HoneyLabs

Privacy

Last updated 2026-05-16. Short, plain English. If something isn't clear, email info@honeylabs.net and we'll explain.

What this site is

HoneyLabs runs honeypots on the public internet and indexes the probe traffic that arrives at them. The honeypot data is about the attackers, not about you. Anyone can browse it for free at /lookup without signing up.

You only give us personal data if you choose to sign in (to get a higher quota or wire up an MCP client). This page describes what happens then.

What we store about you

  • Email address. You give this when you ask for a sign-in link. We use it to send the link and to contact you about your account.
  • API keys. Hashed, not stored in plaintext. We can't recover a key for you; you mint a new one if you lose it.
  • Sessions. A signed-in browser session token (hashed) and its expiry. Backs the __Host-hlsess cookie. No tracking IDs, no third-party state.
  • Magic-link records. Hashed tokens plus their expiry, so we know whether a link is still valid and whether it's already been used.
  • Usage events. When you call a tool or the API, we record which tool, how long it took, and how many rows it scanned. We use this for your daily credit budget and to spot abuse. We do not log the contents of your queries or the responses.
  • Billing data, only if you pay. Stripe holds your card details directly; we store only a Stripe customer ID and a subscription ID alongside your account.

What we don't do

  • We don't sell your data.
  • We don't use third-party analytics or advertising trackers.
  • We don't log the bodies of your queries or the data we return.
  • We don't share your account with anyone outside of HoneyLabs operations.

Where data lives

Account data sits on a Hetzner virtual machine in Germany. Honeypot telemetry sits on ClickHouse in the same region. Stripe holds billing data in the US under standard contractual clauses for EU transfers. Cloudflare fronts the site globally as a CDN and does not persistently store request bodies.

How long we keep things

  • Account, API keys, sessions: kept while your account exists.
  • Usage events: 90 days, then dropped.
  • Magic-link records: kept while your account exists, but they're useless after the 15-minute expiry.
  • Stripe records: per Stripe's retention policy, which we don't control.
  • Honeypot probe telemetry (not user-tied): 90 days, then aged out.

Your rights

You live in the EU/EEA or UK? Then under GDPR you have, at minimum, the right to:

  • Access. Download everything we have on you as a JSON file from the dashboard. Or email us and we'll send it.
  • Erasure. Delete your account from the dashboard. The account row and all related rows (keys, sessions, usage events) go away. If you have a paid subscription, we cancel it with Stripe at the same time.
  • Rectification. Email us if anything we store about you is wrong and we'll fix it.
  • Portability. Same as access; the export is JSON.
  • Objection / restriction. Email us; we'll act inside one calendar month.
  • Complaint. If you're unhappy with how we handle a request, you can complain to your local data-protection authority.

We don't require ID to act on any of these; signing the request from the email on file is enough.

Cookies

One cookie, __Host-hlsess, set after you sign in. It's host-scoped, HttpOnly, Secure, SameSite=Lax, and ties your browser to your account. No tracking cookies. No third-party cookies.

Contact

Email info@honeylabs.net for anything in this document, or just to ask what we know about you. We reply in English or Dutch.