Privacy Policy
Last updated: March 1, 2026
1. Who Is Responsible for Your Data
CYBER OCTOPUS VN ("we", "us") is the data controller for the personal data collected through OctoLab. We decide how and why your data is processed.
Contact: [email protected]
2. What We Collect
Information you provide
- Account registration: Email address and display name. Passwords are hashed with bcrypt and never stored in plain text.
- Feedback and tool requests: Any comments, ratings, or tool suggestions you submit through the platform.
Information generated by your use
- Session metadata: Which CVE environment you used, session start and end times, session duration.
- Evidence bundles: Command logs, network captures (PCAP), and an integrity manifest recorded during your session. These are cryptographically signed, stored for 30 days, and only accessible to you.
Information collected automatically
- Cookies: A session cookie (session_id) for authentication and a CSRF token cookie for security. That's it. We do not use analytics, tracking, or advertising cookies.
- Server logs: IP address, browser user-agent, and request timestamps are recorded in standard web server logs for security and debugging purposes.
Information we do not collect
- We do not collect payment card details. All payment processing is handled by Paddle (see Section 5).
3. Why We Process Your Data
We process personal data on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Provide and maintain your account | Performance of contract |
| Send account verification and essential service emails | Performance of contract |
| Record and store evidence bundles for your download | Performance of contract |
| Improve environment quality using aggregated feedback | Legitimate interest |
| Detect and prevent abuse or fraud | Legitimate interest |
| Respond to your support requests | Performance of contract |
We do not sell your data. We do not use it for advertising. We do not profile you.
4. How Long We Keep Your Data
- Account data: Retained while your account is active. Deleted upon account closure, subject to any legal retention requirements.
- Evidence bundles: Automatically deleted 30 days after the session ends.
- Feedback and tool requests: Retained as long as needed to improve the Service. You can request deletion at any time.
- Server logs: Retained for 90 days, then deleted.
5. Third Parties
We share data with a limited number of third parties, only as necessary to operate the Service:
- Paddle.com (payment processing): Paddle acts as our Merchant of Record. When you subscribe, Paddle collects and processes your payment information directly. We never see or store your card details. See Paddle's Privacy Policy.
- Resend (email delivery): We use Resend to send transactional emails — account verification and essential service notifications only. See Resend's Privacy Policy.
- Hetzner (hosting): Our servers are located in Germany (Hetzner data centre). See Hetzner's Privacy Policy.
We do not share your data with anyone else.
6. International Data Transfers
Our servers are located in Germany (EU). If you access OctoLab from outside the EU, your data is transferred to and processed in Germany. For users in the EU/EEA, your data stays within the EU. For users outside the EU, the transfer is necessary to perform our contract with you (providing the Service).
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the data we hold about you.
- Rectification: Ask us to correct inaccurate data.
- Erasure: Ask us to delete your account and associated data.
- Portability: Request your data in a machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Restriction: Ask us to limit how we process your data in certain circumstances.
- Withdraw consent: Where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, email [email protected]. We will respond within 30 days.
If you believe we are not handling your data correctly, you have the right to lodge a complaint with a supervisory authority in your jurisdiction.
8. Children's Privacy
OctoLab is not directed at anyone under the age of 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us and we will delete it.
9. Security
We take reasonable measures to protect your data:
- All web traffic is encrypted with HTTPS.
- Passwords are hashed with bcrypt (cost factor 12).
- Lab environments run in isolated Firecracker microVMs that are destroyed after each session.
- Terminal connections use encrypted WebSocket channels.
- Secrets and credentials are encrypted at rest with AES-256-GCM.
No system is perfectly secure. If you discover a security issue, please report it to [email protected].
10. Changes to This Policy
We may update this policy. If we make material changes, we will notify registered users by email at least 14 days before the changes take effect.
11. Contact
Privacy questions or data requests:
- Email: [email protected]
For questions about payment data, contact Paddle directly.