THE THREAT MODEL

Legal

Privacy Policy

Last updated: April 2026

Data Controller

The data controller for this website is r3tr0s0ft, a sole trader registered in the United Kingdom, operating as The Threat Model.

For privacy-related inquiries, you can contact us at privacy@thethreatmodel.com or via our contact page.

The Short Version

We use privacy-respecting, cookie-free analytics to understand how people use this site. We collect minimal personal data only when you voluntarily submit it (such as through our contact form). We do not build user profiles. Most of our interactive tools run entirely in your browser. One tool (IP Address Check) connects your browser to third-party APIs as described below.

Analytics

We use Plausible Analytics, self-hosted on our own infrastructure at analytics.thethreatmodel.com. Plausible is open-source, cookie-free, and GDPR-compliant by design. It collects the following aggregate data:

  • Page views (which pages are visited and how often)
  • Referrer (what site linked you here)
  • Country (derived from your IP address, which is then immediately discarded and not stored)
  • Device type (desktop, mobile, tablet)
  • Browser and OS (e.g., Firefox on Linux)

Plausible does not use cookies, does not track you across sites, and does not build visitor profiles. All data is aggregated and cannot be used to identify individual visitors. Because no cookies or persistent identifiers are used, no consent banner is required under GDPR or ePrivacy regulations.

Our Plausible instance is self-hosted, meaning analytics data is stored on infrastructure we control and is not shared with any third party.

Analytics data is retained indefinitely in aggregate form. No individual-level data is collected or stored.

Legal Basis for Processing

Under UK GDPR, we process personal data on the following legal bases:

  • Analytics (Plausible): Legitimate interest in understanding site usage to improve our content. No individual data is collected or stored.
  • Contact form: Consent, provided when you check the consent box and submit the form.
  • Server logs: Legitimate interest in maintaining security and preventing abuse. Logs are automatically deleted after 14 days.
  • Interactive tools (IP check): Legitimate interest in providing the service you requested. Third-party API requests are initiated by your browser only when you actively choose to use the tool.

Cookies

This website does not set or read cookies. Your theme preference (light/dark mode) is stored in your browser's localStorage and never leaves your device.

Interactive Tools & Third-Party Services

Our tools are designed to process data locally in your browser. However, some tools connect to third-party services as part of their functionality. By using these tools, you acknowledge and accept the data handling described below:

  • Password Checker: Your password is analysed locally using the zxcvbn library running in JavaScript. Based on the current implementation, your password is not transmitted to any server. You can verify this by inspecting your browser's Network tab while using the tool.
  • IP Address Check: This tool connects your browser directly to the following third-party services, which will receive your IP address: ipapi.co (IP geolocation), ipify.org (IP detection), and Google STUN server (stun.l.google.com, for WebRTC leak detection). These services are operated by third parties with their own privacy policies. We do not control how they process your data. No data from these services passes through our servers.
  • Browser Fingerprint: All fingerprinting signals are collected and hashed locally in your browser. Based on the current implementation, no fingerprint data is transmitted to any server.
  • Privacy Checkup: Your answers and score are computed in your browser. Based on the current implementation, they are not stored on or transmitted to any server.
  • Data Broker Opt-Out: Your checklist progress is saved in your browser's localStorage only. The tool provides links to third-party opt-out pages. When you follow these links, you leave our site and interact directly with those third parties under their own privacy policies. Some opt-out processes may require you to submit personal information (including, in some cases, government-issued identification) directly to the data broker. This is at your sole discretion and risk.

International Data Transfers

Our servers are located in France (within the EEA). When you use our IP Address Check tool, your browser connects directly to third-party services that may process data outside the UK/EEA:

  • ipapi.co (operated by Kloudend, Inc., USA)
  • ipify.org (created by Randall Degges, hosted on Heroku infrastructure)
  • Google STUN (operated by Google LLC, USA)

These transfers occur only when you actively use the IP check tool. Your browser connects to these services directly; the data does not pass through our servers. We do not control the data processing practices of these third parties.

Local Storage

We use your browser's localStorage for the following purposes:

  • Theme preference: Remembers your light/dark mode choice
  • Data broker checklist: Tracks which brokers you have marked as opted out of

localStorage is device-local storage built into your browser. This data is not accessible to us or any third party. You can clear it at any time through your browser settings.

Advertising

We may introduce privacy-respecting advertising in the future through ethical ad networks that do not use cookies, personal data, or behavioural targeting. If we do, this privacy policy will be updated to reflect the specific ad network used, what data (if any) it processes, and your options for opting out. Any advertising will be clearly marked and will not affect our editorial content or product evaluations.

Third-Party Links & Affiliate Links

This site contains links to external websites, including affiliate links. When you click on these links, you leave our site and are subject to the privacy policies of those third-party sites. We are not responsible for the privacy practices, content, or security of external websites. Affiliate partners may use their own cookies, tracking, and data collection on their sites. We encourage you to review their privacy practices before providing any personal information.

Contact Form

When you submit a message through our contact form, we collect your name, email address, subject, and message content. Your IP address is also recorded for anti-abuse purposes.

This data is stored on our own server infrastructure and is only used to respond to your inquiry. Contact submissions are retained for up to 12 months and then deleted. We do not share contact form data with any third party.

Fonts

We use Google Fonts (Inter and Space Grotesk). These fonts are downloaded at build time and served from our own domain. No requests are made to Google's servers when you visit this site. Your browser loads font files directly from our infrastructure.

Server Logs

Our web server may temporarily log IP addresses and request metadata for rate limiting, security, and abuse prevention purposes. Server logs are automatically rotated and deleted after 14 days. These logs are never shared with third parties or used for analytics or marketing.

Your Rights Under UK GDPR

If we hold personal data about you (e.g. from a contact form submission), you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data.
  • Right to restriction: Request that we limit how we process your data.
  • Right to data portability: Request your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interest.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email privacy@thethreatmodel.com. We will respond within one calendar month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. You can contact the ICO at ico.org.uk/make-a-complaint or by phone at 0303 123 1113.

California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information:

  • Right to know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to delete: You have the right to request deletion of personal information we have collected from you.
  • Right to opt-out of sale: You have the right to opt out of the sale of your personal information. We do not sell personal information to third parties.
  • Non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

Beyond contact form submissions, we collect only anonymous, aggregate analytics data through Plausible. If you have submitted a contact form, you may request disclosure or deletion of that data. If you wish to exercise any of these rights or have questions about our data practices, please visit our contact page.

Children's Privacy

This website is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can take appropriate action.

Changes to This Policy

We may update this privacy policy from time to time. Changes will be reflected by the "last updated" date at the top of this page. We encourage you to review this page periodically. Continued use of the website after changes constitutes acceptance of the updated policy.

Contact

If you have questions about this privacy policy or wish to exercise any data protection rights, you can email privacy@thethreatmodel.com or reach us through our contact page.