Privacy Policy

UX3 Security ("we", "our", "the Service") provides cloud-managed firewall and threat protection for websites. This policy describes what data we collect, why, and how it's handled. We aim for clarity over legalese — if anything is unclear, contact us at privacy@ux3security.com.

The short version: we collect the data needed to run a firewall (visitor IPs, request paths, attack patterns), the data needed to run a SaaS account (your email, billing info if applicable), and operational data about your server (PHP version, disk usage). We don't sell data, we don't run ads, and we don't track visitors to your site for any purpose other than security analysis.

1. What we collect from your protected sites

When you install the agent on your site, it communicates with our API to fetch firewall rules and report blocked attacks. The following data is transmitted:

Visitor data (security-relevant traffic only)

  • IP address of visitors whose requests trigger a firewall rule (blocked attacks, allow-list matches, rate-limit events)
  • Request path and query string (e.g. /wp-login.php?action=login) for blocked or flagged requests
  • HTTP method and User-Agent string for blocked or flagged requests
  • Country resolved from IP — derived, not collected from the visitor
  • Referrer header when present, for spam and bot analysis

We do not collect data about regular legitimate visitors. Only requests that match a security rule are recorded. The agent makes this distinction locally on your server before transmitting anything.

Server health data

  • PHP version, PHP SAPI, and loaded modules (cURL, OpenSSL)
  • Web server software (Apache, nginx) and operating system
  • MySQL/MariaDB version
  • Disk space (total, free, used)
  • Detected platform (WordPress, CodeIgniter, Laravel, etc.) and version
  • Agent version and install method

This data lets your dashboard show server health and helps support diagnose compatibility issues.

What we do NOT collect

  • Database content (posts, products, user records, comments)
  • File contents from your server
  • Email content sent through your site
  • Form submissions — we only see form METADATA when a request is flagged as spam, not field values
  • Visitor data from non-flagged traffic
  • Browser cookies of your visitors

2. What we collect about you (the account holder)

  • Name and email address — required to create an account
  • Password hash (never stored in plaintext)
  • Login activity logs — IP and timestamp of dashboard logins, for your own audit trail
  • Site list and configuration — domains added, firewall rules, ban lists, allow-lists
  • Email preferences — which alert types you've opted into or out of
  • Billing information (if applicable) — handled by our payment processor; we never see full card numbers

3. How we use this data

Data collected from protected sites is used to:

  • Show you blocked attacks, traffic stats, and threat trends in your dashboard
  • Train and improve our threat-detection rules
  • Generate aggregate, anonymized threat intelligence (e.g. "X% of WordPress sites saw login brute-force attempts this week")
  • Investigate incidents you report to support

Account data is used to:

  • Authenticate you and authorize access to your dashboard
  • Send you alerts you've opted into (disconnections, attack spikes, daily reports)
  • Send transactional emails (password resets, OTP codes, billing)
  • Provide support when you contact us

4. Data retention

  • Visitor security data — retained for the period configured in your dashboard settings (default 90 days), then automatically purged
  • Activity logs — retained for 12 months
  • Account data — retained for the lifetime of your account, plus 30 days after deletion to recover from accidental deletion
  • Email logs — retained for 30 days for delivery troubleshooting

5. Sharing & third parties

We do not sell your data. We do not share it for advertising. The only third parties we share data with are:

  • SMTP / email delivery providers — to send you the alerts you've opted into
  • Payment processor (if you have a paid plan) — handles billing on our behalf
  • IP geolocation database vendor — visitor IPs are looked up against a local database; no real-time third-party calls per request
  • Hosting infrastructure — our servers run on standard cloud infrastructure with industry-standard data-protection commitments

We will disclose data to law enforcement only when legally compelled and only the minimum required by the order.

6. Security

Communications between agents and our API use TLS 1.2+. Account passwords are hashed with bcrypt. Per-site API tokens are randomly generated 64-character secrets. Database backups are encrypted at rest. We follow standard security-engineering practices and conduct periodic security reviews.

That said, no system is perfectly secure. If you suspect a security issue, contact security@ux3security.com.

7. Your rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your account and associated data (subject to legal retention requirements)
  • Export your data in a portable format
  • Object to specific processing or withdraw consent for optional features

To exercise any of these rights, email privacy@ux3security.com from the address on your account.

8. Cookies

Our dashboard uses session cookies (essential, for login state) and a CSRF-protection cookie. We do not use marketing or tracking cookies. We do not embed third-party analytics scripts.

9. Children's data

The Service is not intended for use by individuals under 16, and we do not knowingly collect data from children. If you believe we have inadvertently collected data from a child, contact us and we will delete it.

10. International transfers

Our infrastructure may process data in regions outside your country of residence. Where required by law (e.g. GDPR for EU users), we use standard contractual clauses or equivalent transfer mechanisms.

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced by email to account holders at least 14 days before taking effect. The "last updated" date at the top of this page reflects the current version.

12. Contact