldsecurity.io and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page. For significant changes that affect how we process your data, we will notify paying subscribers via the email address associated with their account.
13. Contact
For any questions about this Privacy Policy, your personal data, or to exercise your rights, please contact us:
- Email: hello@worldsecurity.io
- Subject line: “Privacy Inquiry” or “GDPR Request”
- Response time: within 30 days
This privacy policy applies to the website www.worldsecurity.io and all related services operated under the WorldSecurity.io name. Governing law: General Data Protection Regulation (EU) 2016/679 and the Dutch UAVG (Uitvoeringswet AVG).