1. Overview
This Privacy Policy explains how NetzSec (Selda Karakus, Köln, Germany) collects, uses, and protects personal data when you visit our websites, use the dashboard, or purchase ZeroTrace hardware and firmware. ZeroTrace is a NetzSec product line, and this policy applies across NetzSec and its products.
Controller within the meaning of Art. 4 No. 7 GDPR is Selda Karakus, trading as NetzSec, Alte Brühler Straße 127, 50997 Köln, Germany, contact@netzsec.com.
The use of cookies and similar technologies on our website is described separately in our Cookies Policy.
2. Who This Applies To
- Visitors browsing netzsec.com, zerotrace.one, or zerotrace.pw subdomains
- Dashboard users with an account on our authenticated services
- Customers purchasing hardware, firmware, or licenses
- App users pairing with and controlling ZeroTrace hardware from the mobile app
- Support contacts communicating with us by email
3. Children
NetzSec is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us so we can remove it.
4. Data We Collect
- Account data: email, username, hashed password, two-factor secret (if enabled), session tokens
- Order data: billing/shipping address, order history, invoice numbers
- Payment data: processed by Stripe; we only receive a payment confirmation, never card details
- Device & licensing data: device type and status, license keys, and a hardware fingerprint (HWID) used by our licensed desktop tools (e.g. OSINT, Proxy) to bind a licence to one machine. The HWID is a hash derived from your machine's motherboard, CPU, and disk serial numbers and its machine identifier — only the hash is transmitted; the raw serials never leave your device, and the binding is stored against your licence.
- Community content: scripts, themes, messages, ratings, and reactions you create, stored with the visibility (private, unlisted, or public) you choose.
- Certification data: your exam questions, answers, score, and pass/fail result, plus exam-integrity events recorded during a proctored attempt (for example switching tabs, leaving fullscreen, opening developer tools, blocked copy/paste, or auto-submission).
- AirLeak wardrive data (only if you upload it): when you upload a wardrive to your account — via the dashboard or the app's optional cloud sync — we store the discovered wireless networks (BSSID/MAC address, network name (SSID), encryption, channel), the GPS coordinates of each network's strongest sighting, your route track, and the device model. These are identifiers of nearby third-party wireless devices; see the AirLeak section below.
- Moderation data: infractions, warnings, and cooldowns applied to your account for abuse prevention.
- Support data: messages, attachments, and logs you choose to share
- Technical data: IP address, user agent, timestamps, abuse-detection signals, rate-limit logs
5. Legal Bases (Art. 6 GDPR)
- Art. 6(1)(b), performance of a contract (orders, accounts, licensing)
- Art. 6(1)(c), legal obligations (tax law, packaging law, etc.)
- Art. 6(1)(f), legitimate interests (security, fraud prevention, abuse detection)
- Art. 6(1)(a), consent (cookies and similar, where required)
6. How We Use Your Data
- Operate the dashboard, licensing, and delivery functionality
- Process orders, issue invoices, and prevent fraud
- Handle customer support and warranty claims
- Secure the Service (logging, rate-limiting, abuse monitoring)
- Comply with German tax, commercial, and packaging-law obligations
7. Processors & Third Parties
We use the following processors under Art. 28 GDPR contracts:
- Stripe Payments Europe Ltd (Dublin, Ireland; further sub-processing by Stripe, Inc. in the United States), payment processing. Transfer to the US is covered by the EU-US Data Privacy Framework certification and Stripe's Standard Contractual Clauses.
- DHL Paket GmbH (Bonn, Germany), physical shipment. The recipient name, shipping address, email, and phone number, plus the customs description and value, are shared so the parcel can be delivered and cleared.
- Discord (Discord Netherlands B.V., with onward processing by Discord Inc., USA), internal operational and support notifications. New-order details (including customer email, order ID, and cart contents), support-ticket messages, device-activation events, withdrawal notices, and error reports are sent to a private staff channel via webhook so we can fulfil orders and provide support. This is not a public channel and is used only for running the business (Art. 6(1)(b) and (f) GDPR).
- Hosting / infrastructure providers (located primarily within the EU/EEA), operation of the dashboard, backend, and licence services.
- Vercel Inc. (San Francisco, USA), content delivery and hosting of the website and, only if you opt in via the cookie banner, privacy-friendly product analytics (Vercel Web Analytics). Vercel Web Analytics is cookieless, measures aggregate page views, and does not build cross-site profiles or sell data. Vercel is certified under the EU-US Data Privacy Framework and we additionally rely on Standard Contractual Clauses (Art. 46 GDPR). If you decline analytics, no analytics script is loaded at all.
We do not sell personal data and do not transfer data to third parties for advertising.
