Privacy Policy

1. Introduction

LockedX B.V. ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our anti-fraud sensor technologies and related services.

Company Details:

  • LockedX B.V.

  • Address: Herengracht 280, Amsterdam, 1016BX, Netherlands

  • Contact: hi@lockedx.com

  • KvK Number: 98029967

Important Notice: Our services are currently in an experimental beta stage. This means our data processing practices may evolve as we develop and improve our anti-fraud technologies.


2. Legal Basis and Regulatory Compliance

LockedX B.V. operates under strict compliance with Dutch and European Union data protection laws. Our processing activities are governed by:

Primary Legal Framework:

  • General Data Protection Regulation (GDPR) - EU Regulation 2016/679

  • Dutch Implementation Act (UAVG) - Uitvoeringswet Algemene Verordening Gegevensbescherming

  • ePrivacy Directive - EU Directive 2002/58/EC and Dutch Telecommunications Act

  • Dutch Civil Code (Burgerlijk Wetboek) - Articles on data processing and privacy

Legal Basis for Processing Under GDPR Article 6:

  • Legitimate Interest (Article 6(1)(f)): Fraud prevention and cybersecurity protection for our clients and their users, balanced against individual privacy rights through our privacy-by-design architecture

  • Consent (Article 6(1)(a)): Where explicitly provided by end users through client implementation

  • Contractual Necessity (Article 6(1)(b)): To fulfill our anti-fraud service obligations to client organizations

  • Legal Obligation (Article 6(1)(c)): Compliance with Dutch cybersecurity reporting requirements and EU fraud prevention regulations

Legitimate Interest Assessment: Under GDPR Article 6(1)(f) and Dutch UAVG implementation, we have conducted a comprehensive Legitimate Interest Assessment (LIA) demonstrating:

  • Compelling Legitimate Interest: Preventing financial fraud and protecting digital infrastructure

  • Necessity Test: Our stateless, real-time processing is the least intrusive method for effective fraud detection

  • Balancing Test: Privacy-by-design architecture minimizes data processing while maximizing protection

Special Categories Considerations: Our behavioral analysis does not process special categories of personal data under GDPR Article 9, as we specifically avoid biometric identification and focus solely on device and interaction patterns.

3. Information We Collect

3.1 Client-Side Sensor Data

Our behavioral anti-bot sensor collects the following data types:

Behavioral Signals:

  • Mouse movements, clicks, focus events, scroll patterns

  • Keyboard events and input patterns

  • Touch interactions and hover events on mobile devices

  • Input change counts and form interaction patterns

Device Fingerprinting (all hashed for privacy):

  • WebGL capabilities and renderer information

  • Canvas fingerprinting data

  • Audio context fingerprinting

  • Font availability and rendering characteristics

  • Screen geometry, color depth, and pixel ratio

  • Fuzzy Device DNA: 64-character fingerprint for device similarity matching

  • Hardware concurrency and timezone information

Technical Performance Data:

  • Advanced Proof-of-Work Analysis: Multi-scale timing measurements, hash rates per second, memory behavior patterns

  • JavaScript execution performance and timing consistency

  • WebRTC IP address information (processed in real-time only)

  • Web Worker fingerprinting capabilities

  • Browser performance metrics and execution patterns

Network and Security Context:

  • TLS fingerprints (JA3/JA4) for connection analysis

  • Header order patterns for client identification

  • Connection metadata for fraud pattern detection

Integrity Monitoring:

  • Anti-tampering detection flags and scores

  • Native modification detection

  • Browser development tools detection

  • Headless browser detection signals

3.2 Client Information

From our business clients, we collect:

  • Company contact information

  • Technical integration details

  • Usage analytics and performance metrics

3.3 Data We Do NOT Collect

  • Personal identification information (names, addresses, phone numbers)

  • Financial account details or payment information

  • Content of communications or form inputs

  • Passwords or authentication credentials

  • Raw fingerprinting data (only hashed/processed versions)

  • Persistent tracking across websites or sessions

  • Long-term behavioral profiles or user histories

4. How We Use Information

We use collected data exclusively for real-time fraud and bot detection:

  • Real-Time Risk Assessment: Analyze behavioral patterns to identify automated or malicious behavior

  • Device Similarity Matching: Use fuzzy fingerprints to detect device-based fraud patterns

  • Performance Analysis: Advanced proof-of-work timing analysis to distinguish human from automated behavior

  • Integrity Verification: Detect tampering attempts or modified browser environments

  • Service Optimization: Improve detection algorithms and reduce false positives

  • Client Reporting: Provide aggregated fraud analytics and detection insights

  • Security Research: Enhance our understanding of emerging bot and fraud techniques

Data Processing Principles:

  • All processing occurs in real-time with minimal data retention

  • Raw sensor data is not stored long-term

  • Only aggregated, anonymized insights are retained for service improvement

5. Data Sharing and Disclosure

5.1 With Clients

We share fraud risk assessments and relevant analytics with the client organizations that implement our services.

5.2 Service Providers

We may share data with trusted third-party service providers who assist with:

  • Edge Infrastructure: Cloudflare (operating exclusively within EU data centers with geo-fenced TLS keys)

  • Object Storage: EU-based R2 storage for insights logs and aggregated analytics

  • Performance Monitoring: EU-based infrastructure monitoring and optimization services

  • Security Analysis: EU-based fraud research and algorithm improvement services

  • Legal and compliance support within the EU

All service providers are contractually bound to process data only within EU borders and maintain GDPR compliance.

5.3 Legal Requirements

We may disclose data when required by law or to:

  • Respond to legal processes or government requests

  • Protect our rights, property, or safety

  • Prevent fraud or other illegal activities

5.4 Business Transfers

In case of merger, acquisition, or sale of assets, your data may be transferred as part of the transaction.

6. Data Retention

Stateless Architecture with Structured Insights: Our system processes data in real-time while maintaining detailed analytics:

Real-Time Processing:

  • Session Data: No persistent storage on user devices - completely stateless operation

  • Proof-of-Work Verification: Computed and verified in real-time, then immediately discarded

  • Challenge-Response: Temporary server state with 120-second automatic expiry

  • Tokens: 120-second lifetime, single-use, automatically purged after validation

Structured Data Retention:

  • Request Logs: Individual fraud assessments stored for up to 30 days in EU-based object storage

  • Aggregated Statistics: Rolling performance metrics retained for up to 12 months (anonymized)

  • Performance Analytics: PoW timing patterns and behavioral insights for algorithm improvement

  • Security Insights: Fraud detection effectiveness data for service optimization

Client Configuration:

  • API Key Metadata: Client-specific settings (difficulty levels, custom rules) retained for service duration

  • Client Analytics: Aggregated fraud prevention statistics provided to customers

Data Structure:

  • Raw sensor data is never stored - only processed insights and fraud scores

  • All retention follows data minimization principles with automatic expiry

  • Logs are organized by client and date for efficient access and deletion

Beta Considerations: During our experimental phase, we may adjust retention periods to optimize our algorithms while maintaining privacy principles.

7. Data Processing Location and Infrastructure

EU-Only Processing: All personal data is processed exclusively within European Union borders. We use geo-fencing technology with region-specific TLS keys to ensure data never leaves EU jurisdiction.

Infrastructure Partners:

  • Cloudflare: We utilize Cloudflare's edge infrastructure for content delivery and security, configured to operate only within EU data centers

  • Geographic Restrictions: Our technical architecture prevents data from being processed or stored outside the EU through automated geo-fencing controls

This approach eliminates the need for international data transfer mechanisms as no personal data crosses EU borders.

8. Data Security

We implement comprehensive technical and organizational security measures:

Architecture Security:

  • Geo-Fenced Processing: TLS keys and infrastructure configured to ensure EU-only data processing

  • Stateless Design: No persistent client-side storage eliminates data exposure risks

  • Real-Time Verification: Challenge-response system with automatic expiry (120 seconds)

  • Token Security: Single-use tokens with cryptographic verification and automatic purging

Data Protection:

  • Encryption of data in transit and at rest using industry-standard protocols

  • Advanced access controls and API key authentication systems

  • Edge Security: Cloudflare's security features configured for EU-only operations

  • Integrity Verification: Multi-layer validation of sensor data and client authenticity

Operational Security:

  • Comprehensive logging and monitoring with automatic anomaly detection

  • Background Processing: Sensitive operations isolated from response paths for performance and security

  • Regular security assessments and penetration testing

  • Staff training on data protection principles and incident response procedures

  • Dynamic Obfuscation: Client-side protection that evolves multiple times daily

Monitoring and Response:

  • Real-time fraud detection with immediate alerting capabilities

  • Structured insights system for security pattern analysis

  • Incident response procedures with defined escalation paths

  • Beta Security: Enhanced monitoring during experimental phase with continuous security validation

9. Your Rights Under GDPR and Dutch Law

As a data subject, you have comprehensive rights under GDPR and Dutch data protection law:

Core GDPR Rights:

  • Right of Access (Article 15): Request information about your personal data we process

  • Right to Rectification (Article 16): Correct inaccurate personal data

  • Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten")

  • Right to Restriction (Article 18): Limit how we process your personal data

  • Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format

  • Right to Object (Article 21): Object to processing based on legitimate interests

  • Right to Withdraw Consent (Article 7(3)): Where processing is based on consent

Additional Rights Under Dutch Law:

  • Right to Compensation: Under Dutch Civil Code for damages caused by unlawful data processing

  • Right to Lodge Complaints: With the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)

Exercise of Rights: To exercise these rights, contact us at privacy@lockedx.com. We will:

  • Respond within 30 days as required by GDPR Article 12(3)

  • Provide information free of charge for the first request

  • Verify your identity before processing requests to protect your data

  • Inform you of any extensions (up to 60 additional days for complex requests)

Limitations on Rights: Some rights may be limited where processing is necessary for:

  • Compliance with legal obligations (GDPR Article 17(3)(b))

  • Fraud prevention and cybersecurity (GDPR Article 21(1) legitimate interests)

  • Our stateless architecture may technically limit certain data portability requests as we do not maintain long-term individual profiles

10. Technical Implementation

Our privacy-first technical architecture ensures minimal data exposure:

Stateless Token System: We use completely stateless tokens that:

  • Contain no personally identifiable information

  • Are not stored on user devices (no localStorage, cookies, or persistent storage)

  • Are generated fresh for each fraud assessment request

  • Automatically expire immediately after processing (10-second lifetime)

  • Cannot be used to track users across sessions, pages, or websites
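The single-use, short-lived, cryptographically verified token described in sections 6, 8 and 10 can be illustrated with the following added example. It is not LockedX's code and assumes nothing about their actual token format: it issues an HMAC-SHA256-signed token carrying only a random nonce and timestamps (no personal data), rejects the token once it has been consumed, and drops the temporary server-side record as soon as the token would be expired anyway. The lifetime is a parameter (the policy quotes 120 seconds in sections 6 and 8); the `TokenService` class, the JSON token layout and the test key are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Tuple


def _b64e(raw: bytes) -> bytes:
    # URL-safe base64 without padding, so the token fits in headers and query strings
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    # Restore the padding stripped by _b64e before decoding
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


class TokenService:
    """Issues and verifies stateless, single-use assessment tokens (assumed design).

    The token carries only a random nonce and timestamps: nothing that could link
    two assessments to the same person. The only server-side state is the set of
    nonces already consumed, and each entry is dropped once its token has expired.
    """

    def __init__(self, key: bytes, ttl_seconds: int = 120,
                 clock: Callable[[], float] = time.time) -> None:
        self._key = key                  # HMAC key (a constructed value in the demo)
        self._ttl = ttl_seconds          # token lifetime in seconds
        self._clock = clock              # injectable clock so expiry can be tested
        self._used: Dict[str, int] = {}  # nonce -> expiry: temporary server state

    def issue(self) -> str:
        now = int(self._clock())
        payload = {"nonce": secrets.token_hex(16), "iat": now, "exp": now + self._ttl}
        body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return (body + b"." + _b64e(sig)).decode()

    def _purge(self, now: int) -> None:
        # Automatic expiry of the temporary state: a token past "exp" can never
        # verify again, so its nonce no longer needs to be remembered.
        for nonce in [n for n, exp in self._used.items() if exp <= now]:
            del self._used[nonce]

    def verify(self, token: str) -> Tuple[bool, str]:
        now = int(self._clock())
        self._purge(now)
        try:
            body_s, sig_s = token.split(".")
            body, sig = body_s.encode(), _b64d(sig_s.encode())
        except ValueError:  # wrong number of parts or invalid base64
            return False, "malformed"
        # Check the signature before trusting anything inside the body.
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad-signature"
        payload = json.loads(_b64d(body))
        if payload["exp"] <= now:
            return False, "expired"
        if payload["nonce"] in self._used:
            return False, "replayed"
        self._used[payload["nonce"]] = payload["exp"]  # consume: single use
        return True, "ok"

    def pending(self) -> int:
        # Number of consumed-but-unexpired nonces currently held server-side
        return len(self._used)


if __name__ == "__main__":
    svc = TokenService(b"constructed-demo-key-not-a-real-secret")
    tok = svc.issue()
    print(svc.verify(tok))  # (True, 'ok')
    print(svc.verify(tok))  # (False, 'replayed')
```

The signature is checked before the body is parsed, so a tampered payload is rejected without being trusted, and the replay set only grows for the token lifetime, which is what keeps the server side "stateless" in practice: there is nothing to retain about a request once its token has expired.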

Real-Time Processing Architecture:

  • Behavioral data processed instantly without device persistence

  • Advanced proof-of-work analysis computed in real-time

  • Fuzzy device fingerprints generated on-demand for similarity matching

  • All processing occurs server-side within EU infrastructure

No Cross-Session Tracking: Each fraud assessment is completely independent with no tracking continuity between requests.

Dynamic Obfuscation: Our client-side sensor uses advanced polymorphic obfuscation that changes multiple times daily to prevent reverse engineering and maintain detection effectiveness.

11. Third-Party Services

Our services may integrate with third-party platforms and services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

12. Children's Privacy

Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware of such collection, we will take steps to delete the information.

13. Data Breach Response and Legal Obligations

Regulatory Compliance Framework: We maintain strict compliance with Dutch and EU breach notification requirements:

Dutch Data Protection Authority Reporting:

  • 72-hour notification to Autoriteit Persoonsgegevens under GDPR Article 33

  • Breach assessment following Dutch UAVG implementation guidelines

  • Risk evaluation using Dutch DPA methodology for determining notification thresholds

Individual Notification Requirements: Under GDPR Article 34 and Dutch implementation:

  • High-risk breaches: Direct notification to affected individuals within 72 hours

  • Clear communication in Dutch or English as appropriate

  • Mitigation measures and protective steps clearly explained

Legal Documentation:

  • Breach register maintained per GDPR Article 33(5) and Dutch UAVG requirements

  • Impact assessments following Dutch DPA guidelines

  • Remediation tracking with timeline documentation

Incident Response Protocol:

  1. Immediate containment (within 1 hour of detection)

  2. Risk assessment using Dutch DPA risk matrix (within 6 hours)

  3. Authority notification to AP if required (within 72 hours)

  4. Individual notification if high risk confirmed (within 72 hours)

  5. Post-incident review and Dutch UAVG compliance validation

14. Changes to This Privacy Policy

Legal Change Management: We may update this Privacy Policy periodically, especially during our beta phase as our services evolve, while maintaining compliance with:

Dutch and EU Requirements:

  • GDPR Article 12: Transparent information and modalities

  • Dutch UAVG: Implementation-specific notification requirements

  • ePrivacy Directive: Cookie and tracking technology disclosures

Change Process:

  • Advance notification: 30 days' notice for material changes affecting legal basis

  • Client notification: Direct communication for B2B contract modifications

  • Website publication: Updated policy posted with version control

  • Version tracking: Clear "Last updated" date with change log available upon request

  • Legal review: Each update reviewed for Dutch and EU compliance

Material Changes Definition: Under Dutch law and GDPR, material changes include:

  • Modifications to legal basis for processing

  • Changes to data retention periods

  • New data sharing arrangements

  • Modified rights or complaint procedures

Beta Considerations: During the experimental phase, we may need to adjust practices more frequently, but will:

  • Maintain higher notification standards during beta

  • Provide detailed explanations of technical changes

  • Ensure all changes strengthen rather than weaken privacy protections

15. Contact Information and Supervisory Authority

General Privacy Inquiries:

  • Email: privacy@lockedx.com

  • Address: LockedX B.V., Herengracht 280, Amsterdam, 1016BX, Netherlands

  • Dutch Registration: KvK Number: 98029967

Legal Compliance Contacts:

  • GDPR Compliance: gdpr@lockedx.com

  • Dutch UAVG Matters: uavg@lockedx.com

  • Data Subject Rights: data-rights@lockedx.com

Supervisory Authority - Autoriteit Persoonsgegevens (Dutch DPA): Under GDPR Article 77 and Dutch UAVG, you have the right to lodge a complaint with:

Autoriteit Persoonsgegevens:

  • Website: autoriteitpersoonsgegevens.nl

  • Phone: +31 70 888 8500

  • Address: Bezuidenhoutseweg 30, 2594 AV Den Haag, Netherlands

  • Email: info@autoriteitpersoonsgegevens.nl

European Data Protection Board: For cross-border data protection matters:

  • Website: edpb.europa.eu

  • Role: Coordination between EU data protection authorities

Legal Framework References:

  • GDPR: eur-lex.europa.eu/eli/reg/2016/679

  • Dutch UAVG: wetten.overheid.nl (Uitvoeringswet Algemene Verordening Gegevensbescherming)

  • ePrivacy Directive: eur-lex.europa.eu/eli/dir/2002/58

16. Legal Framework Compliance Summary

Dutch Law Compliance:

  • Wet bescherming persoonsgegevens (UAVG) - Full implementation of GDPR in Dutch law

  • Telecommunicatiewet - ePrivacy compliance for electronic communications

  • Burgerlijk Wetboek - Civil law protections for privacy and data subjects

  • Wet computercriminaliteit - Cybercrime prevention legal framework

EU Regulatory Compliance:

  • GDPR (EU 2016/679) - Primary data protection regulation

  • ePrivacy Directive (2002/58/EC) - Electronic communications privacy

  • NIS Directive (EU 2016/1148) - Network and information systems security

  • EU Cybersecurity Act (EU 2019/881) - Framework for cybersecurity certification

Industry Standards:

  • ISO 27001 - Information security management (implementation in progress)

  • NIST Cybersecurity Framework - Risk management and security controls

  • OWASP - Web application security best practices

Professional Obligations: As a Dutch B.V. providing cybersecurity services, we maintain:

  • Professional liability insurance for data protection services

  • Incident reporting to Dutch authorities as required

  • Continuous monitoring of Dutch DPA guidance and EU data protection developments

  • Legal counsel specializing in Dutch privacy law and EU data protection

17. Beta Service Disclaimer and Legal Considerations

Important Legal Notice: Our services are currently in an experimental beta phase under Dutch and EU regulatory oversight.

Beta Legal Framework:

  • GDPR Article 25: Privacy-by-design implementation during development

  • Dutch UAVG: Beta testing with enhanced privacy protections

  • Innovation Sandbox: Operating under Dutch digital innovation guidelines

Beta-Specific Protections:

  • Enhanced consent mechanisms for experimental features

  • Stricter data minimization during testing phase

  • Accelerated deletion of test data upon beta completion

  • Continuous legal review of all processing activities

  • Regular compliance audits with Dutch DPA consultation available

Service Evolution Notice: This means our data processing practices may change as we develop our technology, but:

  • All changes will maintain GDPR Article 25 privacy-by-design principles

  • Dutch UAVG notification requirements will be strictly followed

  • New features will undergo Data Protection Impact Assessment (DPIA) before implementation

  • We may discontinue certain data processing activities with 30-day advance notice

  • Performance and availability are not guaranteed during experimental phase

Legal Protections During Beta:

  • Liability limitations under Dutch contract law for experimental services

  • Enhanced data subject rights during testing phase

  • Priority support for privacy-related inquiries

  • Continuous compliance monitoring with regular legal review

This privacy policy is designed to comply with Dutch and EU data protection laws including GDPR, Dutch UAVG, ePrivacy Directive, and relevant Dutch civil and commercial law. This document has been prepared with reference to guidance from the Autoriteit Persoonsgegevens and the European Data Protection Board. Please consult with legal counsel to ensure it meets your specific business requirements and circumstances.