Privacy Policy
Effective date: 12 September 2025
Last updated: 12 September 2025
Minimal disclosure notice: To protect both our users and the HackAware.org team, we publish only the contact details necessary to provide our Services. We do not list postal addresses or phone numbers. If we ever need to disclose additional details, we will update this page and clearly ask for consent where required.
Thank you for visiting HackAware.org (“HackAware”, “we”, “us”, or “our”). We are a Sri Lanka–based cyber‑awareness initiative sharing investigations, guides, and community reports about scams and digital safety. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our websites, forms, newsletters, and social channels (together, the “Services”).
1) Who we are (Data Controller)
- Operator: HackAware.org
- Primary contact: HackAware.org Team
- Privacy email: [email protected]
We primarily operate from Sri Lanka and may process data in other countries through trusted service providers.
2) Scope
This policy covers:
- Websites: hackaware.org and relevant subdomains (e.g., report.hackaware.org)
- Forms: submission tools used to receive reports, tips, and feedback
- Newsletters: our email lists and updates
- Social: our official pages/channels where this policy is linked
It does not apply to third‑party sites or services we link to.
3) Personal data we collect
3.1 Data you provide directly
- Contact details: email address
- Newsletter data: email preferences, opt‑in/opt‑out records
- Threat/abuse reports: narrative descriptions, screenshots, files, links, usernames/handles, and any personal data you include
- Event/training registrations: name and email
- Support/tip‑off messages: message content and attachments
Please share only what is necessary. If you include other people’s personal data, ensure you have a lawful basis to do so.
3.2 Data collected automatically
- Technical: IP address, device/browser type, operating system, referral URLs
- Usage: pages visited, timestamps, approximate geolocation derived from IP, clickstream data
- Cookies & similar tech: see Section 8
3.3 Data from third parties
- Analytics & anti‑abuse tools may provide aggregate or pseudonymous metrics.
- Public sources / OSINT: When you ask us to investigate, we may combine your submission with publicly available information strictly for the purpose of investigating the reported issue.
3.4 Children’s data
Our Services are not directed to children under 16. If a child has provided personal data, contact us to delete it.
4) Why we process your data (Purposes) and legal bases
We process data to:
- Operate and secure the Services (hosting, load‑balancing, security logging, fraud prevention)
- Respond and support (reply to emails, process report forms, handle take‑down requests)
- Investigate and educate (verify submissions; prepare redacted/anonymised awareness content)
- Communicate (send newsletters and safety alerts to those who opt in)
- Organise events/training (manage registrations and materials)
- Comply with law (respond to lawful requests; enforce terms; defend legal claims)
Legal bases depend on your jurisdiction and may include legitimate interests, consent (which you can withdraw), contract, and legal obligation.
5) How we share information
We do not sell personal data. We may share data with:
- Service providers (e.g., hosting/CDN, analytics, email delivery, form tools, security tools) acting under our instructions and safeguards.
- Law enforcement/regulators when legally required or to protect vital interests and safety.
- Public interest reporting: We may publish redacted or anonymised excerpts of reports (e.g., blurred screenshots) to educate the public. If you object to publication, tell us when you submit.
- Business transfers: If our operations are reorganised, this policy and your data may transfer subject to the same protections.
6) International transfers
We use service providers globally. When data moves across borders, we apply appropriate safeguards and work only with providers that commit to adequate protection.
7) Retention
We keep personal data only as long as needed to provide the Services, resolve issues, meet security and legal requirements, and maintain reliable records. When data is no longer needed, we delete or anonymise it. Examples:
- Contact/newsletter data: kept while you are subscribed and for a short audit period thereafter.
- Technical logs: kept for a short period to operate and secure the Services.
- Investigation submissions: kept while the matter is active and for a reasonable period afterward, unless you request deletion and we have no legal basis to retain it.
8) Cookies & similar technologies
We may use essential, functional, and analytical cookies to operate the site and understand usage. You can control cookies in your browser and via any consent banner we display. Turning off some cookies may affect site functionality.
9) User‑generated content & evidence files
When you submit content (text, images, video, documents):
- Do not upload illegal content or others’ personal data without a lawful basis.
- We may scan files for malware and remove harmful content.
- We may redact names, numbers, or identifiers before any public use.
- You retain copyright. By submitting, you grant us a non‑exclusive licence to use the content for investigation, moderation, awareness publication, and public‑interest reporting, consistent with this Policy and our Terms.
10) Security
We use proportionate technical and organisational measures, including HTTPS, hardened hosting, access controls, least‑privilege access to submissions, and routine updates/monitoring. No system is perfectly secure; if you suspect an issue, email [email protected].
11) Your privacy rights
Depending on your jurisdiction (e.g., Sri Lanka PDPA, EU/UK GDPR, California CCPA/CPRA), you may have rights to access, rectify, erase, restrict or object, port, and withdraw consent. To exercise rights, contact [email protected]. We may need to verify your identity and jurisdiction.
12) Contact
- Email: [email protected]
If you require an alternative contact method for accessibility or safety reasons, email us and we will accommodate where feasible.
13) Changes to this Policy
If we change this Policy, we will update the “Last updated” date and, where appropriate, provide additional notice (e.g., banner or email). Your continued use of the Services means you accept the updated Policy.
14) Sri Lanka‑specific information
We comply with the Sri Lanka Personal Data Protection Act, No. 9 of 2022 (PDPA) to the extent applicable and will update this page with any regulator contact details if/when formally designated.
15) Categories of third‑party services we use (illustrative)
We keep an internal register of processors/sub‑processors. We reference categories rather than vendor names on this public page.
- Hosting/CDN providers
- Analytics providers
- Email/newsletter providers
- Form submission tools
- Error monitoring & security tools
- Social media platforms for embeds
Disclosure preferences confirmation
We intentionally do not publish a postal address or phone number and refer to the HackAware.org Team rather than named individuals. If you believe additional disclosures would benefit transparency without creating safety risks, contact [email protected] so we can evaluate and, if appropriate, update this page.

