STOPBOT.NET ("Stopbot", "we", "us" or "our") provides bot detection, traffic filtering, visitor intelligence, lookup and validation services. This Privacy Policy describes the personal information we process, where it comes from, why we use it, when we disclose it and the choices available to individuals.
This policy should be read with our Terms of Service. If a customer has a separate written data processing agreement with us, that agreement governs the covered processing if it conflicts with this policy.
1. Scope and our privacy roles
This policy applies to stopbot.net, panel.stopbot.net, api.stopbot.net, documentation and support experiences that link to this policy, and Stopbot integrations that communicate with our services. It does not govern an independent third-party website merely because that website links to Stopbot.
When Stopbot determines the purpose
Stopbot acts as a controller or equivalent responsible business for account registration, authentication, subscriptions, billing records, website analytics, service security, support communications and our own legal obligations.
When a customer determines the purpose
When a customer sends its visitors' data to Blocker, Blocker V2 or SmartURLs, the customer generally determines why and how that data is used. In that context, the customer is the controller or business and Stopbot acts as its processor or service provider. Stopbot may separately process limited security signals to protect the platform, prevent abuse and maintain reliable threat detection.
The website operator is usually the best first contact for requests about a block, redirect or visitor record. We will assist the customer with valid requests when required.
2. Information we collect
The information collected depends on how you interact with Stopbot and which service a customer enables.
| Category | Examples | When it is collected |
|---|---|---|
| Account and authentication | Name, email address, password hash, activation status, session identifier, account status and basic Google profile information if Google sign-in is selected. | When an account is created, activated, signed in to, recovered or updated. |
| Subscription and transaction | Plan, quota, usage, price, currency, gateway, transaction reference, payment status and timestamps. Stopbot does not receive or store full card details when they are handled by the selected payment provider. | When a plan is selected, purchased, renewed, cancelled or reconciled. |
| API credentials and configuration | API key, configuration names, filtering rules, response destinations, SmartURLs key names, allowlists, blocklists and service preferences. | When customers configure or call a Stopbot service. |
| API request and visitor metadata | Submitted or connection IP address, URL, user agent, device, hostname, ISP, approximate location derived from IP, request time and detection result. | When Blocker, Blocker V2, SmartURLs or IP Lookup processes a request. |
| Lookup and validation content | Email address, phone number, IP address and derived results such as domain records, disposable-email status, phone type, carrier, location or country. | When Email Validation, Phone Number Identify or IP Lookup is used. |
| Support and communications | Contact details, chat content, attachments, account identifiers and diagnostic details provided in a support request. | When you contact support, report abuse or communicate with us. |
| Website and device activity | Browser, operating system, device type, referring page, pages viewed, interactions, approximate location and conversion events. | From essential service logs and, for analytics or advertising measurement, only after consent. |
| Security and abuse signals | Failed sign-in attempts, malformed or invalid API requests, rate-limit events, suspicious IPs, threat matches and operational diagnostics. | When needed to protect accounts, customers and the Stopbot platform. |
Sources of information
- Directly from you, such as registration, configuration, payment and support information.
- From customers and their integrations, when they submit visitor or request data to our APIs.
- From service providers, such as authentication, payment, analytics, chat and anti-abuse providers.
- From network intelligence sources, including licensed, public and security datasets used to derive IP, hostname, ASN, carrier and threat information.
- Automatically from use of the service, such as timestamps, request volume, response codes and security events.
3. How and why we use information
| Purpose | Typical legal basis where required |
|---|---|
| Provide API responses, dashboard features, subscriptions, authentication, support and requested integrations. | Performance of a contract or steps requested before entering a contract. |
| Measure quota and usage, process transactions, maintain records and communicate service or account changes. | Contract, legitimate interests and legal obligations. |
| Detect bots, threats, fraud, abuse, compromised credentials and attempts to bypass service controls. | Legitimate interests in security, reliability and fraud prevention. |
| Diagnose failures, monitor performance, improve detection quality and develop service features. | Legitimate interests, subject to appropriate safeguards and data minimization. |
| Provide analytics and Google Ads conversion measurement on our public website. | Consent where required. |
| Comply with lawful requests, enforce agreements, resolve disputes and protect rights or safety. | Legal obligations and legitimate interests. |
Where consent is the basis, you may withdraw it for future processing. Where legitimate interests are the basis, we consider the purpose, necessity and impact on individuals. Other lawful bases may apply where permitted by local law.
We may create aggregated or de-identified statistics that are not reasonably linked to an individual. We may use those statistics to operate, report on and improve Stopbot.
