Privacy Policy

This policy explains how STOPBOT.NET handles account, website and API service data, including data processed on behalf of our customers.

Effective: July 11, 2026 Last updated: July 11, 2026

Privacy at a glance

Clear boundaries for your data

No monetary sale

We do not sell personal information in exchange for money.

Analytics by choice

Google Analytics and Google Ads measurement load only after you accept.

Purpose-limited API data

Service data is used to deliver, secure and improve the services requested by customers.

Privacy requests supported

You can ask to access, correct or delete eligible personal information.

Applies toWebsite, panel, APIs and support
Policy ownerSTOPBOT.NET
Version2026.07

STOPBOT.NET ("Stopbot", "we", "us" or "our") provides bot detection, traffic filtering, visitor intelligence, lookup and validation services. This Privacy Policy describes the personal information we process, where it comes from, why we use it, when we disclose it and the choices available to individuals.

This policy should be read with our Terms of Service. If a customer has a separate written data processing agreement with us, that agreement governs the covered processing if it conflicts with this policy.

1. Scope and our privacy roles

This policy applies to stopbot.net, panel.stopbot.net, api.stopbot.net, documentation and support experiences that link to this policy, and Stopbot integrations that communicate with our services. It does not govern an independent third-party website merely because that website links to Stopbot.

When Stopbot determines the purpose

Stopbot acts as a controller or equivalent responsible business for account registration, authentication, subscriptions, billing records, website analytics, service security, support communications and our own legal obligations.

When a customer determines the purpose

When a customer sends its visitors' data to Blocker, Blocker V2 or SmartURLs, the customer generally determines why and how that data is used. In that context, the customer is the controller or business and Stopbot acts as its processor or service provider. Stopbot may separately process limited security signals to protect the platform, prevent abuse and maintain reliable threat detection.

Are you a visitor to a customer's website?

The website operator is usually the best first contact for requests about a block, redirect or visitor record. We will assist the customer with valid requests when required.

2. Information we collect

The information collected depends on how you interact with Stopbot and which service a customer enables.

CategoryExamplesWhen it is collected
Account and authenticationName, email address, password hash, activation status, session identifier, account status and basic Google profile information if Google sign-in is selected.When an account is created, activated, signed in to, recovered or updated.
Subscription and transactionPlan, quota, usage, price, currency, gateway, transaction reference, payment status and timestamps. Stopbot does not receive or store full card details when they are handled by the selected payment provider.When a plan is selected, purchased, renewed, cancelled or reconciled.
API credentials and configurationAPI key, configuration names, filtering rules, response destinations, SmartURLs key names, allowlists, blocklists and service preferences.When customers configure or call a Stopbot service.
API request and visitor metadataSubmitted or connection IP address, URL, user agent, device, hostname, ISP, approximate location derived from IP, request time and detection result.When Blocker, Blocker V2, SmartURLs or IP Lookup processes a request.
Lookup and validation contentEmail address, phone number, IP address and derived results such as domain records, disposable-email status, phone type, carrier, location or country.When Email Validation, Phone Number Identify or IP Lookup is used.
Support and communicationsContact details, chat content, attachments, account identifiers and diagnostic details provided in a support request.When you contact support, report abuse or communicate with us.
Website and device activityBrowser, operating system, device type, referring page, pages viewed, interactions, approximate location and conversion events.From essential service logs and, for analytics or advertising measurement, only after consent.
Security and abuse signalsFailed sign-in attempts, malformed or invalid API requests, rate-limit events, suspicious IPs, threat matches and operational diagnostics.When needed to protect accounts, customers and the Stopbot platform.

Sources of information

  • Directly from you, such as registration, configuration, payment and support information.
  • From customers and their integrations, when they submit visitor or request data to our APIs.
  • From service providers, such as authentication, payment, analytics, chat and anti-abuse providers.
  • From network intelligence sources, including licensed, public and security datasets used to derive IP, hostname, ASN, carrier and threat information.
  • Automatically from use of the service, such as timestamps, request volume, response codes and security events.

