Privacy Policy
Last updated: April 8, 2026
The Short Version
We collect the bare minimum to make the Service work. We do not store your defaced masterpieces. We do not track you across the internet. We do not sell your data. That is not our business model. Our business model is catching state-sponsored hackers with art projects.
1. What We Collect
Challenge Sessions
When an EVANDALIZE challenge is initiated, we generate a session ID and track the verification status (pending, verified, or expired). Session data includes a timestamp and the result of the defacement check. Sessions expire automatically and are purged on a rolling basis.
Dashboard Accounts
If you create a dashboard account, we collect your email address and store your API keys. We use this to authenticate you, deliver service communications, and let you manage your integration. That is it.
API Usage Data
We log API request counts, rate limit hits, and error rates per API key for analytics and abuse prevention. These logs do not contain request payloads or end-user personal information.
Basic Analytics
We collect anonymous, aggregated usage metrics (page views, challenge completion rates) to improve the Service. This data cannot be used to identify individual users.
2. What We Do NOT Collect
This part is important. Read it twice if you need to.
- No defaced images. Canvas data stays in the browser. We verify defacement via metadata analysis, not by storing your artwork. Once the session ends, the canvas is gone.
- No personal browsing data. We do not track what sites you visit, what you search for, or anything outside the EVANDALIZE challenge flow.
- No biometric or fingerprint data. We do not analyze drawing patterns, pressure sensitivity, or any behavioral biometrics from the challenge interaction.
- No IP logging. We do not store end-user IP addresses from challenge sessions. Rate limiting is handled by API key, not by IP.
3. Cookies
We use minimal, session-only cookies to maintain authentication state on the dashboard. No third-party tracking cookies. No advertising cookies. No cookie banners that guilt you into clicking “Accept All.” Our cookies expire when your session ends.
Cookies used:
evdl_session — Dashboard authentication (session duration, HTTP-only, secure)
4. Third-Party Services
The Service is hosted on Vercel. Vercel may process requests and collect infrastructure-level data (request logs, performance metrics) in accordance with their own privacy policy. We recommend reviewing Vercel's privacy policy for details on their data handling practices.
We do not integrate any third-party analytics services, advertising networks, or social media trackers into the Service.
5. Data Retention
Challenge session data is ephemeral and automatically purged after expiration (typically within 24 hours). Dashboard account data is retained for the duration of your account. API usage logs are retained for up to 90 days for analytics and abuse detection.
If you delete your account, we will remove your personal data within 30 days. Aggregated, anonymized data may be retained indefinitely for service improvement.
6. Data Security
We implement reasonable technical and organizational measures to protect the data we collect. API secret keys are hashed before storage. All communications with the Service occur over HTTPS. We do not guarantee absolute security, because nobody can, and anyone who tells you otherwise is selling something.
7. Your Rights
Depending on your jurisdiction, you may have rights regarding your personal data, including the right to access, correct, delete, or export your data. To exercise any of these rights, contact us at the email below. We will respond within 30 days.
8. Children's Privacy
The Service is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
9. Changes to This Policy
We may update this policy as the Service evolves. Material changes will be communicated via the dashboard or email. The “Last updated” date at the top of this page reflects the most recent revision.
10. Contact
Privacy questions or data requests? Email privacy@evandalize.com. We take these seriously, which is probably obvious given that our entire product is about not trusting authoritarian surveillance regimes.