Privacy Policy

Who are we?

“We” are Netcraft, the UK-based cybersecurity company (officially Netcraft Limited of 63 Catherine Place, London, SW1E 6DY, UK, Company No. 02161164). The Netcraft Privacy Policy explains how and why we collect and process any personal information about you when you use our services, as well as the rights you have over your personal data.

If you’d like to talk to us about your personal information, please contact us at privacy@netcraft.com.

Who’s the Netcraft Privacy Policy for?

Different parts of our Netcraft Privacy Policy apply to:

To learn about the information we collect, how we use it and why we need it, please consult the section(s) relevant to you under “What information do we collect and how do we use it?”.

Please note: the Netcraft Privacy Policy does not apply when you’re using third-party (non-Netcraft) websites linked to by us. The information practices and the content of such other websites are governed by their own privacy policies. Please consult the privacy policy of such other websites to find out about their information practices.

What information do we collect, and how do we use it?

Visitors

Website Analytics

Our sites use various analytics platforms to monitor the activity of users, so that we can make improvements to provide a better user experience. This information is not personally identifiable: it cannot be used to identify you and your browsing habits.

You can opt out of these analytics at any time by clicking the buttons below:

Advertising

Our sites use Facebook and Google Analytics to generate audience lists for re-marketing adverts. This means that after visiting our site you might see our adverts on other sites in Facebook’s audience network or Google’s content network.

By opting out of analytics above you can exclude yourself from being added to our audience lists in future. You can also configure your Google or Facebook settings to prevent these adverts.

You may still occasionally see our adverts around the web, but they won’t have been personally targeted.

Cookies

Our sites make use of cookies to improve user experience by allowing us to monitor your usage. You may see the following cookies in use:

Essential

| Cookie | Name | Purpose | Expires |
|---|---|---|---|
| Cloudflare | __cf_bm | This cookie is used by Cloudflare for bot management | After 30 minutes of continuous inactivity by the end user |
| Cookie Preference | cookiesConsented | This cookie remembers your preference as to whether you’d like to store cookies in your browser | 1 Year |
| Analytics opt-out | analyticsOptOut | This cookie is set when you choose to opt out of optional analytics cookies | 1 Year |
| Cookie Law | cookie_law_seen | This cookie is used by report.netcraft.com to record whether you have seen the cookie policy notification | 1 Year |
| App Notification | app_notification_seen | This cookie is used by report.netcraft.com to record whether you have seen the Netcraft Apps notification | 1 Month |

Optional

| Cookie | Name | Purpose | Expires |
|---|---|---|---|
| Facebook Pixel | _fbp | These cookies are used by Facebook to store and track visits across websites | 3 Months |
| | _fbc | | 3 Months |
| Google Tag Manager | _dc_gtm_ | This cookie is used by Google to throttle request rate | 1 Minute |
| Google Analytics | _ga | These cookies are used by Google Analytics to collect site usage information and generate audience lists for advertising. This information is anonymised so cannot be used to personally identify you | 2 Years |
| | _gid | | 24 Hours |
| Google Ads | _gcl_au | This cookie is used by Google Adsense to store and track conversions | 3 Months |
| Bing Ads | _uetsid | This cookie is used by Bing Ads to store and track conversions | 1 Day |
| HubSpot | _hstc | These cookies are used by HubSpot to collect site usage information. | 6 Months |
| | _hssc | | 30 Minutes |
| | _hsrc | | End of session |
| | hubspotutk | | 6 Months |
| Google Optimize | _gaexp | Used to determine a user’s inclusion in an experiment and the expiry of experiments a user has been included in. | Depends on the length of the experiment, but typically 90 days. |
| | _opt_awcid | Used for campaigns mapped to Google Ads Customer IDs. | 24 hours |
| | _opt_awmid | Used for campaigns mapped to Google Ads Campaign IDs. | 24 hours |
| | _opt_awgid | Used for campaigns mapped to Google Ads Ad Group IDs | 24 hours |
| | _opt_awkid | Used for campaigns mapped to Google Ads Criterion IDs | 24 hours |
| | _opt_utmc | Stores the last utm_campaign query parameter. | 24 hours |
| | _opt_expid | This cookie is created when running a redirect experiment. It stores the experiment ID, the variant ID and the referrer to the page that’s being redirected. | 10 seconds |
| Leadfeeder | _lfa | Used to store a unique visitor ID. Detailed description in this article. | 1 Year |
| | _lfa_consent | Used to store Dealfront consent status. | 2 Years |
| | _lfa_test_cookie_stored | Used to temporarily check if the browser supports cookies or not. | Immediately |
| | _lfa_expiry | A local storage variable used to store the duration for the Dealfront clientID stored in browser LocalStorage. | 2 Years |

