Skip to content
sudodudes_
[root@sudodudes ~]# Privacy

What we collect, what we don’t.

Last updated: 2026-07-17

Short version: this site sets no cookies, loads no third-party trackers or fonts, and runs no analytics that leave our infrastructure. We do not sell, share, or rent any data. Everything below applies whether or not you're in the EU - we just build to the strictest standard everywhere.

Who's responsible for this data (controller)

sudodudes is the data controller for everything this website collects. Contact for any privacy matter: [email protected]. Full legal identity (name, registered address) is on the imprint page.

No cookies, no third-party requests

This site sets no cookies - not even "essential" ones, since there's no session to maintain. There is consequently no cookie banner: the ePrivacy rules that require one apply to storing or reading information on your device, and we do neither. Fonts, styles, and the data behind the threat dashboard are all served from our own infrastructure - your browser never talks to Google, a CDN, or any analytics vendor. Full explanation: cookie policy.

What this website collects, and why (legal bases)

Data Purpose Legal basis (GDPR) Retention
Server access logs (IP, user agent, URL, timestamp) Security, abuse prevention Art. 6(1)(f) legitimate interest 30 days
Contact form (name, email, company, message) Respond to your enquiry Art. 6(1)(b) - steps prior to a contract Until resolved, then per our records schedule
Newsletter (email, consent timestamp, policy version) Send the newsletter you asked for Art. 6(1)(a) explicit consent Until you unsubscribe; unconfirmed signups auto-delete after 30 days
Unsubscribe/suppression record Honor your opt-out permanently Art. 6(1)(f) - obligation not to re-contact you Kept until you request full erasure
WAF blocked-request logs Securing the service Art. 6(1)(f) legitimate interest 30 days (only anonymous country-level counts are ever published, on /threats/)

When you contact us

The contact form collects your name, work email, company, framework of interest, and message. We use this only to respond to your enquiry. We do not add you to a marketing list, ever - the newsletter is a completely separate, explicit opt-in (next section). Your enquiry is recorded as a lead in our CRM so we can track and respond to it; see "Who else sees this data" below.

The newsletter (double opt-in)

Subscribing requires two steps: submitting your email, then clicking a confirmation link we send you. Nothing is active, and nothing is added to our CRM, until you confirm - that's what "double opt-in" means, and it's how we prove consent was actually given rather than just typed in by someone else.

We record the exact timestamp of your consent and which version of this policy was in force when you gave it. Every email includes a one-click unsubscribe link that requires no login. Unsubscribing is retained as a minimal suppression record (your email + the withdrawal date) specifically so a later bug or data import can never accidentally re-subscribe you - you can request that record's full erasure too (see "Your rights").

We deliver the newsletter through Brevo (Sendinblue SAS), a French company, under a data processing agreement. No newsletter or contact-form data is transferred outside the EU.

Who else sees this data (CRM)

Contact-form enquiries and confirmed newsletter subscriptions are synced to our CRM (EspoCRM), which we run ourselves on our own infrastructure in Austria - not a third-party SaaS CRM. No sub-processor is involved for this step. This is purely internal record-keeping so we can respond to and track your enquiry (or, for the newsletter, know who's subscribed) - see the legal-bases table above for exactly what triggers this.

Everything runs in the EU

The website, its database, and the CRM all run on hardware we own, physically located in Austria. Our only external processor is Brevo (France, EU) for email delivery, under a DPA. No data this site collects is transferred outside the EU/EEA, so there's no Schrems II adequacy question to answer.

During an engagement

Client data is governed by the engagement contract and its accompanying DPA. We act as a processor (or sub-processor) where applicable. Specifics (categories, locations, retention) are documented per engagement, not buried in this page.

Your rights

You have the rights granted by GDPR (access, rectification, erasure, restriction, portability, objection, and withdrawal of consent), UK GDPR, DPDPA, and equivalent regimes. To exercise any of them - including full deletion of a newsletter subscription or its suppression record - email [email protected]. We aim to respond within 30 days, as GDPR Art. 12(3) requires.