Privacy policy

How Dokima collects, uses, and protects your information. UK GDPR and Data Protection Act 2018 aligned.

This policy is being formally reviewed and may be updated before launch. Email [email protected] with concerns.

v0.2 — 2026-05-10

The data controller

The data controller for the Dokima service is Daniel Iwugo, trading as The Malware Files, registered in the United Kingdom. Privacy contact: [email protected].

The Malware Files is currently an unincorporated trading name. As such, the legal contracting party for these processing activities is Daniel Iwugo personally. We will update this notice promptly upon incorporation as a UK private limited company and notify all account holders by email.

What we collect

Account information. Your email address; your display name (optional); a hashed copy of your password using a modern memory-hard hashing function configured per current OWASP Password Storage Cheat Sheet recommendations; your subscription tier.

Authentication tokens. Session tokens transmitted over TLS 1.3 only; HttpOnly + Secure + SameSite=Lax cookies; rotated on privilege change.

API keys. Argon2id-hashed copies of your API keys (the raw key is shown to you exactly once at creation and is never logged, stored in plaintext, or recoverable by us); the key prefix and last four characters for display; created and last-used timestamps; per-key usage counters.

Usage data. The Hugging Face model identifiers you scan; the resulting Verdicts (scores); the timestamps of your scans; your monthly scan count.

Technical and abuse-prevention data. Your IP address (rate-limiting and abuse detection); browser User-Agent; lightweight anti-abuse signals including a browser fingerprint hash; for paid-tier customers, a one-way SHA-256 hash of normalised email retained on account deletion to prevent quota-circumvention via re-signup.

Payment data. Handled by Lemon Squeezy as Merchant of Record. We receive your transaction status, plan name, billing-cycle dates, and the last four digits of your card; we do not see, store, or process your full card number, CVV, or bank details.

Why we collect it (per-purpose lawful basis)

Under UK GDPR Article 13(1)(c), every processing purpose has a specific lawful basis. The full table:

  • Account creation + auth: email, hashed password. Lawful basis: Contract — Art 6(1)(b). Retention: lifetime + 30 days.
  • Billing + UK tax: name, billing address, card last-4. Lawful basis: Legal obligation — Art 6(1)(c) (HMRC). Retention: 6 years.
  • Transactional email: email address. Lawful basis: Contract — Art 6(1)(b). Retention: lifetime of account.
  • Score submission + history: model identifier, scan timestamps. Lawful basis: Contract + legitimate interests. Retention: 24 months.
  • Security + abuse prevention: IP, User-Agent, request rate, fingerprint. Lawful basis: Legitimate interests — Art 6(1)(f). Retention: 90 days.
  • Error monitoring: anonymised stack traces (Sentry). Lawful basis: Legitimate interests. Retention: 30 days.
  • Aggregate analytics: de-identified usage counts. Lawful basis: Legitimate interests. Retention: indefinite (no PII).
  • Marketing email: email + opt-in flag. Lawful basis: Consent — Art 6(1)(a). Retention: until withdrawn.

Subprocessors

We use a small number of subprocessors, each contracted under a Data Processing Agreement and bound to process your data only on our instructions. We aim to give reasonable prior notice of subprocessor changes (typically before they go live, by email or banner) and you may terminate your subscription with a pro-rata refund if you object to a new subprocessor.

  • Hetzner Online GmbH: hosting (servers + databases). Location: Germany (EEA). Transfer mechanism: none required (intra-EEA).
  • Cloudflare, Inc.: CDN, WAF, edge cache. Location: global edge; HQ US. Transfer mechanism: UK IDTA + UK Addendum to EU SCCs.
  • Lemon Squeezy: payments + Merchant of Record. Location: US, Delaware. Transfer mechanism: UK–US Data Bridge / UK IDTA.
  • MailerSend (Progress Software): transactional email. Location: EU data centres. Transfer mechanism: UK IDTA where applicable.
  • Sentry (Functional Software): error monitoring. Location: US. Transfer mechanism: UK IDTA.
  • Grafana Labs: metrics + structured logs. Location: US (EU options). Transfer mechanism: UK IDTA.
  • Hugging Face, Inc.: public data source (model identifier only; no PII). Location: US. Transfer mechanism: N/A — public API queries only.

We do not sell, rent, trade, or otherwise commercially exploit your personal data. We do not share data with advertising networks, data brokers, or AI training datasets.

What we DO and DON'T fetch from Hugging Face

Dokima's primary data source is the public Hugging Face API. Across all tiers we fetch public model metadata only (model card text, file listing, license tag, namespace info, safety flags). No model weights are downloaded. No inference is performed.