Web server logs

When you browse our sites or use our APIs (such as a contact form), information will be received in our web server logs containing:

  • Your IP address
  • Information about your device (such as operating system and browser)
  • The URL you requested
  • The referring page from which the request was made

Site Report and Search DNS

When you look up a hostname on sitereport.netcraft.com or domain on searchdns.netcraft.com, in order to collect the information you requested, check for malicious content and collect data for our Web Server Survey, we may take the URL/hostname/domain queried and visit it either immediately or with a delay.

Blog Subscribers

When you sign up to our blog mailing list, we use your email address to send you emails. You can unsubscribe at any time using the unsubscribe link in the email.

Inquirers

Support Requests and Sales Inquiries

When you raise a support ticket or make an inquiry about one of our products either by submitting a form on our sites or by emailing us, we keep a record of the information you provide such as your email address, name and other information provided as part of the discussion.

Public Reporters

Malicious Email Reports

When you report a malicious email by forwarding it to scam@netcraft.com, we get:

  • Your email address
  • Subject
  • Message headers and body
  • Email address(es) of the original recipient(s)
  • Attachments

Malicious Site reports

When you report a malicious URL on report.netcraft.com, or via our extensions or apps, we get:

  • The URL (e.g., https://www.example.com/phish/) of the site
    • These URLs are often visited by an automated process to check for malicious content, and in some scenarios sites which contain personal information might be visited. For instance, the URL might contain your email address.
  • Your email address if you provide it

Netcraft App Users, Netcraft Browser Extension Users and Netcraft Mail Extension Users

We don’t use the Netcraft App, Netcraft Browser Extension or Netcraft Mail Extension to collect personal information which we could use to identify your personal browsing habits. Depending on the service you’re using, we do however collect certain data relating to your internet use in order to detect and disrupt cybercrime:

Blocked Sites Analytics

Netcraft Browser Extension Users: Analytics information is provided to us when an attempt to visit a URL is blocked by the Netcraft Browser Extension. This is collected to improve the quality of the Netcraft Cybercrime Feed and aid in the identification of false positives. The following information is sent to us:

  • The URL that was blocked
  • The reason the URL was blocked
  • The version of the extension that you are using
  • The country the URL was visited from
  • Information about your device, such as operating system and browser

To opt out, go to the options page of the Extension (usually located in your browser’s Extensions Manager) and disable the ‘Allow analytics’ option.

  • Firefox Extensions Manager can be found at Firefox Menu > ‘Add-ons’ > ‘Extensions’.
  • Chrome Extensions Manager can be found at Google Chrome Menu > ‘More tools’ > ‘Extensions’.
  • Opera Extensions Manager can be found at Opera Menu > ‘Extensions’ > ‘Manage Extensions’.
  • Edge Extensions Manager can be found at Options Menu > ‘Extensions’ > ‘Netcraft Extension’ > ‘Remove’.

Malicious JavaScript URL Collection

Netcraft Browser Extension Users: Where a website you visit loads malicious JavaScript, or where a credential leak is detected, the URL of the website is also collected to aid analysis of the attack.

To opt out, go to the options page of the extension (usually located in your browser’s Extensions Manager) and disable blocking for shopping site skimmers, web miners, other malicious scripts and credential leaks. Note that this also disables your protection against these scripts and credential leaks.

  • The Firefox Extensions Manager can be found at Firefox Menu > ‘Add-ons’ > ‘Extensions’.
  • The Chrome Extensions Manager can be found at Google Chrome Menu > ‘More tools’ > ‘Extensions’.
  • The Opera Extensions Manager can be found at Opera Menu > ‘Extensions’ > ‘Manage Extensions’.
  • The Edge Extensions Manager can be found at Options Menu > ‘Extensions’ > ‘Netcraft Extension’ > ‘Remove’.

