Privacy Policy

Last updated: March 2026

1. Introduction

This Privacy Policy explains how Defensia, with professional activity in Barcelona, Spain ("we", "us", "our"), collects, uses, stores, and protects your personal data when you use defensia.cloud and the Defensia platform (the "Service"). We are committed to protecting your privacy and ensuring that your personal information is handled responsibly and in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Data Controller

The data controller responsible for your personal data is Defensia, with professional activity in Barcelona, Spain. For any inquiries regarding data processing, you can contact us at support@defensia.cloud.

3. Information We Collect

We collect the following categories of information when you use the Service:

3.1 Account Data

When you create an account, we collect your name, email address, and password. Passwords are cryptographically hashed and are never stored in plain text.

3.2 Server Data

When you connect a server to the Service, we collect the server hostname, IP address, operating system information, and security event data. Security events include brute-force login attempts, port scans, vulnerability scan results, and firewall rule activity. This includes IP addresses identified as potential threats, which may be shared across the Defensia Network (if you enable this feature) to provide collective protection. These IP addresses are processed under our legitimate interest basis (Article 6(1)(f) GDPR) for cybersecurity purposes, in accordance with Recital 49 of the GDPR. This data is essential for providing the core security monitoring and protection features of the Service.

3.3 Usage Data

We collect information about how you interact with the Service, including pages visited, features used, browser type, device information, and access timestamps. This data helps us understand usage patterns and improve the platform.

3.4 Billing Data

All payment processing is handled entirely by our authorized payment provider, which acts as our Merchant of Record. We do not collect, store, or have access to your payment card information. Our payment provider processes your payment data in accordance with their own privacy policy and PCI DSS compliance standards.

4. How We Use Your Data

We use the information we collect for the following purposes:

  • To provide, operate, and maintain the Service, including real-time server monitoring and threat protection.
  • To send security alerts and notifications related to your servers and account.
  • To analyse usage patterns and improve the platform's features, performance, and user experience.
  • To communicate important service updates, maintenance notices, and policy changes.
  • To comply with legal obligations, including tax reporting and fraud prevention.

5. Legal Basis for Processing (GDPR)

Under the GDPR, we process your personal data based on the following legal grounds:

  • Contract performance (Article 6(1)(b)) — Processing is necessary for the performance of our contract with you, i.e., providing the Defensia security service.
  • Legitimate interest (Article 6(1)(f)) — We have a legitimate interest in improving our service, ensuring platform security, preventing abuse, and protecting our users.
  • Consent (Article 6(1)(a)) — Where applicable, we rely on your explicit consent for processing, such as sending marketing communications. You may withdraw consent at any time.
  • Legal obligation (Article 6(1)(c)) — Processing may be necessary to comply with legal obligations, including tax regulations and fraud prevention requirements.

6. Data Sharing

We may share your data with the following categories of recipients:

  • Authorized payment provider — Our Merchant of Record for payment processing. Our payment provider handles all billing, invoicing, and payment card data on our behalf.
  • Infrastructure providers — We use third-party hosting and cloud infrastructure services to operate the platform. These providers process data on our behalf under strict data processing agreements.
  • Defensia Network (opt-in) — If you enable the Defensia Network feature (available on the Pro plan), anonymised threat intelligence data from your servers may be shared with the collaborative Defensia Network to improve collective security. This is entirely optional and opt-in.

We do not sell, rent, or trade your personal data to third parties for marketing or advertising purposes under any circumstances.

7. Data Retention

We retain your data for the following periods:

  • Account data — Retained for the duration your account is active, plus 30 days after account deletion to allow for recovery and to fulfil any outstanding legal obligations.
  • Security event data — Retained for 7 days on the Free plan and 90 days on the Pro plan. After the retention period, event data is permanently deleted.
  • Audit logs — Retained for 1 year to support security investigations and compliance requirements.

When data is no longer needed for its original purpose and no legal obligation requires its retention, it is securely deleted or anonymised.

8. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access — You have the right to request a copy of the personal data we hold about you.
  • Right to rectification — You can request correction of any inaccurate or incomplete personal data.
  • Right to erasure — You can request deletion of your personal data, subject to legal retention obligations.
  • Right to data portability — You can request to receive your data in a structured, commonly used, machine-readable format.
  • Right to restriction — You can request that we limit the processing of your personal data under certain circumstances.
  • Right to object — You can object to the processing of your personal data where we rely on legitimate interest as the legal basis.
  • Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal.

To exercise any of these rights, please contact us at privacy@defensia.cloud. We will respond to your request within 30 days as required by the GDPR.

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos, AEPD) at www.aepd.es.

9. Cookies

The Service uses strictly necessary session cookies for authentication and maintaining your logged-in state. These cookies are essential for the proper functioning of the platform and cannot be disabled. We do not use third-party tracking cookies, advertising cookies, or analytics cookies that track your behaviour across other websites.

10. International Transfers

Our servers and primary data processing infrastructure are located within the European Union. In the event that any personal data is transferred outside the EU/EEA, we will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequacy decision, to guarantee a level of protection equivalent to that within the EU.

11. Security

We take the security of your personal data seriously. All data is encrypted at rest and in transit using industry-standard encryption protocols (TLS 1.2+). Two-factor authentication (2FA) is available for all accounts to provide an additional layer of security. We conduct regular security audits and vulnerability assessments of our infrastructure and application code. While no system can guarantee absolute security, we implement appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction.

12. Children

The Service is not intended for, nor directed at, individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will take prompt steps to delete such information. If you believe a child has provided us with personal data, please contact us at privacy@defensia.cloud.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you by email at the address associated with your account and update the "Last updated" date at the top of this page. We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

14. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: