Privacy Policy
Last updated: 2026-04-13
1. Who we are
redteams.ai (“the Site”) is operated by redteams.ai (Sole Operator) (the “Controller”), an individual sole operator based in the European Union. Postal address: available on request via contact@redteams.ai. Contact: contact@redteams.ai.
2. What data we process and why
We process the minimum data needed to run the Site:
- Newsletter email address — only if you voluntarily subscribe via the form. Purpose: sending the newsletter. Legal basis: your consent (Art. 6(1)(a) GDPR), recorded as a double opt-in (you confirm via a link emailed to you).
- IP address and user agent — captured transiently for abuse prevention (rate-limiting) and security logging. Legal basis: our legitimate interest in keeping the Site available (Art. 6(1)(f) GDPR). Rate-limit entries are held in memory for ~60 seconds. Nginx access logs are rotated daily and retained for 14 days; the final octet of IPv4 addresses is anonymized before writing.
- Analytics events (via Plausible Analytics) — we use Plausible (Raisonance SAS, Paris, France), a cookieless and privacy-friendly analytics service that does not set cookies or track individuals across sites. Data collected: URL visited, referrer, browser language, device type. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) — the processing is anonymous at the source.
- Comments (via Giscus / GitHub) — the comments widget on article pages is loaded only once you scroll to it. When loaded it connects to giscus.app and GitHub.com. If you post a comment, GitHub (as a separate controller) processes your GitHub identity under GitHub’s own privacy policy. We do not receive your GitHub credentials.
- Newsletter JSON file — the Site records {email, subscribedAt, consentIp, consentUserAgent, confirmedAt, unsubscribeToken} as proof of consent. The IP and user-agent are stored solely to evidence the lawful basis and are not used for any other purpose.
3. Cookies and similar technologies
The Site itself sets no first-party cookies. Plausible is cookieless. Giscus loads only on user interaction and may cause GitHub to set its own cookies in your browser at that point; see our separate cookie notice for details.
3a. Advertising (Google AdSense)
When enabled, this Site may display advertisements served by Google AdSense. Google, as a third-party vendor, uses cookies (including the DoubleClick DART cookie) to serve ads based on a user’s prior visits to this Site or other sites on the internet. Google’s use of advertising cookies enables it and its partners to serve ads to users based on their visits to this Site and/or other sites on the Internet. You may opt out of personalized advertising by visiting Google Ads Settings. For information on how Google uses data, see Google’s partner-site policy. Legal basis: your consent where required (Art. 6(1)(a) GDPR).
4. Recipients and third-party processors
- Plausible Analytics — Raisonance SAS, 149 Rue Saint-Honoré, 75001 Paris, France. DPA available at plausible.io/dpa. No transfer outside the EU.
- GitHub Inc. (for Giscus) — San Francisco, CA, USA. Transfer basis: EU–US Data Privacy Framework (GitHub is self-certified) and Standard Contractual Clauses. Only engaged after you click or scroll to the comments section.
- Vultr Holdings LLC — hosting provider for the underlying VPS. The Site is served from the Frankfurt region (EU). Where data transits outside the EU, it is covered by Vultr’s SCCs.
5. Retention
- Newsletter records: kept until you unsubscribe, then anonymized/deleted within 30 days.
- Unconfirmed newsletter records: deleted after 14 days.
- Nginx access logs: 14 days, with the IP final octet anonymized.
- In-memory rate-limit entries: ~60 seconds.
- Analytics (Plausible): per Plausible’s retention policy (no personal data).
6. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict processing of, port, and object to the processing of your personal data, and to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, email contact@redteams.ai from the address associated with your record (or include enough information for us to verify your identity). We will respond within one month (Art. 12(3) GDPR).
You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights have been infringed.
7. Automated decision-making
We do not carry out automated decision-making or profiling.
8. Security
The Site is served exclusively over HTTPS (HSTS enforced), with a strict Content Security Policy, standard security headers, and bot/abuse filtering. Secrets are kept out of the repository. Newsletter writes are serialized behind a mutex.
9. Changes to this policy
We may update this policy from time to time. Material changes will be announced on the Site. The date at the top reflects the last revision.