Legal

Privacy Policy

Last updated: 2026-04-22 | ~14 min read
Terms of Service | Security

1. Who we are

Webatrisk is the controller of your personal data. Here is how to reach our Data Protection Officer.

Webatrisk FZ-LLC (registration pending), with its registered office at [registered address] ("Webatrisk", "we", "us"), operates the Remote Browser Isolation platform at webatrisk.com and its associated subdomains.

We are the data controller for the personal data described in this policy. Our Data Protection Officer can be reached at:

[DPO name]
Email: support@webatrisk.com

2. What we collect

We collect only what is necessary to run the Service: your email, session metadata, IP address (for rate limiting), and billing information.

2.1. Account data

  • Email address - used for authentication (one-time passcode), account communications, and billing.
  • Session tokens - stored as salted hashes. We never store plaintext session tokens.

2.2. Usage metadata

  • Session counts and session minutes - per account, per billing period, for usage metering and invoicing.
  • IP address - processed for rate limiting and abuse prevention. Truncated within 24 hours.

2.3. Billing data

  • Company name, billing address, and tax identifiers as provided in your order form.
  • Payment transaction records (we do not store full card numbers; card processing is handled by our payment provider).

2.4. Website visitors

  • Standard server logs: IP address (truncated after 24 hours), user agent, requested path, referrer, timestamp.
  • We do not use third-party advertising or analytics trackers on our marketing site.

3. What we do NOT collect

We never collect the content of your browsing sessions. No keystrokes, no pages visited, no biometrics.
  • Target-site content - pages rendered through the Service exist only inside an ephemeral isolated microVM. No cache, cookies, DOM, or screenshots are ever persisted.
  • Pages browsed - we do not log the URLs you visit through the Service.
  • Keystrokes on target sites - input within a session stays inside the isolated microVM and is destroyed when the session ends.
  • Biometrics - we never collect fingerprints, facial data, or any biometric identifier.
  • Precise location - we do not collect GPS or fine-grained location data. The only geographic signal we infer is approximate country from IP address, used solely for rate-limiting rules.
  • Microphone or camera access - the Service never requests or accesses your device microphone or camera.
We rely on three legal bases: contract performance, legitimate interest, and consent.
PurposeLegal basis (GDPR Art. 6)
Providing the Service, authentication, billingPerformance of a contract (Art. 6(1)(b))
Security logs, rate limiting, abuse preventionLegitimate interest (Art. 6(1)(f))
Marketing communications (if you opt in)Consent (Art. 6(1)(a))

Where we rely on legitimate interest, we have conducted a balancing test and determined that our interest in protecting the security and integrity of the Service does not override your rights.

5. Sub-processors

We use a small number of infrastructure providers. Here is the full list.
ProviderPurposeLocationDPA in place
CDN and edge network providerCDN, DNS, DDoS protection, edge computeGlobal (anycast)Yes
Managed database providerAccount and billing database (PostgreSQL)US-EastYes
Application hosting providerIsolated microVM orchestration and computeUS / EU (customer-selectable)Yes
Transactional email providerSending OTP codes and account notificationsUSYes
In-memory data store providerRate limiting, session state, ephemeral cacheUSYes
Payment processor (planned)Card payment processing (when available)US / EUWill be in place before launch

We review sub-processors at least annually and will notify customers by email at least 30 days before adding a new sub-processor.

6. International transfers

Some sub-processors are based in the US. We use Standard Contractual Clauses where required.

Webatrisk operates from the UAE. Where personal data is transferred to sub-processors located outside the European Economic Area or the United Kingdom, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, for transfers to US-based sub-processors.
  • EU adequacy decisions where the destination country has been recognized as providing adequate data protection.

Enterprise customers may request regional data residency (EU-only processing) as part of their plan.

7. Retention

We keep data only as long as necessary. Target-site content is never stored at all.
Data categoryRetention period
Account data (email, profile)Duration of account + 90 days after deletion
Usage metadata (session counts, minutes)24 months
Target-site contentNever stored
Server and security logs30 to 90 days
Billing recordsAs required by applicable tax and accounting law (typically 5-7 years)

8. Your rights

Under GDPR and CCPA, you can access, correct, delete, or export your data. We respond within 30 days.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access - request a copy of the personal data we hold about you.
  • Rectification - request correction of inaccurate data.
  • Erasure - request deletion of your personal data ("right to be forgotten").
  • Restriction - request that we limit how we use your data.
  • Portability - receive your data in a structured, machine-readable format.
  • Objection - object to processing based on legitimate interest.
  • Withdraw consent - where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

CCPA (California). California residents have the right to know what personal information we collect, to request deletion, and to opt out of any "sale" of personal information. We do not sell personal information.

To exercise any of these rights, email support@webatrisk.com. We will respond within 30 days. If we need more time, we will inform you of the reason and the expected timeline.

9. Cookies

We use only essential session cookies. No tracking cookies on the marketing site.

Our marketing website (webatrisk.com) does not set any cookies.

Our application portals (app.webatrisk.com, partner.webatrisk.com) use strictly necessary session cookies for authentication. These cookies are:

  • HttpOnly, Secure, SameSite=Lax
  • Not used for advertising or cross-site tracking
  • Deleted when you log out or when the session expires

We do not use any third-party tracking cookies, advertising pixels, or analytics cookies anywhere on our domains.

10. Children

The Service is not intended for anyone under 16.

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe that we have inadvertently collected data from a minor, please contact us at support@webatrisk.com and we will promptly delete it.

11. Security

We take security seriously. See our dedicated Security page for technical details.

We implement appropriate technical and organisational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. For a detailed description of our security architecture and practices, please visit our Security and Trust page.

12. Changes to this policy

We will notify you by email and with a banner on the site before material changes take effect.

We may update this Privacy Policy from time to time. For material changes, we will:

  • Send an email notification to the address associated with your account.
  • Display a prominent banner notice on the Service.
  • Provide at least 30 days' notice before the change takes effect.

Non-material changes (such as formatting or clarifications that do not affect your rights) may be made without advance notice.

13. Contact and supervisory authority

Reach us at support@webatrisk.com. You also have the right to lodge a complaint with a data protection authority.

If you have questions about this Privacy Policy or want to exercise your rights, contact us:

Webatrisk FZ-LLC (registration pending)
Data Protection Officer: [DPO name]
Email: support@webatrisk.com

If you are located in the European Economic Area, you have the right to lodge a complaint with your local supervisory authority.

14. Effective date

This Privacy Policy is effective as of 22 April 2026.