3. How and why we use information

PurposeTypical legal basis where required
Provide API responses, dashboard features, subscriptions, authentication, support and requested integrations.Performance of a contract or steps requested before entering a contract.
Measure quota and usage, process transactions, maintain records and communicate service or account changes.Contract, legitimate interests and legal obligations.
Detect bots, threats, fraud, abuse, compromised credentials and attempts to bypass service controls.Legitimate interests in security, reliability and fraud prevention.
Diagnose failures, monitor performance, improve detection quality and develop service features.Legitimate interests, subject to appropriate safeguards and data minimization.
Provide analytics and Google Ads conversion measurement on our public website.Consent where required.
Comply with lawful requests, enforce agreements, resolve disputes and protect rights or safety.Legal obligations and legitimate interests.

Where consent is the basis, you may withdraw it for future processing. Where legitimate interests are the basis, we consider the purpose, necessity and impact on individuals. Other lawful bases may apply where permitted by local law.

We may create aggregated or de-identified statistics that are not reasonably linked to an individual. We may use those statistics to operate, report on and improve Stopbot.

4. API, detection and visitor data

Stopbot services process different fields and produce different records. The following summary reflects the current service design.

ServiceData processed and service record
BlockerProcesses IP, URL and user agent. Visitor records can include device, hostname, ISP, city, region, country, threat result, access decision and detection reason.
Blocker V2Processes the Blocker fields plus a customer configuration name and optional JSON parameters or headers for configured rule evaluation. Visitor records can include the resulting bot, block, threat and detection status.
SmartURLsProcesses IP, key name, URL and user agent. Records can include device, hostname, ISP, location, threat and block status, redirect flow and JavaScript verification status.
IP LookupProcesses a submitted IP and returns network and approximate geographic attributes such as hostname, ASN, company, ISP, city, region, country and timezone. Request metadata may be logged.
Email ValidationProcesses a submitted email address to evaluate format, domain, disposable-email status, MX, SPF and DMARC information. Request metadata may be logged.
Phone Number IdentifyProcesses a submitted number and can store the normalized number and derived type, carrier, location and country code in the customer's result history.
AccountAuthenticates the API key and returns account plan, quota, usage and expiration information. API keys are credentials and must be kept confidential.
Do not send secrets in inspection fields

Customers must not include passwords, authentication cookies, bearer tokens, private keys, financial data or unrelated sensitive information in URL, params, headers or user-agent fields. Because Stopbot APIs use query parameters, request values may also appear in browser history, proxy logs, web-server logs or customer-side diagnostics. API keys must be treated as secrets and rotated if exposed.

Optional Blocker V2 parameters and headers are used for configured rule evaluation and are not intended to be copied into the customer-facing visitor record. Operational infrastructure may still process request metadata needed to route, secure and diagnose the request.

5. Cookies and similar technologies

We use cookies, session identifiers and browser local storage for essential functionality, preferences, support and optional measurement.

TechnologyPurposeControl or duration
PHPSESSID and security/session dataAuthenticates panel sessions, protects account access and maintains service state.Essential. Expires with the session or the server-configured session period.
sb-theme local storageRemembers the light or dark appearance selected in the browser.Preference. Remains until changed or browser site data is cleared.
sb-consent local storageRemembers whether analytics and advertising measurement were accepted or declined.Preference. Remains until reset or browser site data is cleared.
Google Analytics and Google AdsMeasures website use and conversion activity.Optional. These tools load only after you select Accept in the consent notice.
Google FontsDelivers the typefaces used by public pages. The browser sends standard network information when requesting font files.Loads with the public website. Font delivery is governed by Google's privacy practices.
Tawk.to live chatProvides support chat and may process network, device and conversation information.Support function. It may load independently of analytics consent and uses its own storage practices.
Google sign-in and reCAPTCHAProvides optional authentication and helps prevent automated abuse when enabled.Used when you choose Google sign-in or interact with a protected form.