8. International Transfers
Where data is processed outside the EU/EEA — primarily by Stripe for card-payment processing, Vercel for content delivery and optional analytics, and Discord for internal notifications — we rely on a combination of: (i) the EU-US Data Privacy Framework adequacy decision where applicable, (ii) Standard Contractual Clauses under Art. 46(2)(c) GDPR, and (iii) additional safeguards as required by case law (Schrems II). Copies of the SCCs may be requested at contact@netzsec.com.
9. Data Security
- Encryption in transit (TLS) on all endpoints
- Password hashing using modern algorithms (e.g., argon2 / bcrypt)
- Least-privilege access and security monitoring
- Automated retention and cleanup (see Section 10)
10. Data Retention
We retain data only as long as needed for the purpose collected:
- Server / access logs (IP, user agent, timestamps): up to 14 days for security and abuse-prevention purposes (Art. 6(1)(f) GDPR), then anonymised or deleted
- Sessions & auth tokens: deleted at expiry
- Desktop tool licenses: 7 days from issue, then cleaned up
- Cooldowns: 14 days
- Webhook content: 30 days
- Notifications: deleted once read, and in any case after 60 days
- Messages & reactions: 90 days
- AirLeak wardrive data (networks, discoveries, and tracks you uploaded): retained until you delete or unpublish it; we do not auto-expire it. The raw uploaded CSV file is deleted immediately after it is processed.
- Invoices, contracts, and tax-relevant records: 10 years (§147 AO)
- Account data (including the HWID bound to a licence): retained while the account or licence exists; deleted on request subject to legal hold
Backups are infrequent and used only during maintenance, deleted records are not recoverable.
11. Mobile Application
The ZeroTrace mobile app (iOS/Android) is the companion app for pairing with and controlling ZeroTrace hardware. It has no login account and no analytics or telemetry, and it keeps your captured data on your phone by default. We do not receive your location, photos, or device logs, and nothing leaves the phone unless you choose to upload it. The app can optionally sync a finished wardrive to your ZeroTrace cloud account or to third-party platforms, using a token you add yourself; this is described under "Optional uploads" below and is off until you set it up.
Permissions the app requests, and why
- Bluetooth (BLE): to discover, pair with, and control your ZeroTrace devices and to receive the wireless observations they capture. Bluetooth communication happens directly between your phone and your device.
- Location (including in the background): during a war-drive ("Drive"), to stamp each captured device with the position where it was heard strongest and to draw your route on the map. On Android, location access is also a system prerequisite for Bluetooth scanning. By default location is recorded only while the app is open; if you grant "Allow all the time" and enable background recording, a drive keeps logging with the screen off, using a foreground service with a persistent notification. Location is only ever used to record an active drive.
- Camera: only to scan a license-key QR code when activating a device. The frame is processed on-device to read the key; no images are captured, stored, or transmitted.
- Photos / media library: the app writes to your gallery only when you tap "save" to export a route card, drive image, or GIF, and reads a single image you pick if you set a custom theme background. It does not scan, index, or upload your existing library and does not read photo location metadata.
Data stored on your device
- App settings, paired devices, saved scripts, and theme/unit preferences.
- War-drive sessions — the captured observations (a device's Bluetooth address, advertised name, signal strength, vendor, and the GPS coordinates and time of its strongest sighting) and your route track — saved as files in the app's private storage.
- Any WiGLE or WDGoWars API tokens you choose to add (see below).
All of this stays on the device. You can delete drive sessions, remove tokens, and clear the in-app diagnostic log at any time; uninstalling the app removes it. None of it is synced to ZeroTrace.
Optional uploads (your ZeroTrace cloud and/or third-party accounts)
The app can publish a finished drive to your ZeroTrace cloud account and to the third-party wardriving platforms WiGLE (wigle.net) and WDGoWars (wdgwars.pl). This is strictly opt-in and never happens unless you act:
- You paste a token for each destination you want to use. Tokens are stored encrypted on your device only (in the OS keychain/keystore), are never embedded in the app, and are only ever sent to the destination they belong to as an authentication header.
- Only when you tap Upload — or enable auto-upload for finished drives — does the app send that session's observations as a standard WiGLE-format CSV (device address, name, time, signal strength, latitude/longitude, accuracy) directly from your phone to the chosen destination's API. The app may also read back your own account statistics from each destination using the same token.
- Uploads to your ZeroTrace cloud (
secure.zerotrace.pw) are received and stored by us; how we handle that server-side data, and the optional community map and leaderboard, are described in the AirLeak section below. - Uploads to WiGLE or WDGoWars go to your own account on that third-party service; NetzSec is not a party to those transfers and does not receive or process that data, and the service's own privacy policy and terms govern it.
