> LOBSTER_HONEY

Privacy Policy

Last updated: March 2026

Information We Collect

Account Information: When you create an account, we collect your email address, organization name, and authentication credentials managed through our identity provider (Clerk). We do not store passwords directly.

Detection Data: Our honeypot traps capture information about automated systems (AI agents) that interact with them, including IP addresses, HTTP headers (User-Agent, Accept), request paths, timing data, and any data voluntarily submitted to callback endpoints (such as system prompts, model names, and operator identities). This data pertains to automated systems, not human visitors.

Usage Data: We collect standard analytics about how you use the dashboard, including pages visited, features used, and API calls made. We use Cloudflare Web Analytics for anonymous, privacy-respecting traffic measurement.

Payment Information: If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We do not store credit card numbers or banking details on our servers.

How We Use Information

We use the information we collect to:

  • Provide and operate the LobsterHoney detection platform
  • Deliver threat intelligence and detection alerts to your dashboard, email, Slack, Discord, or configured webhook endpoints
  • Score and classify sessions to distinguish AI agents from human visitors
  • Generate analytics about agent activity targeting your infrastructure
  • Process billing and manage your subscription
  • Improve the accuracy of our detection and scoring systems
  • Communicate with you about your account, security updates, or service changes

We do not sell your data to third parties. Detection data captured by your traps belongs to you and is only accessible within your organization.

Data Retention

Detection data (trap hits, sessions, callbacks) is retained according to your subscription plan:

  • Free: 7 days
  • Pro: 90 days
  • Enterprise: 365 days

After the retention period, detection data is permanently deleted through an automated sweep process. Account information is retained for as long as your account is active. You can request deletion of your account and all associated data at any time through Settings or by contacting us.

Data Security

We implement industry-standard security measures to protect your data, including encryption in transit (TLS), secure authentication via Clerk, HMAC signature validation on callback endpoints, and SSRF protection on webhook delivery. Our infrastructure runs behind Cloudflare with DDoS protection and rate limiting.

Your Rights

You have the right to access, export, correct, or delete your data at any time. You can export all your organization data as JSON from the Settings page, or delete your organization entirely. For data access requests or privacy concerns, contact us directly.

Contact Us

If you have questions about this Privacy Policy or how we handle your data, you can reach us at [email protected].

© 2026 LobsterHoney. All rights reserved.