Declining analytics does not disable essential account/session storage or the support-chat service. Browser settings can also block or delete storage, but doing so may sign you out or reset preferences. If your browser sends a Global Privacy Control signal, we treat it as a request to decline optional analytics and advertising measurement.

Google Privacy Policy Tawk.to Privacy Policy

6. How information is disclosed

We do not sell personal information for monetary payment. We disclose information only as reasonably necessary for the purposes in this policy, including to:

  • Infrastructure, network and security providers that host, deliver, monitor or protect the service.
  • Support providers, including Tawk.to when the live-chat service is available.
  • Analytics and advertising measurement providers, including Google, after the required consent.
  • Authentication and abuse-prevention providers, such as Google sign-in and reCAPTCHA when used.
  • Payment providers selected at checkout, which may include PayPal, Midtrans, Coinbase or CoinPayments depending on availability. Their handling of payment credentials is governed by their own terms and privacy policies.
  • Professional advisers such as accountants, auditors, insurers and legal advisers under appropriate confidentiality duties.
  • Authorities or other parties when required by valid legal process or when reasonably necessary to protect rights, users, the public or service security.
  • A successor organization in connection with a merger, financing, acquisition, reorganization or sale of assets, subject to appropriate safeguards.

A customer's authorized account users can access service configurations, usage and visitor records associated with that customer's account. Customers are responsible for limiting that access to appropriate personnel.

If applicable law characterizes optional advertising or analytics measurement as a "sale" or "sharing", you can decline that processing through our consent control. We do not use API-submitted visitor data to market directly to those visitors.

7. International data transfers

Stopbot and its providers may process information in countries other than the country where an individual or customer is located. Privacy and data-protection laws may differ across those locations.

Where required, we use recognized transfer mechanisms or contractual, technical and organizational safeguards appropriate to the service and the parties involved. Customers with specific transfer or residency requirements should contact us before submitting regulated data.

8. Data retention and security

How long information is kept

We retain information for no longer than reasonably necessary for the purpose for which it was collected, subject to contractual, security, backup and legal requirements. Retention may vary by service, plan, account state and the type of record.

RecordTypical retention criteria
Account and configurationWhile the account is active and for a limited period afterward to complete deletion, resolve disputes, prevent abuse or meet legal requirements.
Subscription and transactionFor the period required to reconcile payments, maintain financial records, address disputes and comply with applicable law.
API visitor and detection recordsFor the operational history made available to the customer and for a limited period needed for security, diagnostics, abuse prevention and service quality.
Phone identification resultsAs part of the customer's result history until removed under applicable retention or deletion processes.
Security eventsFor as long as reasonably needed to investigate incidents, enforce limits and prevent repeated abuse.
Support communicationsUntil the request is resolved and for a reasonable follow-up, quality and dispute-resolution period.
BackupsUntil overwritten or deleted through the normal backup lifecycle, unless preservation is legally required.

When retention ends, information is deleted, anonymized or isolated from normal use. Aggregated or de-identified data may be kept longer when it can no longer reasonably identify an individual.

How we protect information

We use safeguards appropriate to the nature of the service and the risks involved, including TLS encryption in transit, restricted administrative access, password hashing, session controls, rate limits, request validation, network protections, service monitoring and security review. Access to production data is limited to authorized needs.

No internet service can guarantee absolute security. Customers must protect API keys, account credentials, integrations and downloaded records. If we become aware of a qualifying personal-data breach, we will investigate and provide notices required by applicable law.

9. Detection, profiling and automated decisions

Blocker, Blocker V2 and SmartURLs automatically evaluate signals such as IP intelligence, user agent, device, URL risk, hostname, customer lists and configured rules. The result may identify bot activity, a threat, an access decision, a detection reason or a configured page response.

A bot result and an access decision are not the same. For example, a request can have isBot: 0 and still have blockAccess: 1 because a customer's country, network, URL or other rule denied access. Customers choose their rules and determine how their applications act on the response.

