Privacy Policy
Last updated: 2026-07-02
Who we are
DLG Labs LLC ("DLG Labs", "we", "us") is a United States security consulting firm operating the website at dlglabs.io. This policy explains what personal data we collect through the site, why we collect it, how long we keep it, and the rights you have.
This policy covers the public website and its contact form. Confidential data we handle during a paid engagement is governed by the engagement contract, our data handling policies, and, where applicable, a Data Processing Addendum (DPA). For data collected through this site, DLG Labs acts as the data controller under GDPR.
Data we collect
When you submit our contact form, we collect only what you provide:
- Name and email address
- Company or organization and role
- The content of your message
Data collected automatically
When you visit the site, our hosting provider may log standard technical data such as IP address, browser type, pages viewed, and timestamps. We do not knowingly collect sensitive or special-category data through the site, and the site is not directed to children. Please do not submit sensitive personal data through the contact form.
How and why we use your data
We use the data you submit to respond to your inquiry, follow up on your request, and prepare information or a proposal you ask for. We use technical data to operate and secure the site.
Under GDPR, our legal bases are: your consent when you submit the form (Art. 6(1)(a)), our legitimate interest in responding to a business inquiry and keeping the site secure (Art. 6(1)(f)), steps taken prior to entering a contract (Art. 6(1)(b)), and compliance with legal obligations (Art. 6(1)(c)). You may object to processing based on legitimate interest, or withdraw consent, at any time.
We do not sell or share your data
We do not sell your personal data, we do not share it, and we do not disclose it to third parties. No marketing partners, no data brokers, no analytics resellers, no cross-context behavioral advertising as defined by the CCPA/CPRA.
The only exception is legal compulsion: if a valid court order or equivalent legal obligation requires us to produce specific data, we disclose the minimum required and, where the law allows, we notify you first.
Our infrastructure
Your data is processed only by DLG Labs, on infrastructure we operate and control. The cloud hosting providers that run that infrastructure store your data encrypted, under our exclusive control, and act as processors bound by data-processing agreements; they are never permitted to access or use it for their own purposes. Beyond hosting, no third party processes your personal data on our behalf. During client engagements, nothing is delegated to any third party without your prior written approval and a signed DPA.
How long we keep your data
We keep personal data only as long as needed for the purposes above. Our category-level retention periods are:
- Website and contact-form data: kept no longer than 24 months after your last contact with us, then deleted. You may request deletion at any time.
- Credentials and secrets captured during a client engagement: destroyed, or force-rotated, on delivery of the final report. They are not held for the 30-day raw-data window.
- Raw engagement data (evidence, scan output, logs, screenshots): securely destroyed within 30 days of final report delivery, a hard deadline anchored to delivery. We prefer destruction over anonymization for this data.
- Final reports: retained at least 12 months after delivery, or until the next annual test report is delivered, whichever is later. This floor reflects PCI DSS 4.0, which requires penetration test results to be kept for at least 12 months.
- Minimal engagement record (scope, dates, and report hash only, with no raw data): may be retained for the applicable limitation period for the defense of legal claims (GDPR Art. 17(3)(e)).
- Contract and billing records: as required by law.
- Legal hold: a live claim, audit, or regulatory obligation pauses the destruction of affected data until it is resolved. Clients may request earlier deletion at any time, subject to those obligations. Full detail is in our Data Retention and Destruction Policy, available on request.
Security
We protect personal data with technical and organizational measures including encryption in transit and at rest, least-privilege access controls, and per-client data isolation. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Your rights under GDPR
If GDPR applies to you, you have the right to access, rectify, and erase your personal data, to restrict or object to processing, to data portability, to withdraw consent at any time, and to lodge a complaint with your data protection authority.
One qualifier on erasure: under GDPR Article 17(3), we may lawfully decline or defer an erasure request while retention is required to comply with a legal obligation or for the establishment, exercise, or defense of legal claims. Examples include penetration test reports we must keep to meet PCI DSS or audit requirements, and data under a legal hold. We will tell you if an exception applies and delete the data once the obligation ends.
To exercise any right, email privacy@dlglabs.io. We respond within the time limits required by law, generally within one month, and may need to verify your identity first.
Your rights under CCPA/CPRA (California)
If you are a California resident, you have the right to know and access the personal information we hold, to correct it, to delete it subject to statutory exceptions (for example, where we must retain it to comply with a legal obligation, defend legal claims, or meet audit or PCI DSS requirements), and to non-discrimination for exercising your rights.
We do not sell or share personal information, so there is nothing to opt out of. The categories we collect are identifiers (name, email), professional information (company, role), the contents of your message, and internet activity (technical logs). We retain them for the periods listed above. To exercise these rights, email privacy@dlglabs.io.
International transfers
DLG Labs is based in the United States. If you contact us from the EEA, the United Kingdom, or Switzerland, your data may be transferred to and processed in the United States. Where we transfer personal data out of those regions, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum. You may request a copy of the relevant safeguards from privacy@dlglabs.io.
Contact and changes
Questions or requests: privacy@dlglabs.io.
We may update this policy from time to time. We will post the updated version here with a new date, and highlight material changes where practical.