Privacy Policy

Last updated: 16 May 2026

1. Who we are

PCAP Analyzer is operated by pcaplab.com.

For the personal data of registered users (account data), PCAP Lab acts as the data controller within the meaning of Article 4(7) of the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).

For personal data that may be contained within PCAP files uploaded by users (for example, IP addresses or traffic metadata of third parties captured on the user's network), PCAP Lab acts as a data processor on behalf of the user, who is the data controller for that content. A standard Data Processing Agreement (DPA) is maintained for paid and self-hosted customers and is available on request at contact@pcaplab.com.

Contact: contact@pcaplab.com

Note on EU Representative (Article 27 GDPR): If PCAP Lab is established outside the European Union, an EU representative may be required. The identity and contact details of any appointed representative will be listed here before the public launch of the paid service.

2. Personal data we collect and the lawful basis for each

2.1 Account registration data

When you create an account, we collect your username, email address, and a bcrypt-hashed password (we never store your password in plain text; the hash cannot be reversed to recover the original password). We also record your account creation timestamp, your last login timestamp, and whether your email address has been verified.

Lawful basis: Article 6(1)(b) GDPR — processing is necessary for the performance of the contract you enter into when you register (our Terms of Service). Without these data points, we cannot create or authenticate your account.

2.2 Plan and usage metadata

We store your subscription plan (Starter, Pro, or Team), trial and grace-period dates (where applicable), your upload count for the current billing period, and an append-only usage event log (event type, timestamp, and plan at the time of the event). We also record plan change history in an audit log when an administrator modifies your plan.

Lawful basis: Article 6(1)(b) GDPR — necessary to enforce plan limits, apply the correct features, and manage your subscription.

2.3 Security and abuse-prevention metadata

We process IP addresses and HTTP user-agent strings where necessary to protect accounts, rate-limit abuse, and investigate security events. This includes login attempts, upload rate limiting, password-reset requests, email-verification requests, and administrator plan changes.

Lawful basis: Article 6(1)(f) GDPR — our legitimate interest in protecting user accounts and the integrity of the service. We have assessed that this interest is not overridden by users' rights, given the limited scope of use, short-lived in-memory rate-limit windows, and users' reasonable expectation that a professional diagnostic service applies security controls.

2.4 Uploaded PCAP files and generated reports

When you upload a PCAP file, the file is stored temporarily on the server's storage solely for the purpose of performing the network analysis you requested. Once analysis reaches a terminal state, whether successful or failed, the original PCAP file is deleted from disk. The generated HTML and JSON analysis reports are retained according to your plan (see Section 5).

We do not extract, index, or retain any payload data or personal data found inside PCAP files beyond what is necessary to produce the analysis output you see. We do not use PCAP file contents for training machine-learning models, analytics, advertising, or any purpose other than producing your analysis report.

Lawful basis (for PCAP Lab's processing as data controller of your account): Article 6(1)(b) GDPR — the entire service consists of processing the files you upload.

Lawful basis (for personal data of third parties inside your PCAP files): You are the data controller for that content. PCAP Lab processes it on your instructions as data processor under Article 28 GDPR. You are responsible for ensuring you have a lawful basis for capturing and uploading traffic that may contain third-party personal data.

2.5 Cookies and session tokens

We set strictly necessary security and session cookies for the service to function:

Cookie name | Purpose | Expiry | HttpOnly | Secure
access_token | Authenticated session (JWT, HS256, 30-minute expiry) | 30 minutes | Yes | Yes (production)
fastapi-csrf-token | Cross-Site Request Forgery protection (state-changing requests) | 30 minutes | Yes | Yes (production)

These cookies are strictly necessary for security and authentication. They do not track behaviour, are not shared with third parties, and expire within 30 minutes of inactivity. We do not use analytics, advertising, or profiling cookies of any kind. No consent banner is displayed because no non-essential cookies are set.

The browser application also uses localStorage for the current access token, token type, cached user profile, and UI theme, and sessionStorage for the CSRF token sent with state-changing requests. These browser-storage entries are used only for authentication, security, and interface continuity.

Lawful basis: Article 6(1)(b) GDPR — the session cookie is required to maintain your authenticated state; the CSRF cookie is required to prevent cross-site request forgery attacks, a mandatory security control.

3. Data we do not collect

  • We do not collect your real name, telephone number, or postal address.
  • We do not collect payment card details (payment processing, when activated, will be handled entirely by a certified third-party payment processor; we never see raw card data).
  • We do not use Google Analytics, Mixpanel, Hotjar, Meta Pixel, or any third-party analytics or advertising SDK.
  • We do not sell, rent, or trade personal data to any third party for marketing purposes.
  • We do not use the content of uploaded PCAP files for machine learning, model training, product analytics, or any purpose beyond producing your requested analysis report.
  • We do not use IP addresses for advertising, profiling, or behavioural analytics.

4. How we share your data

We do not sell or share your personal data with third parties for commercial purposes. We may share data only in the following circumstances:

  • Infrastructure providers (data processors under Article 28 GDPR): Your data is hosted on servers operated by our infrastructure provider, Hetzner Online GmbH, Germany. This provider processes data on our documented instructions, under a Data Processing Agreement, and may not use the data for its own purposes. Hetzner's Data Processing Agreement is available at hetzner.com/legal/privacy-policy.
  • Email delivery (optional): If you receive transactional email (e.g., password reset), your email address is transmitted to our configured SMTP server to deliver the message. Transactional emails are delivered via Proton AG (Switzerland), acting as a sub-processor under Article 28 GDPR. Proton’s privacy policy is available at proton.me/legal/privacy.
  • Legal obligation: We may disclose data to competent authorities where required by applicable law, a court order, or a binding regulatory decision. We will notify you in advance where legally permitted to do so.
  • Business transfer: If PCAP Lab undergoes a merger, acquisition, or asset sale, personal data may be transferred to the acquiring entity, subject to equivalent data protection obligations. We will notify registered users of any such transfer.

