Privacy Policy

Last updated: April 2026

This Privacy Policy explains how Predax ("we", "us", or "our") collects, uses, and protects information in connection with the Predax API and related services (collectively, the "Service"). By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

1. Information We Collect

We aim to collect only the minimum data necessary to operate the Service, secure your account, and comply with legal obligations.

1.1 Account Information

When you register for an account, we may collect:

  • Email address
  • Display name or organization name (if provided)
  • Hashed authentication credentials (e.g., password hashes, API key hashes)

1.2 API Usage & Telemetry

When you use the Service or our APIs, we may collect:

  • Request metadata (timestamps, IP address, user agent, rate limit tier)
  • Endpoint paths and HTTP method
  • High-level usage metrics (e.g., number of requests, error counts)

We do not inspect or store your raw payload data beyond what is necessary for processing the request, debugging, security, and abuse prevention. Where possible, we aggregate or anonymize telemetry data.

1.3 Payment & Billing

If you subscribe to a paid plan, billing and payment details are processed by Stripe, Inc. We do not store full payment card numbers on our systems. We may store limited billing metadata such as:

  • Billing name and address
  • Subscription plan and status
  • Partial card details or payment method identifiers provided by Stripe

1.4 Support Chat

If you use the support chat widget on our site, the messages you send are processed by the OpenAI API to generate responses. We store your conversation history in our own database for continuity. OpenAI does not retain or train on data submitted via the API, per their API data usage policies.

1.5 Data Received from Integrations

When you use an Predax plugin or integration (such as the WordPress security plugin or WooCommerce fraud prevention plugin), the plugin may send anonymised event data to the Service each time it makes a decision about a visitor's IP address. This data includes:

  • The outcome of the decision: block, monitor, or allow
  • The reason for the decision (e.g., VPN detected, risk threshold exceeded)
  • The visitor's IP address — immediately hashed server-side using HMAC-SHA256. The original IP address is never stored in our telemetry tables
  • The /24 network prefix (e.g., 185.65.50) for geographic statistics — this is not sufficient to identify an individual
  • Detection signals (e.g., whether the IP was flagged as a VPN, proxy, or Tor node)
  • Contextual metadata: the type of action (login, checkout, page visit) and plugin type

Raw event records are automatically and permanently deleted after 90 days. Anonymised feature vectors derived from these events may be retained permanently to improve detection accuracy (see Section 1.6 and Section 2). No original IP address is recoverable from stored records.

1.6 Community Reputation Scoring

Anonymised, aggregated counts of block, monitor, and allow decisions are accumulated per hashed IP prefix and used to compute a community score that supplements the platform's own risk signals. This score reflects collective observed behaviour across all integrations and may influence the risk score returned for a given IP address. No individual user's identity or raw IP is exposed through this process.

1.7 Logs & Security Events

To maintain the security and reliability of the Service, we maintain logs that may include:

  • Authentication attempts and session identifiers
  • API key usage and rate limiting events
  • System errors, performance metrics, and security alerts

2. How We Use Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Authenticate users and secure accounts
  • Enforce rate limits, quotas, and plan usage
  • Monitor and improve performance, reliability, and security
  • Detect, prevent, and investigate abuse, fraud, or security incidents
  • Provide customer support and respond to inquiries
  • Comply with legal obligations and enforce our terms
  • Improve detection accuracy and train machine learning models using anonymised, aggregated event data received from integrations (see Section 1.5). No raw IP addresses are used for this purpose.

3. Data Retention

We retain information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. In general:

  • Account data is retained while your account is active.
  • Website activity events (such as page views) and API request metadata (such as IP address, user agent, request path, status code, and latency) may be retained for a limited period (typically 30–90 days) for security, abuse prevention, debugging, and analytics, after which they may be aggregated, anonymized, or deleted.
  • Integration telemetry events (raw, hashed) are retained for 90 days and then permanently deleted.
  • Anonymised feature vectors derived from integration events (used for model training) contain no reversible IP data and may be retained indefinitely.
  • Backup copies may persist for a limited time after deletion as part of our disaster recovery processes.

4. Data Sharing & Transfers

We do not sell your personal information. We may share limited information with third parties in the following circumstances:

  • Service providers: We may use third-party vendors (e.g., hosting, logging, analytics, payment processors) to help operate the Service. These providers are granted access only to the data necessary to perform their services and are bound by appropriate confidentiality and data protection obligations.
  • Legal requirements: We may disclose information if required to do so by law or in response to valid legal requests (e.g., subpoenas, court orders), or to protect our rights, users, or the public.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction, subject to continued protection consistent with this Privacy Policy.

5. Third-Party Data Processors

We use the following third-party processors to operate the Service. Each is bound by appropriate data protection obligations. Transfers from the UK to US processors are covered by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses.

ProcessorCountryPurposeTransfer Basis
Stripe, Inc.USAPayment processing, subscription managementUK IDTA / UK Addendum to EU SCCs
Twilio SendGridUSATransactional email deliveryUK IDTA / UK Addendum to EU SCCs
OpenAI, L.L.C.USAAI support chatbot response generationUK IDTA / UK Addendum to EU SCCs
Hostinger UK LimitedUnited KingdomServer hosting and storageUK domestic (no transfer)

6. Security

We implement technical and organizational measures designed to protect your information, including encryption in transit, hashed credentials, and access controls. However, no method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

You are responsible for maintaining the confidentiality of your credentials and API keys. Do not share your keys with unauthorized parties, and rotate them promptly if you suspect compromise.

7. Your Rights (UK GDPR)

Under UK GDPR you have the right to: access your personal data; have inaccurate data corrected; request erasure; restrict or object to processing; and data portability.

You can manage basic account information in the dashboard. For other requests, email [email protected]. We may need to verify your identity before fulfilling certain requests.

You also have the right to lodge a complaint with the UK's data protection regulator, the Information Commissioner's Office (ICO), at ico.org.uk.

8. International Transfers

We are a UK-based company. Where we transfer your data to processors outside the UK (see Section 5), we do so under the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses, ensuring equivalent protections apply.

9. Children's Privacy

The Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe that a child has provided us with personal information, please contact us so that we can take appropriate action.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. If changes are material, we may provide additional notice (such as via email or in-app notification). Your continued use of the Service after any changes become effective constitutes your acceptance of the updated Privacy Policy.

11. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, you can contact us at:

Predax Email: [email protected]

For additional legal terms governing your use of the Service, please also see our Terms of Service.