Legal
Privacy Policy
How SipRadar (EU-based operator) collects, uses, and protects personal data under GDPR.
Last updated: 15 July 2026
Data controller
SipRadar (EU-based operator) is the data controller for personal data processed through the SipRadar website, customer accounts, and support channels.
For privacy inquiries or to exercise your rights: legal@sipradar.net.
Scope
This Privacy Policy explains how we handle personal data when you visit sipradar.net, create an account, use our API, run PBX scans, or contact support. It does not cover third-party websites linked from our Service.
Data we collect
We may process the following categories of data:
- Account data: name, work email, company name, billing details, plan tier, API key metadata.
- Usage data: API request logs, IP addresses queried, scan targets submitted, webhook delivery logs, feature usage.
- Threat intelligence data: IP addresses, SIP headers, user-agents, ports, and attack patterns observed by our honeypots (generally not personal data, but may occasionally relate to identifiable networks).
- PBX scan results: configuration findings, open ports, extension metadata exposed by public SIP probes (processed only with ownership verification).
- Support and communications: messages sent via contact forms, email, or Discord.
- Scam reports: IPs, SIP URIs, phone numbers, descriptions, and SIP log evidence submitted via the Report a VoIP Scam form.
- Technical data: browser type, device identifiers, cookies, and server logs.
Sources of data
We collect data directly from you, automatically through your use of the Service, and from our honeypot infrastructure when third parties probe SIP endpoints.
We do not intentionally collect special categories of personal data (e.g. health, biometric). SIP traffic processed by honeypots is minimized and should not contain voice content or call recordings.
Purposes and lawful bases (GDPR)
We process personal data for the purposes below:
- Providing the Service (contract performance): accounts, API access, scans, billing, webhooks.
- Security and abuse prevention (legitimate interests): fraud detection, rate limiting, ownership verification.
- Threat intelligence product development (legitimate interests): aggregating honeypot signals into reputation scores.
- Legal compliance: tax, accounting, responding to lawful requests.
- Marketing with consent: waitlist and product announcements where you opt in.
Honeypot and threat feed data
Our honeypots record technical metadata about SIP probes. This data powers the threat feed, IP lookup API, and blacklist exports. Community tier users receive a feed delayed by 48 hours; paid tiers receive real-time data.
Derived reputation scores and blocklists may be retained long-term. Raw honeypot telemetry is retained for up to 90 days unless a longer period is required for security investigations.
User-submitted scam reports and attached SIP logs are retained for verification, moderation, and compliance purposes. Approved report summaries may be published on public scam profile pages. Raw SIP evidence is retained for up to 12 months unless a longer period is required for fraud investigations.
Retention by plan
Log and audit retention depends on your subscription:
- Community: minimal account data; no extended scan log retention.
- Single PBX: 7-day log retention.
- Active Defense Pro: 30-day log retention.
- Enterprise: custom retention under contract.
- Account data: retained while your account is active and for a reasonable period thereafter for legal and billing purposes.
International transfers
Primary processing occurs in the European Union. If data is transferred outside the EEA, we use appropriate safeguards such as Standard Contractual Clauses.
Your rights
Under GDPR, you may have the right to access, rectify, erase, restrict, object to processing, and data portability. You may withdraw consent at any time where processing is consent-based.
You may lodge a complaint with your local supervisory authority. We will respond to rights requests within one month unless extension is permitted.
Children
The Service is not directed at children under 16. We do not knowingly collect data from children.
Data Processing Agreement
Enterprise customers acting as data controllers may request a DPA covering our processing of personal data on their behalf. Contact legal@sipradar.net.
Changes to this policy
We may update this Privacy Policy. Material changes will be notified via email or a prominent notice on the Service. The date at the top indicates the latest revision.
This document is provided for informational purposes and does not constitute legal advice. For legal inquiries, contact legal@sipradar.net.
Related policies