This notice describes how Endolum GmbH processes personal and technical data inside the Hacked canary tracking product. It complies with the Swiss Federal Act on Data Protection (revFADP) and, where applicable, the EU General Data Protection Regulation (GDPR). The marketing website at endolum.io publishes a separate site privacy policy that covers tracking and contact forms on the public pages.
Endolum GmbH, Oberdorfstrasse 8, 8853 Lachen SZ, Switzerland. Commercial register UID CHE-297.991.738. Contact: contact@endolum.io.
Hacked has two distinct sets of data subjects, and the controller role differs for each.
For the workspace owner and the workspace members, Endolum is the controller of the account data needed to operate the product. This is the user who creates the canary, the recipients who receive alerts, and the team members invited into the workspace.
For the data captured when a canary is triggered, the workspace operator is the controller and Endolum is the processor. The workspace operator decides where the canary is placed, who is intended to see it, and how the resulting alert is used. Endolum executes the technical capture and enrichment on behalf of the operator under these terms and the order confirmation that accompanies the subscription.
The Endolum Identity Service stores the email address, display name, organisation or workspace membership, multi factor authentication state, and permission claims required for the product to function. Within the Hacked database, workspace level records cover the canary inventory, the list of recipients (email addresses and webhook URLs), and the operator audit log.
Canaries are generated assets such as Word documents, Excel workbooks, PDF files, SVG images, tracking pixels, URL shortcuts, QR codes, redirect links, and cloned login pages. For canaries generated from a template the workspace operator chooses a label and optional filename. For Word documents the operator may upload their own .docx file, which is stored to inject tracking and to allow re-download. Operators must not upload content that they are not authorised to use or that contains personal data of third parties.
When a canary is triggered, Hacked records the timestamp, the source IP address, the user agent string, and the canary identifier. For Business workspaces the IP is enriched with country and city derived from a geolocation database, the ASN and the network operator name, and a signal indicating whether the address belongs to a known VPN or proxy range. The user agent is parsed into operating system and browser name. The cloned login page canary type additionally records the submitted username and the length of the submitted password. The submitted password itself is never stored, transmitted, or logged.
When a trigger event is created, Hacked sends an alert to the configured recipients. Email alerts are dispatched through the central Endolum email service. Webhook alerts post the trigger record over HTTPS to the URL the operator configures (Slack, Microsoft Teams, or any generic endpoint). Endolum does not control what the recipient platform does with the alert content after delivery.
Subscription billing is operated through Stripe Payments Europe Limited. Endolum receives the customer record, subscription state, and invoice metadata. Card numbers, expiry dates, and CVV values are never received or stored by Endolum.
The backend records request URLs, IP addresses, user agents, and timestamps in line with normal operational logging. Logs are kept for up to 30 days and are used to diagnose errors, monitor for abuse, and protect the service against automated attack.
| Purpose | Legal basis |
|---|---|
| Generating and serving canary assets, recording trigger events, and dispatching alerts on behalf of the workspace operator | Performance of a contract |
| Capturing trigger event data about persons who interact with a canary | Legitimate interest of the workspace operator in detecting unauthorised access to their systems and assets, balanced against the rights of the data subject (see section 5) |
| Account management, authentication, and multi factor authentication | Performance of a contract |
| Subscription billing and statutory invoicing | Performance of a contract and legal obligation |
| Operational logging, abuse prevention, and platform security | Legitimate interest in keeping the service available and free from abuse |
| Statutory retention of accounting and invoicing data | Legal obligation |
Canary tracking captures data about individuals who interact with a tracked asset. The workspace operator is responsible for placing canaries only inside systems and contexts where this kind of monitoring is lawful and proportionate. In particular:
Endolum supports operators in fulfilling these obligations by providing export and deletion tools, signed data processing addendum on request, and documentation of how the technical capture works.
Hacked relies on the sub processors listed below to deliver the service. The full, up to date list of Endolum sub processors across all products is published at endolum.io/sub-processors.
| Sub processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting of the Hacked backend, databases, and Identity Service on a Kubernetes cluster | Falkenstein, Germany (EU) |
| Stripe Payments Europe Limited | Subscription billing, invoice generation, payment processing | Dublin, Ireland (EU), with processing in the United States |
| ip-api.com (linked in operations) | IP to geolocation and ASN lookup for trigger event enrichment | European Union |
Hacked does not send canary content or trigger event data to any AI service.
Hacked runs on infrastructure in Germany within the EU/EEA. The transfer of billing data to Stripe relies on Stripe's certification under the EU-US Data Privacy Framework and on Standard Contractual Clauses for residual transfers. Trigger event data is processed entirely within the EU. Where any other sub processor processes data outside Switzerland or the EEA, we rely on an adequacy decision, Standard Contractual Clauses, or your explicit consent for the specific transfer.
Data in transit is protected by TLS. Databases are encrypted at the storage layer. Authentication uses RS256 signed tokens issued by the Endolum Identity Service. Multi factor authentication is available and recommended. API access for Business workspaces uses keys with an eh_ prefix that can be rotated or revoked at any time. The cloned login page canary does not store submitted passwords. Account deletion triggers a cascade that removes canaries, trigger events, recipients, and audit history across the platform.
If you are a workspace owner, member, or alert recipient, your account data is held by Endolum and you can exercise the rights listed below directly against Endolum.
If your personal data appears in a trigger event because you interacted with a canary placed by an Endolum customer, the customer is the controller of that record. Endolum can identify the responsible workspace and forward your request, but the decision on access or erasure rests with the workspace operator unless the request relates to a manifest error in the technical capture.
Under the revFADP and, where it applies, the GDPR, the rights you may exercise are:
Write to contact@endolum.io to exercise any of these rights. We respond within 30 days.
If you believe your data protection rights have been violated, you may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland. If the GDPR applies to your situation, you may also lodge a complaint with a supervisory authority in the EU or EEA.
We may update this notice from time to time. The version date is shown at the top of the page. Material changes are reflected in the date and the changed sections, and where the change affects existing customers we provide reasonable advance notice.
For privacy related questions about Hacked, write to contact@endolum.io or to Endolum GmbH, Oberdorfstrasse 8, 8853 Lachen SZ, Switzerland.