Privacy Policy

1. Controller

The controller within the meaning of Art. 4(7) GDPR is:

0xda7a consulting GmbH
Nunsdorfer Ring 15
12277 Berlin
Germany

Email: privacy@0xda7a.com
Telephone: +49 30 75435788

2. Overview of Data Processing

No Tracking

This website does not use cookies, analytics tools, tracking pixels, or any other form of user tracking. We do not use third-party services that collect personal data. No personal data is collected for advertising or profiling purposes.

Data We Process

The only personal data processed when you visit this website are server log files (see Section 4) and, if you choose to use it, data processed through the phishing demonstration tool (proxy) (see Section 5).

3. Legal Bases for Processing

We process personal data on the following legal bases under the GDPR:

  • Art. 6(1)(f) GDPR (legitimate interest): For server log files necessary for the operation and security of this website.
  • Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures): When you use the phishing demonstration tool (proxy).
  • Art. 6(1)(a) GDPR (consent): Only if you have explicitly given consent for a specific processing purpose. You may withdraw consent at any time with effect for the future.

4. Server Log Files

When you access this website, your browser automatically transmits certain technical data. Our web server stores the following data in log files:

  • IP address
  • Date and time of the request
  • Requested URL and HTTP method
  • HTTP status code and response size
  • Browser user-agent string
  • Referrer URL (if sent by your browser)

Purpose: Ensuring the stable operation, security, and availability of the website, and detecting and preventing abuse.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure and reliable provision of this website.

Retention period: Server log files are deleted after 14 days unless longer retention is required for the investigation of a specific security incident.

Recipients: Log data is not shared with third parties beyond the hosting provider (see Section 6).

5. Phishing Demonstration Tool (Proxy)

If you use the phishing demonstration tool (proxy) provided on this website, additional data is processed.

Data Processed

  • Your IP address is transmitted to the proxy server to establish the connection and is stored for the duration of the proxy session.
  • JA4 fingerprint - A hash derived from your browser's TLS handshake parameters. This is used to associate your proxy session with your browser. It does not identify you personally.
  • The target domain you enter to initiate the proxy demonstration.

Cookies

Technically Necessary Cookie

For the proxy tool to function, a single session cookie is used. This cookie is set each time a proxy test is started when visiting this-is-not-the-real-web.site and is valid for only 15 minutes. It is technically necessary so that users of the tool can be distinguished from one another and each user sees only their own proxied version of the tested website under this-is-not-the-real-web.site.

Cookies from Proxied Websites

The proxy tool forwards HTTP requests to the target website you specified. All cookies except the proxy session cookie that are set during a proxy session originate from the proxied (target) website, not from us. As part of the AitM demonstration, the proxy rewrites the domain on these cookies so that they are issued under the phishing demonstration domain instead of the original target domain. This is inherent to the AitM technique being demonstrated. The cookie contents themselves are not logged or persistently stored by us.

Session Duration

Proxy sessions are temporary and expire automatically after 5 minutes. After expiry, all session-related data (IP address, JA4 fingerprint, target domain) is deleted.

Purpose: Demonstrating adversary-in-the-middle (AitM) phishing techniques for security awareness and education.

Legal basis: Art. 6(1)(b) GDPR. The processing is necessary to provide the service you requested.

Recipients: During a proxy session, your requests are forwarded to the target website you specified. The target website operator receives the data as they would during a normal visit. No other third parties receive your data.

6. Hosting

This website is hosted on dedicated server infrastructure provided by Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany). Hetzner is a German hosting provider whose servers are located in Germany and Finland (within the EEA). We have concluded a data processing agreement (Auftragsverarbeitungsvertrag, AVV) with Hetzner in accordance with Art. 28 GDPR. Hetzner processes data solely on our behalf and under our instructions. For more information, see Hetzner's privacy policy.

7. Transfers to Third Countries

This website and all its infrastructure are hosted exclusively within Germany (see Section 6). We do not transfer your personal data to countries outside the European Economic Area (EEA) for our own purposes.

However, when you use the phishing demonstration tool (proxy) (see Section 5), you choose the target website yourself. If you enter a target domain whose servers are located outside the EEA, your requests - including your IP address and any data you submit - will be forwarded to that third-country server as part of the proxy demonstration. This transfer is initiated by you and is necessary to provide the service you requested (Art. 49(1)(b) GDPR). We have no control over the data processing practices of the target website operator. Before using the proxy tool with a non-EEA target, please be aware that the target website may be subject to different data protection standards.

8. Your Rights

Under the GDPR, you have the following rights with respect to your personal data:

  • Right of access (Art. 15 GDPR) - You may request confirmation of whether personal data concerning you is being processed and, if so, request access to that data and further information.
  • Right to rectification (Art. 16 GDPR) - You have the right to request the correction of inaccurate personal data concerning you.
  • Right to erasure (Art. 17 GDPR) - You have the right to request the deletion of your personal data, provided the legal requirements are met.
  • Right to restriction of processing (Art. 18 GDPR) - You have the right to request the restriction of processing of your personal data under certain conditions.
  • Right to data portability (Art. 20 GDPR) - You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to object (Art. 21 GDPR) - You have the right to object at any time to the processing of your personal data based on Art. 6(1)(f) GDPR (legitimate interest), for reasons arising from your particular situation. If you object, we will no longer process your data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

To exercise any of these rights, contact us at privacy@0xda7a.com.

9. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority pursuant to Art. 77 GDPR. The competent supervisory authority for our registered office is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin
Germany
https://www.datenschutz-berlin.de

10. No Automated Decision-Making

We do not use automated decision-making or profiling as defined in Art. 22 GDPR.

11. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in legal requirements or our data processing practices. The current version is always available at this URL.

Last updated: March 2026