Privacy Policy
Last updated: July 17, 2026
This Privacy Policy explains how AbuseGraph ("AbuseGraph," "we," "us," or "our") collects, uses, discloses, and protects information in connection with our websites, APIs, dashboards, and related services (collectively, the "Service"). We designed our product to help organizations reduce account abuse while minimizing unnecessary collection and keeping decisions explainable to the teams that rely on them.
1. Roles and scope
When a customer integrates AbuseGraph into their application, that customer is typically the data controller (or "business") for personal data submitted through the Service, and AbuseGraph acts as a data processor (or "service provider") on their behalf. When you visit our marketing site, create an AbuseGraph account, or communicate with us directly, we act as a controller for that account and communications data.
This Policy covers both situations. Customer-specific processing terms, including a Data Processing Agreement (DPA), are available on request and control where they conflict with this Policy for customer-submitted data.
2. Information we process
Depending on how the Service is used, we may process the following categories of information:
- • Account information — name, email address, authentication credentials, workspace membership, billing contacts, and similar details you provide when registering or administering an account.
- • Customer content and event data — information customers submit for risk evaluation in connection with account lifecycle events (for example signup, sign-in, or related flows). This commonly includes identifiers the customer chooses to send (such as an email address), technical request metadata, and limited device or session characteristics needed to assess risk.
- • Technical and usage information — IP address and derived location or network attributes, browser and device characteristics, timestamps, referrers, request headers, API usage metrics, and diagnostic logs that help us operate, secure, and improve the Service.
- • Support and communications — messages, attachments, and related metadata when you contact us.
- • Billing and commercial information — plan selection, invoices, payment status, and related records. Payment card data is handled by our payment processor; we do not store full payment card numbers on our systems.
We do not ask customers to send passwords, payment card numbers, or government ID documents through the risk-evaluation API. Customers control what identifiers and context they include in each request.
3. How we use information
We use information to:
- • Provide, operate, and maintain the Service, including risk scoring, recommendations, monitoring features, and customer consoles
- • Authenticate users, protect accounts, prevent abuse of the Service, and enforce our terms
- • Generate outputs customers request (such as scores, verdicts, reasons, alerts, and activity history)
- • Improve reliability, accuracy, performance, and security of the Service using aggregated or de-identified insights where practical
- • Communicate about the Service, including transactional notices, security alerts, and (where permitted) product updates
- • Comply with law, respond to lawful requests, and establish, exercise, or defend legal claims
We do not sell personal information. We do not use customer event data to build advertising profiles or to market unrelated third-party products.
4. Legal bases (EEA / UK / similar regimes)
Where GDPR or analogous laws apply and we act as a controller, we rely on one or more of the following bases: performance of a contract; legitimate interests (such as securing our Service, preventing fraud and abuse, and improving reliability) balanced against individual rights; consent where required; and legal obligation. Where we act as a processor, our customers determine the applicable legal basis for submitting personal data to the Service. A Legitimate Interest Assessment for our controller activities is available upon request.
5. Sharing of information
We may share information with:
- • The customer workspace that submitted or controls the relevant data
- • Service providers that process data on our instructions to host, secure, monitor, communicate, bill, or support the Service
- • Professional advisors under confidentiality obligations
- • Authorities or other parties when required by law or to protect rights, safety, and security
- • A successor entity in connection with a merger, acquisition, or similar corporate transaction, subject to appropriate safeguards
We require processors that handle personal data to protect it under written agreements and to use it only for the services they provide to us. A current list of subprocessors is available to customers upon request at privacy@abusegraph.com.
6. International transfers
We and our service providers may process information in the United States and other countries. Where required, we use appropriate transfer mechanisms (such as Standard Contractual Clauses or equivalent safeguards) and apply additional contractual and technical protections. Customers with residency or localization requirements should contact us before sending regulated data so we can confirm available options.
7. Retention
We retain information only as long as reasonably necessary for the purposes described in this Policy, to comply with legal obligations, and to resolve disputes. Typical retention periods include:
- • Detailed request and evaluation records associated with risk checks: retained for a limited operational window, then deleted or reduced
- • Decision history and customer-visible activity needed for support, auditing, and product features: retained for the customer relationship and a reasonable period afterward
- • Aggregated or de-identified analytics: retained longer where they no longer identify an individual
- • Account, billing, and compliance records: retained as required by law and ordinary business needs
- • Records needed to honor erasure or suppression requests: retained in a minimized form so we can continue to respect those requests
Workspace administrators can configure retention preferences in the console. When a customer account is closed, we delete or anonymize customer-controlled personal data within a commercially reasonable period, subject to legal holds and minimized suppression records.
8. Security
We implement administrative, technical, and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include access controls, encryption in transit, hardened production environments, least-privilege operational practices, logging and monitoring, and vendor diligence for systems that process customer data. No method of transmission or storage is perfectly secure; if we become aware of an incident affecting your personal data, we will notify affected customers and individuals as required by applicable law and our agreements.
9. Your rights
Depending on your location and role, you may have rights to access, correct, delete, or export personal data; restrict or object to certain processing; withdraw consent; and appeal certain decisions. Residents of California and similar U.S. states may also have rights to know, delete, correct, and opt out of "sale" or "sharing" of personal information as those terms are defined by law. AbuseGraph does not sell personal information and does not share it for cross-context behavioral advertising.
If we process your data on behalf of a customer, please contact that organization first; we will assist them in responding. For requests directed to AbuseGraph as a controller, email privacy@abusegraph.com. Workspace owners can also export settings and request deletion from the console. We may need to verify your identity before fulfilling a request. You may also lodge a complaint with a supervisory authority where you live or work.
10. Cookies and similar technologies
Our websites and console may use cookies and similar technologies that are necessary to operate the Service (for example session and security cookies) and, where used, limited analytics to understand aggregate product usage. You can control cookies through your browser settings; disabling some cookies may affect site functionality.
11. Children
The Service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact privacy@abusegraph.com and we will take appropriate steps to delete it.
12. Changes
We may update this Policy from time to time. We will post the updated version with a revised "Last updated" date and, when changes are material, provide additional notice as appropriate. Continued use of the Service after an update becomes effective constitutes acceptance of the revised Policy where permitted by law.
13. Contact
Privacy questions, rights requests, and DPA or subprocessor inquiries: privacy@abusegraph.com