[] OCCLUDE
v1.0.0

Privacy Policy

Last updated: May 2026

1. Data controller

[BUSINESS_NAME]
[BUSINESS_ADDRESS]
Italy

P.IVA: [PARTITA_IVA]
PEC: [PEC_EMAIL]
Contact: hello@occlude.sh

This policy applies to occlude.sh and the OCCLUDE software. We are the sole controller of the data described below. We have no Data Protection Officer because the scale and nature of our processing does not require one under GDPR Art. 37.

2. What we collect

We designed OCCLUDE to collect as little as possible. No accounts, no email, no names, no cookies, no analytics. Here is the exhaustive list.

2.1 Website visits

Our web server (Nginx) logs timestamps and HTTP status codes only. IP addresses are not logged. We serve no cookies, embed no third-party scripts, load no tracking pixels, and make no external requests. All assets — fonts, styles, scripts — are self-hosted.

2.2 Fingerprint test

When you use the fingerprint test at occlude.sh/fingerprint, your TCP/IP, TLS, and HTTP/2 parameters are captured in memory, analysed, and returned to you. Nothing is stored, logged, or transmitted. The connection state is deleted the moment the HTTP response is sent. Memory holding your fingerprint data is zeroed on deallocation. Retention: zero seconds.

2.3 Purchases

When you buy an OCCLUDE Pro license, we store the following:

  • Country code — derived from a GeoIP lookup of your IP address, plus your self-declared country from a dropdown. The IP address itself is discarded immediately after the GeoIP lookup; only the two-letter country code is retained.
  • Order amount in XMR and EUR, and the exchange rate at time of purchase.
  • Monero transaction hash and the Monero subaddress generated for the payment.
  • SHA-256 hash of the license key (not the key itself).
  • VAT rate applied, VAT amount, and net amount.
  • Timestamp of the order.
  • If B2B: your EU VAT number (publicly available data, validated via VIES).

We do not store your name, email, physical address, phone number, or IP address.

2.4 License activation

When you activate a license, the OCCLUDE daemon sends the following to our server:

  • SHA-256 hash of your license key.
  • SHA-256 hashes of hardware components: machine-id, disk serial, CPU model and core count, primary NIC MAC address, and platform (linux/windows). Raw hardware values never leave your machine — only their one-way hashes are transmitted.
  • Client version string.

2.5 License validation (daily)

Pro licenses are validated once per day via a heartbeat to our server. This transmits the same data as activation (license key hash, hardware hashes, client version). Additionally, a SHA-256 hash of your IP address is computed server-side for rate limiting. This IP hash is held in memory only and is not stored persistently, not written to disk, and not logged.

2.6 What we do not collect

  • Names, email addresses, physical addresses, or phone numbers.
  • IP addresses. The GeoIP lookup at purchase produces a country code; the IP is discarded. Nginx does not log IPs. The validation endpoint hashes the IP transiently for rate limiting.
  • Browsing behaviour, usage patterns, or feature-usage statistics.
  • Payment card details — we accept Monero only.

3. Legal basis for processing

Under GDPR Art. 6(1), we rely on the following legal bases:

  • GeoIP country lookup at purchase — Art. 6(1)(c), legal obligation. The EU VAT Directive requires us to determine the customer's country for VAT calculation.
  • Hardware hashes at activation and validation — Art. 6(1)(b), performance of contract. Machine binding is how we deliver the license you purchased.
  • IP hash for rate limiting — Art. 6(1)(f), legitimate interest. Preventing abuse of the validation endpoint is a proportionate security measure. The hash is transient and cannot identify you.
  • Purchase records — Art. 6(1)(c), legal obligation. Italian tax law requires retention of transaction records.

4. Data retention

  • Purchase records: retained for 10 years as required by Italian tax law (DPR 600/1973, DPR 633/1972).
  • License validation logs: 90 days, then deleted.
  • Fingerprint test data: 0 seconds — never stored.
  • Rate-limiting IP hashes: held in memory during request processing only, not persisted.

5. International data transfers

All data is processed on a server hosted by Hetzner Online GmbH in Germany (EU). We do not transfer data outside the European Economic Area. We do not use any non-EU sub-processors.

6. Cookies and tracking

None. We set no cookies. We run no analytics. We load no external resources. There is no cookie banner because there are no cookies.

7. Automated decision-making

We do not perform automated decision-making or profiling as defined by GDPR Art. 22. License validation is a deterministic check against stored hashes — it is not profiling.

8. Your rights

Under GDPR, you have the right to access, rectification, erasure, restriction, portability, and objection regarding your personal data. You also have the right to withdraw consent at any time, though we do not rely on consent as a legal basis for any processing.

In practice, most of these rights have limited applicability: we store no names, no emails, no IP addresses, and no data that directly identifies you. Purchase records are keyed by a SHA-256 hash of a license key, and hardware bindings are keyed by SHA-256 hashes of hardware identifiers. If you can demonstrate that specific records relate to you (for example, by presenting your license key), we will honour your request to the extent permitted by law. We cannot delete records that Italian tax law requires us to retain.

To exercise any right, contact us at hello@occlude.sh.

9. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority. Our lead authority is:

Garante per la Protezione dei Dati Personali
Piazza Venezia 11, 00187 Roma, Italy
protocollo@gpdp.it · www.garanteprivacy.it

10. Changes to this policy

We may update this policy to reflect changes in our processing or in applicable law. The "Last updated" date at the top of this page will change accordingly. We do not have email addresses to notify, so check this page periodically.

11. Contact

For privacy-related inquiries: hello@occlude.sh

For security issues: security@occlude.sh or see security.txt.