Privacy Policy

Who is the data controller

The data controller for cryptokiller.org is DEX Algo Technologies Pte Ltd., a company registered in Singapore. All questions about this privacy policy, data requests, or complaints should be directed to corrections@cryptokiller.org.

For EU/UK data subjects, we have appointed a representative who can be contacted at the same email address. For CCPA requests from California residents, the verified-request process is described in the "Your rights" section below.

What information we collect

We practise data minimisation: we collect only what we need for the specific, disclosed purpose, and we keep it only as long as we need it.

• When you submit a scam report through our reporting form, we collect the information you provide in that form — which typically includes your name or pseudonym, your email address, and the details of the scam incident. This is the only category of personal information we actively collect.
• Standard server access logs (IP address, user agent, referring URL, timestamp) are recorded for security, abuse prevention, and to detect infrastructure issues. These logs are retained for 30 days and then deleted.
• We do not use tracking cookies. We do not use third-party analytics (Google Analytics, Facebook Pixel, or equivalents). We do not use behavioural advertising pixels of any kind.
• We do not collect biometric data, precise geolocation, health information, or any special category of personal data under GDPR Article 9.
• We do not knowingly collect personal information from children under 16 years of age. If you believe a minor has submitted information to us, please contact corrections@cryptokiller.org and we will delete it.

Why we collect it — our legal basis

Under GDPR Article 6, we rely on the following legal bases:

• Consent (Article 6(1)(a)) — when you submit a scam report, you consent to us processing the details of that report for the specific purpose of investigating and publishing about the brand in question.
• Legitimate interest (Article 6(1)(f)) — for server access logs and basic site operation. Our legitimate interest is in maintaining site security and detecting infrastructure abuse, balanced against your privacy interests. IP addresses are not used for profiling or advertising.
• Legal obligation (Article 6(1)(c)) — when law enforcement or a regulator makes a legally binding request for specific information, we comply with the minimum disclosure required by law.

How we share your information

We do not sell personal information. We do not share personal information with advertisers, data brokers, or marketing services. We do not license our data.

• Reporter information is shared only with the CryptoKiller research team, bound by internal NDAs.
• Reporter information may be shared with law enforcement or regulators when they make a specific legal request tied to an active investigation — with prior notice to you where legally permitted.
• Server access logs may be provided to law enforcement pursuant to a valid subpoena or legal process.
• We use a small number of service providers (email hosting, server hosting) that act as data processors under our instructions. These processors are under GDPR-compliant Data Processing Agreements and do not use the data for their own purposes.

How long we keep it

Reports are retained in our internal intelligence system for as long as they remain relevant to an ongoing or archived investigation. You can request deletion at any time by emailing corrections@cryptokiller.org — see the "Your rights" section.

Server access logs are retained for 30 days and then deleted.

Email correspondence with you is retained for three years or until you request deletion, whichever comes first.

Your rights

Under GDPR, CCPA, and equivalent frameworks, you have the following rights with respect to your personal information:

• Right of access — you can request a copy of any personal information we hold about you.
• Right to rectification — you can request correction of inaccurate personal information.
• Right to erasure ("right to be forgotten") — you can request deletion of your personal information. We honour erasure requests in full for reporter submissions and email correspondence.
• Right to restriction — you can request that we stop processing your information while a dispute is being resolved.
• Right to object — you can object to processing based on legitimate interest.
• Right to data portability — you can request a copy of your information in a machine-readable format.
• For California residents under CCPA — the right to know what personal information is collected, the right to delete personal information, the right to opt out of sale (we do not sell personal information regardless), and the right to non-discrimination for exercising these rights.
• Right to lodge a complaint with your data protection authority if you believe we have mishandled your information. The lead supervisory authority for our EU/UK representative is available on request.

How we protect your information

Transport encryption — all traffic to cryptokiller.org is served over HTTPS with modern TLS.

Storage encryption — our databases are encrypted at rest. Reporter submissions are additionally encrypted with a separate key held only by the research team.

Access controls — only named research-team members with NDAs and multi-factor authentication can access reporter data. Access is logged and audited.

Data minimisation — we simply do not collect what we do not need. The less data we hold, the less there is to lose in a worst-case scenario.

Changes to this policy

We update this policy when our practices change or when legal requirements change. Material changes are announced at the top of this page and by email to anyone who has submitted a report. The last-updated date at the top of this policy is always current.

Frequently Asked Questions