Privacy Policy
Last updated: March 6, 2026
This privacy policy explains how Endolum GmbH ("we", "us") collects, uses, and protects your personal data when you use the Endolum Hacked service at hacked.endolum.io. This policy complies with the Swiss Federal Act on Data Protection (FADP/nDSG) and the EU General Data Protection Regulation (GDPR) where applicable.
1. Data Controller
Endolum GmbH
Oberdorfstrasse 8
8853 Lachen SZ, Switzerland
UID: CHE-297.991.738
Email: contact@endolum.io
2. What Data We Collect
Account information
- Email address
- Password (stored as a salted hash, never in plain text)
- Account tier and billing information (Business users)
- Marketing consent preference
Canary alert data
When someone opens a canary document you created, we collect the following information about the person who opened it:
- IP address
- Approximate geographic location (country, city) derived from the IP address
- User agent string (browser and operating system)
- ASN and organization name associated with the IP address
- VPN/proxy detection results (Business tier)
Usage data
- Pages visited and actions taken within the service
- Session cookies for authentication
3. Purpose and Legal Basis
| Purpose | Legal basis |
|---|---|
| Providing the canary document tracking service | Contract performance |
| Sending alert notifications when a canary document is opened | Contract performance |
| Account management and authentication | Contract performance |
| Service improvement and security | Legitimate interest |
| Marketing emails and product updates | Consent (opt-in at registration, can withdraw anytime) |
4. Third Party Services
- ip-api.com -- Used for IP geolocation to determine the approximate location of the person who opens a canary document. Their privacy policy applies to data they process.
- SMTP provider -- We use an email provider to send alert notifications and account emails. The provider processes email addresses and message content as needed to deliver emails.
5. Data Retention
- Free tier: Alert data is retained for 30 days, then automatically deleted.
- Business tier: Alert data is retained for 1 year.
- Account data: Retained as long as your account exists. You can delete your account at any time.
6. Marketing Emails
We only send marketing emails and product updates if you have given explicit consent during registration or later in your account settings. You can withdraw your consent at any time by updating your preferences or contacting us at contact@endolum.io.
7. Cookies
We use the following cookies:
| Cookie | Type | Purpose |
|---|---|---|
session |
Essential | Maintains your login session. Required for the service to work. No consent needed. |
cookie_consent |
Essential | Stores your cookie preference. Required to remember your choice. |
We do not use tracking cookies, analytics cookies, or advertising cookies.
8. International Data Transfers
Our servers are located in Switzerland. When we use third party services such as ip-api.com for geolocation lookups, IP addresses may be processed outside Switzerland. We ensure that any such transfers comply with applicable data protection requirements.
9. Your Rights
Under the FADP and, where applicable, the GDPR, you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate data.
- Deletion: Request deletion of your personal data and account.
- Data portability: Request your data in a structured, machine readable format.
- Withdraw consent: Withdraw consent for marketing communications at any time.
- Restriction: Request restriction of processing in certain circumstances.
- Objection: Object to processing based on legitimate interest.
To exercise any of these rights, contact us at contact@endolum.io.
10. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland. If the GDPR applies to your situation, you may also lodge a complaint with a supervisory authority in the EU/EEA.
11. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated date. If we make significant changes, we will notify registered users by email.
12. Contact
For privacy related questions or requests:
Endolum GmbH
Oberdorfstrasse 8, 8853 Lachen SZ, Switzerland
Email: contact@endolum.io