Privacy Policy
1. Introduction
This Privacy Policy explains how Forum Fortress collects, uses, stores, protects, and deletes personal data when you use our websites, APIs, plugins, software, and related services (the Services).
We are committed to handling personal data in accordance with the UK GDPR, EU GDPR, and other applicable data protection laws.
Where we process data on behalf of customers using our anti-spam and moderation tools, we generally act as a data processor. Where we collect data directly for our own business purposes (such as contact enquiries, support, or account administration), we act as a data controller.
2. Who We Are
Forum Fortress is a privacy-conscious anti-spam and abuse prevention service designed to help online communities reduce spam, fraud, and malicious activity while minimising unnecessary data collection.
For privacy enquiries or data rights requests, please contact us via the contact form on the main website.
Forum Fortress
3. What Personal Data We Process
Depending on how the Services are used, we may process the following categories of personal data.
A. Network and Device Data
- IP address (IPv4 / IPv6)
- Derived subnet information
- ASN / network provider data
- Approximate country or region
- Browser / device metadata
- User-Agent strings
- Referrer information
B. Online Account Identifiers
- Username or forum handle
- Email address
- Site or account identifiers
- Activation codes or API credentials
C. Content and Behavioural Data
- Submitted text content for spam or abuse checks
- Reports of suspicious activity
- Registration attempt metadata
- Signature text or profile fields supplied by customer systems
- URLs or links submitted for analysis
- Moderation outcomes and risk events
D. Derived / Pseudonymous Data
- Hashed usernames
- Hashed email addresses
- Hashed identifiers
- IP subnet reputation signals
- Content fingerprints
- Reputation scores
- Pattern or campaign indicators
E. Website Communications
If you contact us or join the service, we may process:
- Name
- Email address
- Message content
- IP address
- Browser metadata
- Referrer
- Website URL (if supplied)
4. How We Use Personal Data
We use personal data for the following purposes:
Security and Abuse Prevention — To detect, block, investigate, and reduce spam, fraud, coordinated abuse, and malicious automation.
Service Delivery — To operate APIs, plugins, accounts, activations, support systems, and customer functionality.
Communications — To respond to enquiries, support requests, and business contact submissions.
Product Improvement — To improve detection quality, tune systems, troubleshoot issues, and maintain reliability.
Legal Compliance — To comply with legal obligations, enforce terms, and protect our legitimate interests.
5. Legal Bases for Processing
Where GDPR applies, we rely on one or more of the following lawful bases:
Legitimate Interests — Preventing abuse, securing systems, improving services, and operating our business responsibly.
Contract — Where processing is necessary to provide requested services to customers.
Consent — Where legally required, such as optional marketing communications.
Legal Obligation — Where processing is required by law.
6. Privacy by Design
We aim to reduce unnecessary personal data use wherever practical.
Pseudonymisation — Where suitable, usernames and email addresses may be converted into keyed cryptographic hashes.
Data Minimisation — We aim to retain only the information reasonably required to provide the service and combat abuse.
Link Reduction — Where appropriate, URLs may be reduced to domain or hostname level for analysis.
Limited Decision Logging — Decision records may contain summarised metadata rather than full raw content where possible.
7. Retention of Data
We use different retention periods depending on the type of data and operational need.
Operational Retention of Raw Identifiers — Where raw identifiers such as usernames, email addresses, IP addresses, or submitted content are temporarily retained for abuse prevention, correlation, or operational review, they are normally deleted, redacted, or pseudonymised within five (5) days of collection.
Derived and Reputation Data — Hashed, aggregated, reputation, or statistical data may be retained for longer where reasonably necessary to maintain protection quality and service integrity.
Contact and Business Enquiries — Contact form submissions may be retained for as long as reasonably necessary to respond, maintain correspondence records, or manage legitimate business enquiries.
8. Backups
Encrypted backups may temporarily contain historical copies of data pending normal backup rotation cycles.
Backup data is maintained for disaster recovery, resilience, and service continuity purposes only. It is access-restricted and is not routinely used for profiling, moderation decisions, or day-to-day operational analysis.
9. Automated Decision Making
Our systems may automatically classify events such as registrations, posts, or reports into outcomes such as:
- allow;
- suspicious;
- moderation queue;
- temporary block; or
- reject.
These decisions are based on risk signals such as reputation, behavioural patterns, submitted indicators, and network intelligence.
Where customers control moderation workflows, final decisions may remain with the customer administrator.
10. Sharing of Data
We do not sell personal data.
We may share data only where reasonably necessary with:
- hosting and infrastructure providers;
- technical service providers;
- security and fraud-prevention partners;
- professional advisers;
- regulators or law enforcement where legally required; and
- customers where we process data on their behalf.
11. International Transfers
Where data is transferred outside the UK or EEA, we use appropriate safeguards such as adequacy decisions, contractual protections, or equivalent lawful transfer mechanisms.
12. Security
We use reasonable technical and organisational safeguards including:
- access controls;
- encryption in transit;
- restricted administrative access;
- pseudonymisation where practical;
- logging and monitoring;
- retention controls; and
- secure hosting practices.
No internet service can guarantee absolute security, but we take protection seriously.
13. Your Rights
Depending on your jurisdiction, you may have rights to:
- request access to your personal data;
- request correction of inaccurate data;
- request deletion of data;
- object to certain processing;
- restrict processing;
- request portability where applicable; and
- complain to a relevant supervisory authority.
Where we act solely as processor for a customer, requests may need to be directed to that customer first.
14. Cookies and Website Technologies
Our website may use essential cookies or similar technologies required for security, session handling, spam prevention, and core functionality.
We do not use unnecessary tracking technologies unless we state otherwise.
15. Children
Our Services are not directed at children under 13 (or any higher minimum age required by local law). We do not knowingly collect personal data from children without a lawful basis.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be reflected by updating the “Last updated” date.
17. Customer Responsibilities
Customers using Forum Fortress remain responsible for ensuring they have an appropriate lawful basis to submit user data to us and for providing any privacy notices required to their own users.
18. Contact
For privacy enquiries, requests, or complaints, please contact Forum Fortress using the contact form on the main website.
Forum Fortress