BoarNetBOARNET
Sign in
Legal

Privacy Policy

Last updated · 2026-04-18

BoarNet captures network metadata about active attackers — people or automated tooling that probe sensors we operate or that operators in our community run. This policy explains what we collect, what we do with it, and how the distinction between operator data (you) and attacker data (the source IPs hitting the honeypots) works.

Data about you (the operator)

When you sign up and run the service, we store:

  • Your email address (for authentication + service-critical notifications).
  • The email display name you choose, if any.
  • SHA-256 hashes of every API key and ingest token you mint. The raw token is shown once at creation and never persisted server-side.
  • Sensor metadata: the sensor id you chose, its fleet (core/mesh), the public IP it used to reach our ingest endpoint, and a GeoIP-derived country/city/coordinate pair for the live-map display.
  • Your current tier and the rolling 48h grace-window expiry timestamp.

We do not collect or store anything from inside your host — no filesystem state, no process list, no network topology, no WiFi SSIDs, no running-service inventory.

Data about attackers

When an attacker probes a BoarNet sensor, we store the network-layer metadata the attacker voluntarily emits:

  • Source IP address and source port of the incoming connection.
  • A salted HMAC-SHA-256 hash of the source IP (for privacy-preserving joins between sensors without exposing raw IPs to low tiers).
  • Destination port on the sensor (22/80/443/etc.) and transport (TCP).
  • Event timestamp (millisecond resolution, UTC).
  • Protocol-specific content the attacker sent: SSH auth attempts (hashed username + password-hint, never the raw password), TLS ClientHello bytes used to derive JA3/JA4 fingerprints, HTTP request headers and body preview, any shell commands issued.
  • GeoIP and ASN enrichment derived from the source IP via public datasets (iptoasn.com, MaxMind GeoLite2-style data).
  • Threat-intel tags (tor-exit, open-proxy, asn-abuse, cve-probe,scanner:shodan, …) matched against bundled public lists.

We treat raw source IPs as attacker data, not personal data about the operator running the scanner — scanning internet services without permission is itself an act. However, because a source IP may correspond to a natural person in some jurisdictions (residential IP, Tor exit, shared VPN), we apply these mitigations:

  • Raw source IPs are never exposed on the Observer tier. Paste-in single-IP lookups return only a verdict + confidence + tags, not the full sighting list.
  • The HMAC-hashed IP is shared with higher tiers for correlation. Raw IP exposure is limited to Participant+ tiers who have a legitimate defensive use (blocking, scoring, alerting).
  • Rate-limit metadata and scan-probe attempts from residential ISPs with no attack signature are low-value and pruned early.

Who we share it with

We do not sell operator data. We do not sell attacker data. We provide attacker data to paying customers through our API — that's the product — but the contract forbids using it for anything other than defensive purposes (see Terms).

We use third-party services strictly as infrastructure: Supabase for the primary database, Vercel for hosting the web app, GitHub for source code and container image registry. These providers see the data you send us in the normal course of being our infrastructure.

How long we keep it

  • Operator account data: while your account exists. Delete it anytime from Settings.
  • Attacker events: at least 90 days, up to the history window of the highest tier that has ever queried them. Aggregated statistics may be retained longer.
  • Revoked tokens: the hash stays (to block reuse) but becomes inert.

Your rights

If you're a BoarNet operator:

  • Export your data from the dashboard.
  • Delete your account — every profile / token / sensor row tied to it goes with you, except for aggregated event counts which are not individually identifiable.
  • Request correction of anything we have about you by emailing boarthreatintelligence@proton.me.

If you believe your IP is in our dataset and you want it removed, see Abuse & Removal for the process.

Changes

Policy changes get announced via email 14 days before taking effect if they materially reduce your privacy posture. Cosmetic / clarifying updates just bump the Last updated date above.

Contact

Privacy questions: boarthreatintelligence@proton.me.