Privacy Policy

Last updated: February 11, 2024

Introduction

TarPit.pro ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your information when you use our honeypot security service.

By using TarPit.pro, you agree to the collection and use of information in accordance with this policy.

Information We Collect

Account Information

When you create an account, we collect:

  • Email address (stored encrypted in HashiCorp Vault)
  • Password (hashed with bcrypt, never stored in plain text)
  • Company name (optional, stored encrypted)

Attack Data

When using paid tiers with cloud sync, we collect attack data from your agents:

  • Attacker IP addresses
  • Timestamps of attack attempts
  • Target ports and protocols
  • Attack payloads (encrypted at rest)
  • Captured credentials from brute-force attempts (encrypted)

Technical Data

We automatically collect:

  • Agent version and hostname
  • Server IP address (for geo-location)
  • Usage metrics (number of attacks, ports monitored)

How We Use Your Information

We use collected information to:

  • Provide and maintain the TarPit.pro service
  • Display attack data in your dashboard
  • Propagate bans across your agent fleet
  • Generate anonymized threat intelligence reports
  • Improve our honeypot detection algorithms
  • Send service-related notifications
  • Process payments (via Stripe)

Data Security

We take security seriously:

  • Encryption at Rest: All sensitive data is encrypted using HashiCorp Vault Transit encryption
  • Encryption in Transit: All communications use TLS 1.3
  • Minimal Database Storage: PostgreSQL only stores UUIDs and Vault references, not actual data
  • Password Security: Passwords are hashed with bcrypt (cost factor 12)
  • mTLS: Agent-to-receiver communication uses mutual TLS authentication

Data Retention

Attack data is retained based on your subscription tier:

TierRetention
Free24-hour retention (100 attacks max)
Starter30 days
Pro90 days

Account data is retained until you delete your account. You can request account deletion at any time via email.

Third-Party Services

We use the following third-party services:

  • Stripe: For payment processing. See Stripe's Privacy Policy
  • MaxMind GeoIP2: For IP geolocation. Only IP addresses are shared, no personal data

Your Rights

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and associated data
  • Export your attack data (Pro tier)
  • Opt out of marketing communications

To exercise these rights, contact us at privacy@tarpit.pro

Cookies

We use minimal cookies:

  • Session Cookie: Required for authentication
  • Preference Cookie: Remembers your dashboard settings

We do not use tracking cookies or third-party analytics.

Children's Privacy

TarPit.pro is not intended for use by children under 13. We do not knowingly collect personal information from children under 13.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

Contact Us

If you have any questions about this Privacy Policy, please contact us: