Privacy Policy

This policy explains what personal data Yazoul Security collects when you use this site, why we collect it, how long we keep it, and what rights you have under the EU General Data Protection Regulation (GDPR) and the ePrivacy Directive. It applies to yazoul.net and all of its sub-sections (/advisory, /breaches, /news, /learn, /intel, /research, /malware).

1. Data controller

The data controller is Yazoul Security. Postal address and any registration details for data-subject requests are available on request to the contact below — please include "Privacy request" in the subject line.

Contact for privacy matters: Enable JavaScript to see email. We have not appointed a Data Protection Officer because our processing does not meet the thresholds in GDPR Article 37; the contact above is the single point of contact for all data-subject and supervisory matters.

2. What we collect

The site processes three categories of personal data:

• Newsletter subscription data. When you subscribe to the newsletter we store your email address, the timestamp of your consent, the version of the consent text you saw, and a one-way hash (SHA-256) of your IP address as proof of where the consent originated. We do not store the raw IP address.
• Analytics data (Google Analytics 4). Only loaded if you accept analytics cookies. GA4 collects pseudonymous identifiers, page views, referrer, approximate location (country/region level), and device/browser information. IP addresses are anonymized by Google before storage.
• Server access logs. Cloudflare automatically records standard HTTP request metadata (IP, user agent, requested URL, timestamp, response code) for security and abuse-prevention purposes. These are processed by Cloudflare and not directly retained by us.

We do not run advertising, behavioral profiling, A/B testing, or fingerprinting.

3. Lawful bases (GDPR Article 6)

• Newsletter — Article 6(1)(a): your explicit consent, given by ticking the consent box on the subscription form.
• Analytics cookies — Article 6(1)(a): your consent given through the cookie banner. Required by ePrivacy Directive Article 5(3).
• Server logs — Article 6(1)(f): legitimate interest in operating the service securely and detecting abuse.

4. Recipients and processors

The following third-party processors handle personal data on our behalf under data processing agreements:

• Cloudflare, Inc. — site hosting (Pages), Workers runtime, D1 database (newsletter subscribers), DNS, CDN, and edge logging. Data may be processed in the US under Standard Contractual Clauses.
• Resend — transactional and newsletter email delivery (US-based, SCCs).
• Google LLC — Google Analytics 4 (US-based, SCCs and EU-US Data Privacy Framework).

We do not sell, rent, or share your personal data with any party outside this list. We do not transfer your email address to anyone other than Resend for the sole purpose of delivering the newsletter you subscribed to.

5. Retention

• Newsletter subscriber data — kept until you unsubscribe. Unsubscribed records are retained for 30 days as proof of opt-in/opt-out, then deleted.
• Analytics data — 14 months (Google Analytics 4 default), after which it is automatically deleted by Google.
• Cloudflare access logs — short-term (typically up to 30 days), per Cloudflare's standard retention.

6. Your rights

Under the GDPR you have the following rights regarding your personal data:

• Access (Art. 15) — request a copy of the data we hold about you.
• Rectification (Art. 16) — correct inaccurate data.
• Erasure (Art. 17) — request deletion of your data.
• Restriction (Art. 18) — limit how we process your data.
• Portability (Art. 20) — receive your data in a machine-readable format.
• Objection (Art. 21) — object to processing based on legitimate interest.
• Withdraw consent (Art. 7) — at any time, with no effect on prior lawful processing.

The fastest ways to exercise these rights:

• To unsubscribe from the newsletter — use the unsubscribe link in any email, or visit https://notify.yazoul.net/unsubscribe?email=YOUR-EMAIL.
• To withdraw or change analytics consent — click Manage cookie preferences.
• For all other requests — email Enable JavaScript to see email with "Privacy request" in the subject line. We respond within 30 days as required by Article 12.

You also have the right to lodge a complaint with a supervisory authority (Art. 77). In France this is the Commission Nationale de l'Informatique et des Libertés (CNIL).

7. Cookies and similar technologies

We only set cookies after you explicitly accept them through the cookie banner. Until you make a choice, no analytics cookies are set and Google Analytics runs in Consent Mode v2 with all consent signals defaulted to "denied".

The site may set the following cookies:

You can change your cookie preferences at any time: Manage cookie preferences.

8. International data transfers

Cloudflare, Resend, and Google process data on servers located outside the European Economic Area, primarily in the United States. Transfers rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework as the legal basis under GDPR Article 46. Copies of the relevant agreements are available from each processor at the links in section 4.

9. Updates to this policy

We may update this policy to reflect changes in our processing or applicable law. The version number and last updated date at the top of the page change with every revision. If a change materially affects how we use your data — for example, adding a new processor or a new processing purpose — we will request renewed consent before the change applies to you.

10. Contact

For any privacy question, request, or complaint, email Enable JavaScript to see email with "Privacy request" in the subject line. We respond within 30 days as required by GDPR Article 12.