4. API, detection and visitor data
Stopbot services process different fields and produce different records. The following summary reflects the current service design.
| Service | Data processed and service record |
|---|---|
| Blocker | Processes IP, URL and user agent. Visitor records can include device, hostname, ISP, city, region, country, threat result, access decision and detection reason. |
| Blocker V2 | Processes the Blocker fields plus a customer configuration name and optional JSON parameters or headers for configured rule evaluation. Visitor records can include the resulting bot, block, threat and detection status. |
| SmartURLs | Processes IP, key name, URL and user agent. Records can include device, hostname, ISP, location, threat and block status, redirect flow and JavaScript verification status. |
| IP Lookup | Processes a submitted IP and returns network and approximate geographic attributes such as hostname, ASN, company, ISP, city, region, country and timezone. Request metadata may be logged. |
| Email Validation | Processes a submitted email address to evaluate format, domain, disposable-email status, MX, SPF and DMARC information. Request metadata may be logged. |
| Phone Number Identify | Processes a submitted number and can store the normalized number and derived type, carrier, location and country code in the customer's result history. |
| Account | Authenticates the API key and returns account plan, quota, usage and expiration information. API keys are credentials and must be kept confidential. |
Customers must not include passwords, authentication cookies, bearer tokens, private keys, financial data or unrelated sensitive information in URL, params, headers or user-agent fields. Because Stopbot APIs use query parameters, request values may also appear in browser history, proxy logs, web-server logs or customer-side diagnostics. API keys must be treated as secrets and rotated if exposed.
Optional Blocker V2 parameters and headers are used for configured rule evaluation and are not intended to be copied into the customer-facing visitor record. Operational infrastructure may still process request metadata needed to route, secure and diagnose the request.
5. Cookies and similar technologies
We use cookies, session identifiers and browser local storage for essential functionality, preferences, support and optional measurement.
| Technology | Purpose | Control or duration |
|---|---|---|
| PHPSESSID and security/session data | Authenticates panel sessions, protects account access and maintains service state. | Essential. Expires with the session or the server-configured session period. |
| sb-theme local storage | Remembers the light or dark appearance selected in the browser. | Preference. Remains until changed or browser site data is cleared. |
| sb-consent local storage | Remembers whether analytics and advertising measurement were accepted or declined. | Preference. Remains until reset or browser site data is cleared. |
| Google Analytics and Google Ads | Measures website use and conversion activity. | Optional. These tools load only after you select Accept in the consent notice. |
| Google Fonts | Delivers the typefaces used by public pages. The browser sends standard network information when requesting font files. | Loads with the public website. Font delivery is governed by Google's privacy practices. |
| Tawk.to live chat | Provides support chat and may process network, device and conversation information. | Support function. It may load independently of analytics consent and uses its own storage practices. |
| Google sign-in and reCAPTCHA | Provides optional authentication and helps prevent automated abuse when enabled. | Used when you choose Google sign-in or interact with a protected form. |
Declining analytics does not disable essential account/session storage or the support-chat service. Browser settings can also block or delete storage, but doing so may sign you out or reset preferences. If your browser sends a Global Privacy Control signal, we treat it as a request to decline optional analytics and advertising measurement.
6. How information is disclosed
We do not sell personal information for monetary payment. We disclose information only as reasonably necessary for the purposes in this policy, including to:
- Infrastructure, network and security providers that host, deliver, monitor or protect the service.
- Support providers, including Tawk.to when the live-chat service is available.
- Analytics and advertising measurement providers, including Google, after the required consent.
- Authentication and abuse-prevention providers, such as Google sign-in and reCAPTCHA when used.
- Payment providers selected at checkout, which may include PayPal, Midtrans, Coinbase or CoinPayments depending on availability. Their handling of payment credentials is governed by their own terms and privacy policies.
- Professional advisers such as accountants, auditors, insurers and legal advisers under appropriate confidentiality duties.
- Authorities or other parties when required by valid legal process or when reasonably necessary to protect rights, users, the public or service security.
- A successor organization in connection with a merger, financing, acquisition, reorganization or sale of assets, subject to appropriate safeguards.
A customer's authorized account users can access service configurations, usage and visitor records associated with that customer's account. Customers are responsible for limiting that access to appropriate personnel.
If applicable law characterizes optional advertising or analytics measurement as a "sale" or "sharing", you can decline that processing through our consent control. We do not use API-submitted visitor data to market directly to those visitors.
7. International data transfers
Stopbot and its providers may process information in countries other than the country where an individual or customer is located. Privacy and data-protection laws may differ across those locations.
Where required, we use recognized transfer mechanisms or contractual, technical and organizational safeguards appropriate to the service and the parties involved. Customers with specific transfer or residency requirements should contact us before submitting regulated data.
8. Data retention and security
How long information is kept
We retain information for no longer than reasonably necessary for the purpose for which it was collected, subject to contractual, security, backup and legal requirements. Retention may vary by service, plan, account state and the type of record.
| Record | Typical retention criteria |
|---|---|
| Account and configuration | While the account is active and for a limited period afterward to complete deletion, resolve disputes, prevent abuse or meet legal requirements. |
| Subscription and transaction | For the period required to reconcile payments, maintain financial records, address disputes and comply with applicable law. |
| API visitor and detection records | For the operational history made available to the customer and for a limited period needed for security, diagnostics, abuse prevention and service quality. |
| Phone identification results | As part of the customer's result history until removed under applicable retention or deletion processes. |
| Security events | For as long as reasonably needed to investigate incidents, enforce limits and prevent repeated abuse. |
| Support communications | Until the request is resolved and for a reasonable follow-up, quality and dispute-resolution period. |
| Backups | Until overwritten or deleted through the normal backup lifecycle, unless preservation is legally required. |
When retention ends, information is deleted, anonymized or isolated from normal use. Aggregated or de-identified data may be kept longer when it can no longer reasonably identify an individual.