5. How long we keep your data

Data category | Retention period | Deletion trigger
Uploaded PCAP file | Deleted after analysis reaches a terminal state (success or failure) | Automatic (post-processing)
Analysis reports (HTML + JSON) | 7 days (Starter and Pro plans); 30 days (Team plan, upcoming for self-service) | Automatic (hourly cleanup job)
Account data (username, email, hashed password) | Duration of account + up to 30 days post-deletion for backup purge | Account deletion request
Usage event log | Duration of account | Account deletion (cascade)
Password reset tokens (incl. IP address) | Tokens expire after 15 minutes; token records are purged within 24 hours after expiry or use | Automatic expiry and cleanup job
Email verification tokens (incl. IP address) | Tokens expire after 60 minutes; token records are invalidated when a new verification email is sent or when the token is used | Automatic expiry and token rotation
Trial-grant record (email hash only) | Indefinitely (used to prevent trial farming) | Manual request — contact us
Application and platform logs (server-side) | Configured by the deployment; production target is no more than 90 days | Platform log retention policy
Production backups and snapshots | Deployment-specific backup policy; target is no more than 30 days unless a customer agreement or legal hold requires otherwise | Backup lifecycle policy

Trial-grant record: When a user activates a free trial, we store a keyed one-way HMAC-SHA256 identifier derived from the email address, not the address itself, to prevent multiple trial activations with the same email while reducing reversibility risk.

6. International transfers

The hosted service is designed to store application data and uploaded analysis artifacts in the EU/EEA when deployed on Hetzner's German infrastructure. If a production deployment enables a third-party SMTP provider or payment processor located outside the EU/EEA, that provider and the applicable transfer safeguard will be documented before activation.

We do not transfer personal data to countries outside the EU/EEA without appropriate safeguards as required by Chapter V of the GDPR.

7. Your rights under the GDPR

If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the following rights with respect to your personal data. We will respond to verified requests within one calendar month (extendable by two additional months for complex requests, with prior notice).

  • Right to be informed (Art. 13/14): This Privacy Policy fulfils this right.
  • Right of access (Art. 15): You may request a copy of all personal data we hold about you, along with information about how it is processed. Your account data is accessible via the Profile page. A machine-readable JSON export is available at /api/privacy/export.
  • Right to rectification (Art. 16): You may change your password in account settings. For username or email corrections, contact us so we can verify the request and avoid account takeover.
  • Right to erasure / "right to be forgotten" (Art. 17): You may request deletion of your account and all associated data. Send your request to contact@pcaplab.com. We will action verified requests within one month. Note: the trial-grant email hash (see Section 5) may be retained for fraud-prevention purposes under Article 17(3)(b).
  • Right to restriction of processing (Art. 18): You may request that we stop processing (but continue to store) your data in specific circumstances, such as while contesting accuracy or during an objection.
  • Right to data portability (Art. 20): For data processed on a contract or consent basis by automated means, you may download your data in structured JSON via /api/privacy/export.
  • Right to object (Art. 21): Where we rely on legitimate interests (Article 6(1)(f)) as our lawful basis, you may object at any time. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. We do not carry out direct marketing.
  • Right not to be subject to automated decision-making (Art. 22): The service produces automated technical scores (e.g., network health scores) based on PCAP file contents. These scores are informational analysis outputs and do not constitute decisions with legal or similarly significant effects on you personally. No profiling of users as individuals is performed.

To exercise any of these rights, email us at contact@pcaplab.com with subject line "Data Subject Request." We may ask you to verify your identity before processing your request.

Right to lodge a complaint: If you believe we are not handling your data lawfully, you have the right to lodge a complaint with the supervisory authority in your country of residence. A list of EU data protection authorities is available at edpb.europa.eu.

8. Security measures

We implement the following technical security measures:

  • Passwords are hashed using bcrypt (cost factor 12) and are never stored or logged in plaintext.
  • Session tokens (JWT, HS256) expire after 30 minutes. Browser sessions use HttpOnly, SameSite=Lax cookies, and authenticated API calls currently also use browser storage for the bearer token.
  • All state-changing requests are protected by CSRF tokens.
  • File uploads are validated for format (magic number check), size, and path traversal attacks before processing.
  • Login attempts are rate-limited with exponential backoff after repeated failures.
  • Upload requests are rate-limited to 5 requests per 60-second window per IP address.
  • Kubernetes deployments include a NetworkPolicy limiting PostgreSQL ingress to the application pods; the database service is not publicly reachable.

No security measure is absolute. In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours where required by Article 33 GDPR, and will notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR).

9. Children

PCAP Analyzer is a professional network diagnostic tool intended for users aged 18 and over. We do not knowingly collect personal data from individuals under 18. If you believe a minor has registered an account, please contact us immediately at contact@pcaplab.com and we will delete the account promptly.

10. Changes to this Privacy Policy

We may update this Privacy Policy when we change how we process personal data or when required to do so by law. We will notify you of material changes by displaying a prominent notice on the service and/or by sending an email to your registered address at least 30 days before the changes take effect. Continued use of the service after the effective date constitutes acceptance of the updated policy. The date at the top of this page indicates when this version was last revised.