Privacy Policy
Last updated: 17 April 2026
Webatrisk ("we", "us", "our") operates the Remote Browser Isolation (RBI) platform at webatrisk.com and its associated subdomains. This policy explains what data we process when you visit this website or use the Webatrisk service.
1. Summary
Zero session data retention. When you browse a website through Webatrisk, we do not persist the content of that session — no cache, no cookies, no history, no screenshots. Each browsing session runs inside a fresh Firecracker microVM that is destroyed when the session ends.
2. Data we process
2.1 Website visitors
When you visit webatrisk.com we collect minimal, standard server logs:
- IP address (truncated after 24 hours)
- User agent
- Requested path and referrer
- Timestamp
These logs are used only for security, abuse prevention, and aggregate analytics. We do not use third-party advertising trackers.
2.2 Contact & sales enquiries
If you submit the contact form or email us, we store your name, company, email address, and the content of your message in our support system. We use this information to reply to you and for sales follow-up. We retain it for as long as the relationship is active, and for up to 24 months after the last interaction.
2.3 Webatrisk service (if you are a customer)
When your organisation uses Webatrisk to isolate browsing sessions, we process:
- Session metadata: session ID, tenant ID, start time, end time, target URL category. Retained for billing and abuse detection for 90 days.
- Session content: executed only in memory inside the microVM. Never persisted. Destroyed at session end.
- Authentication: API key identifiers (not the key itself), last-used timestamp.
3. Legal bases (GDPR)
- Service delivery — performance of a contract with your organisation.
- Security logs — legitimate interest in protecting our service.
- Marketing enquiries — consent, which you can withdraw at any time by emailing us.
4. International transfers
Webatrisk is operated from the European Union. Enterprise customers can request regional data residency (EU-only or US-only) as part of their plan.
5. Your rights
Under GDPR and similar laws, you have the right to access, correct, delete, or export your personal data, and to object to processing. To exercise any of these rights, email [email protected]. We respond within 30 days.
6. Sub-processors
We use a small number of sub-processors to operate the service (infrastructure hosting, email delivery, payment processing). A current list is available on request at [email protected].
7. Security
See our Security & Trust page for a summary of our technical and organisational measures.
8. Changes
We will publish any material change to this policy on this page and notify active customers by email at least 30 days before it takes effect.
9. Contact
Data Protection contact: [email protected]