Privacy Policy
Last updated · 30 May 2026
HACKASTRA INFOSEC L.L.C-FZ ("Hackastra", "we", "our", "us") operates a discreet cyber incident response practice from the United Arab Emirates. This Privacy Policy explains what information we collect when you visit hackastra.com or use our incident response channel, why we collect it, how it is stored, who it is shared with, how long it is kept, and the rights you have over it.
1. What we collect
- Alias and optional contact email — provided by you when you open a channel. Pseudonyms are encouraged.
- Channel messages — text you send to a responder, and replies sent to you.
- Engagement information — for paid engagements, the business, contact, and incident details necessary to perform the work, plus invoicing details.
- Minimal technical metadata — request timestamps and IP-level rate-limit identifiers used solely to keep the service available. No third-party analytics on the public site.
- Operator session data — for our internal team, an authentication cookie used to access the operator console.
2. What we do not collect
No identity verification. No mandatory KYC for triage. No advertising cookies. No third-party profilers, fingerprinters, or trackers. No social-share pixels.
3. Why we collect it
- To triage your incident and respond in real time.
- To allow you to reconnect to an existing channel from the same browser.
- To alert an off-duty responder by email when the operator console is unattended.
- To perform paid engagements, invoice them, and meet UAE record-keeping obligations.
4. How it is stored
Channel content is stored in an access-restricted managed database. Traffic is encrypted in transit using HTTPS / TLS. Backups, where used, are encrypted at rest. Operator credentials are stored as one-way bcrypt hashes; sessions use short-lived signed tokens. Engagement files (where exchanged separately) are stored on access-controlled storage and shared with the client at the conclusion of the engagement.
5. Who we share data with
Nothing leaves the channel without your explicit consent. We do not sell, rent, share, or syndicate your data. We will not voluntarily disclose your conversation, identity, or the existence of the engagement to regulators, insurers, law enforcement, or media. We may engage a small number of vetted infrastructure vendors (such as our email and hosting providers) strictly to deliver the service; those vendors are bound by written confidentiality terms. We may disclose data where compelled by a valid order of a competent UAE court or authority; where lawfully permitted, we will notify you before doing so.
6. Data retention
Channel transcripts are retained while the channel is active. By default, a redacted summary may be retained for one engagement cycle to make a follow-up faster. Paid engagement records (scope, invoices, deliverables) are retained for the period required by UAE law. On written request to legal@hackastra.com we will purge non-statutory data associated with your account within thirty (30) days.
7. International transfers
Our infrastructure may process data outside the UAE Free Zone in which Hackastra is registered. Where this occurs, we rely on legal mechanisms permitted by UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "PDPL") and equivalent obligations under applicable laws.
8. Cookies & local storage
- access_token / refresh_token — httpOnly, Secure cookies set only for authenticated operators. Not used for visitors.
- hackastra_chat_session_v1 — a single entry in your browser's localStorage holding the channel ID and an opaque per-channel token. This lets you return to your conversation. You can clear it at any time from your browser settings.
9. Your rights
Under the UAE PDPL and other applicable laws (including the GDPR where it applies to you), you may request access to, correction of, restriction of processing of, or deletion of your personal data, and withdraw any consent you have given. To exercise these rights, email legal@hackastra.com from the address you used to open the channel — or from any address, citing the channel ID — and we will respond within thirty (30) days.
10. Security
We restrict operator access to a small number of named individuals and review that list periodically. No system is perfectly secure; we encourage you not to share credentials, secrets, or live personally identifiable information in the channel itself. If we become aware of a personal-data breach materially affecting you, we will notify you and the competent UAE authority in line with our legal obligations.
11. Children
The service is not intended for use by anyone under the age of eighteen (18).
12. Changes
We may update this Privacy Policy from time to time. Material changes will be flagged on this page with a revised effective date.
13. Contact
Data controller: HACKASTRA INFOSEC L.L.C-FZ, UAE Free Zone. Email: legal@hackastra.com.