Hostnames

Netcraft App (Android) and Netcraft Browser Extension Users: When you use the Netcraft App (Android version) and the Netcraft Browser Extension we collect the website hostnames (not full URLs) visited by your IP address whilst browsing the web with Netcraft protection enabled (in the URL https://www.example.com/home/about, www.example.com is the hostname).

These hostnames are used to help us identify malicious URLs (e.g. http://www.example.com/fake-bank-login.html) that should be blocked within the hostname being visited (www.example.com). We do not collect details of the URLs that you are visiting, as these are only checked locally on your device (except for malicious JavaScript URLs, see above).

On the Netcraft App (Android), this happens only when accessing sites through a supported app on your device: a list of supported apps installed on your device can be found under “Your supported apps” in the App’s settings.

Netcraft App (iOS) Users: Hostnames are not collected.

SMS Protection

Netcraft App Users: Some versions of the Netcraft App provide an SMS protection feature. These versions can be identified by an “SMS Protection” checklist item in the Netcraft App’s home screen. These versions of the Netcraft App collect hostnames (e.g. www.netcraft.com) contained within incoming SMS messages that you receive while the “Scan SMS messages” option is enabled. The hostnames are used to identify malicious URLs (e.g. /fake-bank-login.html) within the SMS message. We do not collect details of the full URLs in the SMS message, as the full URL is only checked locally on the device. If we detect a malicious URL within an SMS, then we will also collect the timestamp, caller-id of the sender, cryptographic hash of the message body (the message itself is not readable), and a list of the phishing URLs found.

Reporting a Malicious Site

Netcraft App and Netcraft Browser Extension Users: When reporting a malicious site through the Netcraft App or the Netcraft Browser Extension, we ask you for the following information:

  • The URL of the site you’re reporting as malicious
    • These URLs may be visited by an automated process to check for malicious content, and in some scenarios the process may visit sites that contain personal information. For instance, the URL might contain your email address.
  • An email address (if you provide one)
    • If you opt to provide an email address, we will store it on your device. Whenever you submit a malicious URL via the Netcraft App, this email address will be included in the report so that you can track your submissions.

Reporting a Malicious Email

Netcraft Mail Extension Users: when reporting a malicious email through the Netcraft Mail Extension, we collect:

  • Your email address
  • Subject
  • Message content
  • Email address(es) of the original recipient(s)

Client Organization Users

In addition to Support Requests and Sales Inquiries above, the following applies:

Netcraft’s Single Sign-On (SSO) Service

If you are using Netcraft’s services on behalf of a Client Organization that currently has a contract with us, in order to fulfil that contract we may issue you as a member of that organization a single sign-on (SSO) account.

For this, we normally receive the following information about you (unless your Client Organization has arranged anonymous SSO accounts):

  • Your name
  • Your business email address (we can’t see your SSO password)

Your information will be used by us for the creation of your SSO account. The SSO account is then used to verify your identity to access certain Netcraft services so we can fulfil our contract with your Client Organization.

Client Organization Applications

The SSO service protects our Client Organization Applications (e.g. the portals for our countermeasures and fraud detection services). We may collect data about how you have interacted with our Client Organization Applications. This may include the pages or features accessed and links clicked, the date and time of the interaction, content inserted, error logs, and similar information. Some of this information may be made available to your Client Organization via audit logs for the service.

We may make use of your name and business email address to provide you with relevant updates on our products and services. If you’re receiving unwanted emails from us which you don’t think are relevant to your role in your Client Organization, please contact privacy@netcraft.com.

Job Applicants

We collect and process some or all of the following types of information from you:

  • Your correspondence and information that you provide to us and/or that may be acquired or produced by us when you apply for a role. This includes information provided through an online job site, via email, at interviews and/or by any other method.
  • Information that you provide to us or we acquire as part of our wider recruitment efforts. This may include information acquired and/or produced as a result of participation in careers fairs and recruitment events (including those run in collaboration with third parties such as universities); and information shared with us by recruitment platforms to which you have uploaded information and Netcraft may have access as an employer.
  • In particular, we process personal details such as name, email address, address, telephone number, date of birth, qualifications, and information relating to your employment history, skills and experience.
  • A record of your progress through any hiring process that we may conduct.

