Sting9 Logo
Sting9

Privacy Policy

Effective Date: November 12, 2025

At Sting9, your privacy is our top priority. We are committed to protecting your personal information and handling submitted phishing data with the utmost care.

Our Privacy Principles

Privacy First

All submissions are automatically anonymized. No personal data is stored.

No Tracking

We don't track who submits messages. Anonymous contributions are welcome.

GDPR Compliant

We comply with GDPR, CCPA, and international privacy regulations.

1. Who We Are

Sting9 Research Initiative is operated by nlsio LLC (change of status planned). We are building the world's most comprehensive open-source dataset of phishing and smishing messages to train AI models for detecting malicious communications.

Contact:

Email: hello@sting9.org

Data Protection Officer: privacy@sting9.org

2. Information We Collect

2.1 Submitted Phishing/Scam Messages

When you submit a suspicious message to Sting9, we collect:

  • Message Content: The full text of the email, SMS, or other message (automatically anonymized before storage)
  • Message Metadata: Subject lines, timestamps, sender domains (but NOT full email addresses or phone numbers)
  • Message Headers: Technical routing information with personal identifiers removed
  • Message Type: Whether it's an email, SMS, WhatsApp, Telegram, Signal, or other format
  • Submission Source: How the message was submitted (web form, email forward, API, partner)
  • Detected Language: The language of the message content

✓ IMPORTANT: All personally identifiable information (PII) is automatically redacted BEFORE storage.

This includes: email addresses, phone numbers, names, street addresses, credit card numbers, social security numbers, IP addresses, and any other identifiable information.

2.2 Website Usage Data

We collect minimal technical data to operate our website:

  • Basic server logs (timestamps, HTTP requests) - retained for 30 days
  • Error logs for debugging - retained for 90 days
  • No cookies, tracking pixels, or analytics tools
  • No third-party advertising or tracking

2.3 Information We DO NOT Collect

We explicitly DO NOT collect or retain:

  • Your identity or contact information (unless you explicitly provide it for partnership inquiries)
  • IP addresses of website visitors or submitters
  • Device fingerprints or tracking identifiers
  • Browsing history or behavioral data
  • Any personal information from the phishing messages you submit

3. How We Use Your Information

3.1 Submitted Messages

Anonymized message data is used to:

  • Build and train AI models for phishing detection
  • Create an open-source dataset for security researchers
  • Analyze attack patterns and trends
  • Improve our detection algorithms
  • Generate public statistics about phishing threats

3.2 Technical Data

Basic technical data is used only to:

  • Operate and maintain our website
  • Debug technical issues
  • Prevent abuse and ensure security
  • Comply with legal obligations

4. Data Storage and Security

Data Hosting

All data is hosted on Upsun infrastructure in the Switzerland region, benefiting from Switzerland's strong data protection laws.

Security Measures:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest
  • Automatic PII Redaction: Personal information is removed before database storage using regex patterns and NER (Named Entity Recognition)
  • Access Controls: Strict row-level security and role-based access in PostgreSQL
  • Audit Logging: All data access is logged and monitored
  • Regular Backups: Automated encrypted backups with 30-day retention
  • Security Updates: Regular security patches and vulnerability scanning

5. Data Sharing and Disclosure

5.1 Open Dataset

Anonymized message data is made publicly available under the ODC-BY-NC license for:

  • Academic researchers
  • Security professionals
  • Non-profit organizations
  • Educational institutions

5.2 No Sale of Data

We DO NOT and WILL NEVER sell your personal information or the phishing data you submit.

5.3 Legal Requirements

We may disclose information only if required by law, court order, or to protect our legal rights. However, since we don't collect personal information, there is minimal data to disclose.

6. Your Privacy Rights

Under GDPR, CCPA, and other privacy laws, you have the right to:

  • Access: Request information about data we may have (though we don't link data to identities)
  • Deletion: Request deletion of specific submissions (if you can identify them)
  • Portability: Export data in machine-readable format
  • Objection: Object to processing of your data
  • Correction: Request correction of inaccurate data

To Exercise Your Rights:

Email: privacy@sting9.org

Note: Since submissions are anonymous, you may need to provide the submission ID to identify specific data.

7. Data Retention

  • Anonymized Messages: Retained indefinitely for research purposes (as they contain no personal information)
  • Server Logs: 30 days
  • Error Logs: 90 days
  • Backup Data: 30 days

8. International Data Transfers

Our data is hosted in Switzerland and is not transferred outside of Switzerland except when accessed via our API by authorized researchers worldwide. Since all data is anonymized, international transfers do not pose privacy risks.

9. Children's Privacy

Our service is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has submitted personal information, please contact us at privacy@sting9.org.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes by:

  • Posting the updated policy on this page
  • Updating the "Effective Date" at the top
  • Sending notice to registered partners (if applicable)

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

General Inquiries: hello@sting9.org

Privacy Officer: privacy@sting9.org

Sting9 Research Initiative
Operated by nlsio LLC