International data transfers

Primary data is stored at Hetzner Cloud in Germany (EEA), so the bulk of your personal data never leaves the European Economic Area. Where transfers to non-EEA countries are required (specifically to our US-based subprocessors listed above), we rely on one or more of the following Article 46 transfer mechanisms: the UK International Data Transfer Agreement (IDTA); the UK Addendum to the EU Standard Contractual Clauses; the UK Extension to the EU–US Data Privacy Framework (where the recipient is certified). Copies of the executed transfer instruments are available on request to [email protected].

How we secure your data

We do not claim our security measures are infallible (no system can be) and we do not use vague descriptors like "industry-standard" or "bank-grade". Concretely:

  • TLS 1.3 only on all public endpoints.
  • Argon2id for password and API key hashing per OWASP recommendations.
  • Per-tenant rate-limit isolation in DragonflyDB.
  • Bounded SurrealDB connection pools with deadline-bounded acquisition.
  • AGPL-3.0-or-later open-source engine code, reviewable on request to [email protected].
  • Multi-layer abuse defence: Cloudflare WAF + per-IP token bucket + per-API-key rate limit + tarpit for repeat offenders.
  • Secrets scrubbing on all log paths.
  • Constant-time comparisons for credential verification.

Breach notification

If a personal data breach occurs that is likely to result in a risk to the rights and freedoms of individuals, we will notify the UK Information Commissioner's Office within 72 hours of becoming aware of it, and where the risk is high, will notify affected individuals without undue delay, in line with UK GDPR Articles 33 and 34. We maintain a written incident-response runbook.

How long we keep it (retention schedule)

  • Active account data: for the lifetime of your account.
  • Deleted accounts: 30-day soft-delete grace period (recoverable on request); permanent removal thereafter, except a one-way SHA-256 hash of your normalised email which we retain solely to prevent quota-circumvention via re-signup with the same address.
  • Scan history: retained until you delete it from your account or delete your account. The aggregated, anonymous scan corpus that informs methodology calibration is kept indefinitely as it contains no personal data.
  • Operational logs: 30 days for structured logs; 24 hours for raw access logs.
  • Payment records: 6 years per HMRC tax record-keeping requirements (Companies Act 2006).
  • Security incident records: 5 years from the date of the incident or its resolution, whichever is later.

Your rights under UK GDPR

You have the following rights, all of which we will action within one calendar month of a verified request (UK GDPR Article 12(3)):

  • Access (Art 15) — request a copy of the personal data we hold on you.
  • Rectification (Art 16) — correct inaccurate or incomplete data.
  • Erasure (Art 17) — request deletion of your data subject to our legal obligations.
  • Restriction (Art 18) — restrict processing in defined circumstances.
  • Portability (Art 20) — receive your data in a structured machine-readable JSON bundle.
  • Object (Art 21) — object to processing based on legitimate interests.
  • Withdraw consent (Art 7(3)) — for marketing email and optional analytics, at any time, from your Settings.
  • Complain — lodge a complaint with the Information Commissioner's Office at ico.org.uk or by phone on 0303 123 1113.

Self-serve options are available from your account Settings; for anything else, email [email protected].

AI-specific transparency

Dokima is an AI-adjacent service: it scores publicly available AI models. To be explicit:

  • We do not use customer data, scan history, or account data to train AI models — ours or anyone else's.
  • We do not sell or licence customer data to AI training datasets, brokers, or third parties.
  • We do not use AI to make decisions about individual users that produce legal or significant effects on them, within the meaning of UK GDPR Article 22.
  • The Dokima scoring engine is rule-based and reproducible. The same Hugging Face metadata, scored under the same methodology version, will produce a byte-identical Verdict every time. The full rubric is published on the methodology page.

Cookies + tracking

At launch Dokima sets exactly one cookie: a session cookie required for sign-in (HttpOnly, Secure, SameSite=Lax, deleted on browser close or sign-out). We do not use analytics cookies, advertising cookies, social-media tracking pixels, or third-party analytics scripts. If we add optional analytics in future, we will request opt-in consent via a cookie banner with reject-as-easy-as-accept controls (per ICO PECR enforcement guidance) before any non-essential cookie is set. The cookie banner will not include pre-ticked boxes and will not use a cookie wall.

Children

Dokima is not directed at people under 18 and we do not knowingly collect personal data from anyone under 18. If you believe a child has signed up, contact [email protected] and we will delete the account within 72 hours.

Anonymity in dispute and appeal communications

If you submit a score dispute, score appeal, or support ticket relating to a third party's model, we will not voluntarily disclose your identity to the third party. We will only disclose in response to a valid court order from a court of competent jurisdiction in England and Wales, after exhausting reasonable objections on your behalf.

Changes to this policy

We will give 30 days' prior notice of any material change to this policy, by email to your account address and by a banner on the site. Non-material changes (typos, formatting, link updates) may be made without notice; the version stamp at the top of this page reflects the current revision.

Contact

For privacy questions or to exercise any of the rights above: [email protected]. For security disclosure see our security policy. Postal address available on request.