How we protect information
We use safeguards appropriate to the nature of the service and the risks involved, including TLS encryption in transit, restricted administrative access, password hashing, session controls, rate limits, request validation, network protections, service monitoring and security review. Access to production data is limited to authorized needs.
No internet service can guarantee absolute security. Customers must protect API keys, account credentials, integrations and downloaded records. If we become aware of a qualifying personal-data breach, we will investigate and provide notices required by applicable law.
9. Detection, profiling and automated decisions
Blocker, Blocker V2 and SmartURLs automatically evaluate signals such as IP intelligence, user agent, device, URL risk, hostname, customer lists and configured rules. The result may identify bot activity, a threat, an access decision, a detection reason or a configured page response.
A bot result and an access decision are not the same. For example, a request can have isBot: 0 and still have blockAccess: 1 because a customer's country, network, URL or other rule denied access. Customers choose their rules and determine how their applications act on the response.
Stopbot is designed for website security, traffic routing and fraud prevention. It is not designed to make decisions about employment, credit, insurance, housing, education, healthcare or other matters that produce legal or similarly significant effects on an individual. Customers must not use it for those purposes without an independently valid legal basis, appropriate safeguards and human review.
If you believe a customer website blocked or redirected you incorrectly, contact that website operator and provide the approximate time, requested page and non-sensitive diagnostic details. Do not send your API key, password or session token.
10. Your privacy rights and choices
Depending on where you live and how Stopbot processes your information, you may have the right to:
- Know whether we process your personal information and receive information about its use.
- Access or obtain a copy of eligible personal information.
- Correct inaccurate or incomplete information.
- Request deletion, subject to contractual, security and legal exceptions.
- Restrict or object to certain processing.
- Withdraw consent for future processing where consent is the legal basis.
- Receive eligible information in a portable format.
- Opt out of a sale or sharing where those concepts apply under local law.
- Complain to an appropriate privacy or data-protection authority.
- Exercise applicable rights without unlawful discrimination.
How to submit a request
- Contact us through the contact page or support center and clearly label the request as a privacy or data request.
- Describe the context by identifying whether the request concerns a Stopbot account, website analytics, support conversation or a customer's API visitor record.
- Provide safe matching details such as the account email, customer domain, affected service and approximate date and time. Never send a password, full API key or authentication token.
- Complete verification if reasonably required to protect the account and prevent unauthorized disclosure or deletion.
We may ask an authorized agent to provide proof of authority. If Stopbot processes the information only for a customer, we may direct the request to that customer or ask for enough information to identify the correct customer account.
Regional disclosures
Indonesia. Where Indonesia's personal-data law applies, requests may include the applicable rights of access, correction, deletion, withdrawal, restriction, objection and portability, subject to lawful exceptions.
EEA, United Kingdom and similar jurisdictions. Where applicable, individuals may exercise data-subject rights and may lodge a complaint with their local supervisory authority. Our typical legal bases are described in Section 3.
California. Where the California Consumer Privacy Act applies, the categories described in Section 2 may include identifiers, commercial information, internet or electronic-network activity, approximate geolocation and inferences related to bot or threat status. Eligible residents may request to know, delete or correct information and may opt out of covered sale or sharing. Stopbot does not sell personal information for monetary payment.
11. Customer responsibilities
Customers that integrate Stopbot into a website or application are responsible for their own privacy compliance. This includes:
- Providing an accurate privacy notice that identifies Stopbot or the relevant processing categories.
- Establishing an appropriate legal basis for sending visitor data to Stopbot.
- Collecting only data necessary for the configured detection or lookup purpose.
- Avoiding passwords, session cookies, authorization headers, private tokens and unrelated sensitive data.
- Keeping API keys confidential, limiting dashboard access and rotating credentials after suspected exposure.
- Configuring redirects, allowlists, blocklists and response rules carefully and reviewing false positives.
- Responding to visitor requests and complaints, with Stopbot's assistance where required.
- Using appropriate contracts and transfer safeguards when regulated data is involved.
12. Children, third-party services and policy changes
Children
Stopbot is a business and developer service and is not directed to children. Children should not create Stopbot accounts or submit personal information to us. If you believe a child has provided account information without appropriate authorization, contact us so we can review the situation.
Third-party websites and services
Stopbot pages may link to documentation hosts, social networks, payment providers, source-code repositories or other independent services. Their privacy practices are governed by their own notices. We encourage you to review those notices before providing information.
Changes to this policy
We may update this policy to reflect service, legal or operational changes. We will change the date at the top of this page and, when appropriate, provide additional notice through the panel, service communications or our update logs. Material changes apply prospectively from the stated effective date unless law requires otherwise.
Privacy contact
Questions or data requests?
Contact Stopbot through our support channels. Include enough non-sensitive information for us to identify the relevant account or customer, and never include a password, complete API key or session token.