Why do we collect personal information?

Legitimate Interest

(For all users)

We process some data for particular legitimate business purposes, such as:

  • Monitoring how our services are used through logs, in order to determine their effectiveness and make improvements where necessary
  • Troubleshooting issues with and maintaining security of our services by using web server logs
  • Aggregating hostname data from users of our apps in order to determine the busiest websites and other statistics, as well as using them as candidates for inclusion in our monthly Web Server Survey
  • Notifying you via email when the status of a malicious site submission has been updated. If you do not want to receive these updates, we provide an unsubscribe link in every email sent to you concerning your reports, which can be used to stop any further email updates regarding any and all of your reports
  • For recruitment, our legitimate business interests in evaluating your application to ensure that we recruit appropriate employees, verify your information, to contact you in respect of your application, and to improve our processes and recruitment strategy.

Contract

(For Netcraft App/Extension Users, Netcraft Client Organization Users, Blog Subscribers)

Some data collected is required by us to provide the service which you have requested, or which your Client Organization has subscribed to, for reasons such as:

  • Using a website hostname to detect whether malicious content is being hosted there
  • Responding to a query/request which you have submitted
  • Notifying you via email when new articles are posted on the mailing list
  • Providing you with information about a site
  • Access to the services your Client Organization has purchased

We might have to process your personal data where it’s necessary for compliance with a legal obligation.

When will we hold onto your personal information?

We only hold on to the personal information that we get from you as long as we need to for the particular purpose we collected it for, or where we have a legitimate business reason for holding onto that data (for example, to provide you with a product or service you’ve requested, to sort out transactions and to identify fraud, for our own audit purposes), or where we have to comply with certain legal, regulatory or tax requirements. Even when you stop using our services, we may have to retain some information to meet our obligations.

Where there’s no longer a legitimate business need for processing your personal information, we’ll either securely destroy, erase, delete it or make it anonymous: if we can’t do that (for example if your personal information has been stored in a backup archive), we’ll store that information securely and keep it isolated from further processing until it can be deleted.

When will we share your personal information with third parties?

We may share your personal information with third parties, but do not grant permission to those third parties to use the information for their own business interests. In particular, we may share your personal information with third parties in the following cases:

  • To combat cybercrime – data pertaining to threat indicators may be shared (this may entail us disclosing information to the relevant hosting company, registrar, platform, internet or telecoms service provider, any relevant law enforcement authority and any other relevant party capable of helping us stop a particular cyberattack).
  • If legally required to by government bodies and law enforcement agencies.
  • If you perform unlawful acts or attempt to conduct such acts, or in any dispute, claim, action, demand or legal proceedings concerning you and Netcraft.

How secure is your data with us?

Netcraft is certified by the UK Government’s Cyber Essentials scheme. We are also a PCI Approved Scanning Vendor (ASV).

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. These people will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

What are your rights?

Under data protection law you have the right to:

  • Access – You have the right to ask us for copies of your personal information.
  • Rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Erasure – You have the right to ask us to erase your personal information in certain circumstances. We will honour this request unless deleting that information prevents us from fulfilling our legal obligations; or carrying out necessary business functions, like billing for our services, calculating taxes, or conducting required audits. Please note that if you ask us to remove your SSO account you will no longer be able to access certain Netcraft services.
  • Restrict processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
  • Object to processing – You have the right to object to the processing of your personal data in certain circumstances.
  • Data portability – You have the right to ask that we transfer the information you gave us to another organization, or to you, in certain circumstances.

We don’t charge you for exercising your rights. If you make a request, we have one month to respond to you.

To talk to us about your personal information, please contact us at:

What if we update the Netcraft Privacy Policy?

Netcraft reserves the right to make changes to the Netcraft Privacy Policy for emerging legal, regulatory or business reasons. We’ll take appropriate measures to inform you of these changes, depending on their significance and impact. We’ll seek your consent in cases where a material change would require your consent under applicable data protection law.