Stopbot is designed for website security, traffic routing and fraud prevention. It is not designed to make decisions about employment, credit, insurance, housing, education, healthcare or other matters that produce legal or similarly significant effects on an individual. Customers must not use it for those purposes without an independently valid legal basis, appropriate safeguards and human review.

If you believe a customer website blocked or redirected you incorrectly, contact that website operator and provide the approximate time, requested page and non-sensitive diagnostic details. Do not send your API key, password or session token.

10. Your privacy rights and choices

Depending on where you live and how Stopbot processes your information, you may have the right to:

  • Know whether we process your personal information and receive information about its use.
  • Access or obtain a copy of eligible personal information.
  • Correct inaccurate or incomplete information.
  • Request deletion, subject to contractual, security and legal exceptions.
  • Restrict or object to certain processing.
  • Withdraw consent for future processing where consent is the legal basis.
  • Receive eligible information in a portable format.
  • Opt out of a sale or sharing where those concepts apply under local law.
  • Complain to an appropriate privacy or data-protection authority.
  • Exercise applicable rights without unlawful discrimination.

How to submit a request

  1. Contact us through the contact page or support center and clearly label the request as a privacy or data request.
  2. Describe the context by identifying whether the request concerns a Stopbot account, website analytics, support conversation or a customer's API visitor record.
  3. Provide safe matching details such as the account email, customer domain, affected service and approximate date and time. Never send a password, full API key or authentication token.
  4. Complete verification if reasonably required to protect the account and prevent unauthorized disclosure or deletion.

We may ask an authorized agent to provide proof of authority. If Stopbot processes the information only for a customer, we may direct the request to that customer or ask for enough information to identify the correct customer account.

Regional disclosures

Indonesia. Where Indonesia's personal-data law applies, requests may include the applicable rights of access, correction, deletion, withdrawal, restriction, objection and portability, subject to lawful exceptions.

EEA, United Kingdom and similar jurisdictions. Where applicable, individuals may exercise data-subject rights and may lodge a complaint with their local supervisory authority. Our typical legal bases are described in Section 3.

California. Where the California Consumer Privacy Act applies, the categories described in Section 2 may include identifiers, commercial information, internet or electronic-network activity, approximate geolocation and inferences related to bot or threat status. Eligible residents may request to know, delete or correct information and may opt out of covered sale or sharing. Stopbot does not sell personal information for monetary payment.

11. Customer responsibilities

Customers that integrate Stopbot into a website or application are responsible for their own privacy compliance. This includes:

  • Providing an accurate privacy notice that identifies Stopbot or the relevant processing categories.
  • Establishing an appropriate legal basis for sending visitor data to Stopbot.
  • Collecting only data necessary for the configured detection or lookup purpose.
  • Avoiding passwords, session cookies, authorization headers, private tokens and unrelated sensitive data.
  • Keeping API keys confidential, limiting dashboard access and rotating credentials after suspected exposure.
  • Configuring redirects, allowlists, blocklists and response rules carefully and reviewing false positives.
  • Responding to visitor requests and complaints, with Stopbot's assistance where required.
  • Using appropriate contracts and transfer safeguards when regulated data is involved.

12. Children, third-party services and policy changes

Children

Stopbot is a business and developer service and is not directed to children. Children should not create Stopbot accounts or submit personal information to us. If you believe a child has provided account information without appropriate authorization, contact us so we can review the situation.

Third-party websites and services

Stopbot pages may link to documentation hosts, social networks, payment providers, source-code repositories or other independent services. Their privacy practices are governed by their own notices. We encourage you to review those notices before providing information.

Changes to this policy

We may update this policy to reflect service, legal or operational changes. We will change the date at the top of this page and, when appropriate, provide additional notice through the panel, service communications or our update logs. Material changes apply prospectively from the stated effective date unless law requires otherwise.

Privacy contact

Questions or data requests?

Contact Stopbot through our support channels. Include enough non-sensitive information for us to identify the relevant account or customer, and never include a password, complete API key or session token.