Map tiles
The drive map loads background tiles from a third-party map CDN (CARTO basemaps, rendered from OpenStreetMap data, no account or API key). As with any online map, this discloses the map area you are viewing and your device's IP address to the tile provider. No ZeroTrace identifier is attached.
Diagnostics
For troubleshooting, the app keeps a small, fixed-size diagnostic log on the device (shown in the in-app Logs screen). It is capped, overwrites the oldest entries first, and is never transmitted off the device — consistent with our no-logs principle.
Lawful use
War-driving records wireless identifiers broadcast by nearby devices, which can constitute personal data under the GDPR. You are responsible for using the app — and any uploads you make — in line with the law applicable to you. The app is built to minimise: it runs on-device, flags randomised (private) Bluetooth addresses, bounds how much it retains, and uploads nothing without your action.
Legal bases (Art. 6 GDPR): providing the app's core functionality rests on Art. 6(1)(b) (performance of the contract); access to Bluetooth, location, camera, and photos is enabled by the device permissions you grant at the operating-system level; optional uploads to your ZeroTrace cloud and to WiGLE/WDGoWars rest on your consent (Art. 6(1)(a)), which you can withdraw at any time by removing the token or disabling auto-upload.
A note on Android permissions: some permissions appear in the Android manifest because they are pulled in by the libraries the app uses (for example a microphone permission comes bundled with the camera module) even though the app does not use them. The app requests a permission at runtime only for the features described above.
12. AirLeak Data & Community
If you upload a wardrive to your ZeroTrace cloud account (from the dashboard or the mobile app), the observations are ingested and stored on our backend: for each discovered network we keep its BSSID/MAC address, name (SSID), encryption, channel, the GPS coordinates and time of its strongest sighting, and the route track of the drive, together with your username and the device model. A wardrive records identifiers that nearby wireless devices broadcast, which can constitute personal data about their owners; you are responsible for uploading only data you are permitted to collect and share.
Private by default. An uploaded drive is visible only to you unless you turn on publishing. Your own view shows the full BSSID, SSID, and exact coordinates.
If you publish, your discovered networks join the community map and you appear on the leaderboard, the recent-activity feed, and shared tracks. To protect the people whose devices were observed, the community view is de-identified: BSSID/MAC addresses are hashed, coordinates are coarsened to roughly 110 metres, and SSIDs are omitted. The leaderboard shows your username and your count of unique networks; a shared track shows your username, device model, and time. You can unpublish or delete your data at any time.
Uploaded runs are also screened for fabricated data (impossible movement, colliding or future timestamps, oversized files); a flagged run may be held for review and excluded from the community map and leaderboard.
Legal basis: upload and publishing rest on your consent (Art. 6(1)(a)); screening and de-identification rest on our legitimate interest (Art. 6(1)(f)) in a trustworthy community dataset and in protecting observed third parties.
13. AI Features
Some of our desktop tools (for example OSINT, Proxy, and the desktop app) include an optional AI assistant. By default it runs a local model on your own machine (e.g. Ollama) and sends nothing to us or to any third party.
If you choose a cloud AI provider — such as Anthropic, OpenAI, Google, Mistral, or another supported provider — and supply your own API key, then the content you send to the assistant (your prompts and any tool output you include, which may contain data you are working on) is transmitted to that provider and handled under that provider's own terms and privacy policy. NetzSec does not receive that content. A small amount of AI-usage information (model, token counts, cost, and a short prompt snippet) is kept locally on your device for your own reference and is not transmitted to us.
14. Automated Decision-Making
NetzSec does not carry out automated individual decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR.
Our systems use automated rules for fraud and abuse prevention (e.g., rate limiting, anomaly detection, payment-risk signals supplied by Stripe). These rules may flag a session or order for human review but do not, by themselves, deny goods or services without a manual review step.
15. Your Rights (Art. 15–22 GDPR)
- Access, request a copy of your data (Art. 15)
- Rectification, correct inaccurate data (Art. 16)
- Erasure, request deletion (Art. 17), subject to legal retention
- Restriction, limit processing (Art. 18)
- Portability, receive your data in a portable format (Art. 20)
- Objection, to processing based on legitimate interests (Art. 21)
- Withdraw consent, at any time, with effect for the future (Art. 7(3))
- Right to lodge a complaint with a supervisory authority, competent for us: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Düsseldorf
To exercise rights, contact contact@netzsec.com.
16. Contact and DPO
Privacy questions and requests can be sent to contact@netzsec.com.
NetzSec is currently a sole proprietorship without employees regularly engaged in large-scale processing and is not required to appoint a Data Protection Officer (Art. 37 GDPR / §38 BDSG). The owner, Selda Karakus, handles privacy enquiries directly.