Matomo

Privacy Policy | Cossack Labs

Privacy Policy

Last updated: 12 June 2026

1. Introduction #

This Privacy Policy explains how Cossack Labs Limited (“we”, “us”, “our”) collects, uses, and shares personal data when you visit https://www.cossacklabs.com/ (the “Site”) and its subdomains, and when you submit an inquiry through our contact form.
Cossack Labs Limited is the data controller for personal data collected through this Site.
We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR 2016/679) where applicable. By using the Site, you acknowledge this Privacy Policy.
If you do not agree with this Privacy Policy, please refrain from using the Site.

2. Personal data we collect #

2.1 Data you provide via the contact form #

When you visit the Site, we automatically collect certain technical information about your device and browsing behaviour, including:

  • IP address and approximate geographic location
  • Web browser type and version
  • Device type, operating system, and time zone
  • Pages viewed, time spent on each page, and navigation paths
  • Referring website or search terms that brought you to the Site
  • Date and time of each visit

We refer to this as «Device Information» throughout this Policy. It is collected via cookies, server log files, and third-party analytics tools (see Section 4).

2.2 Data you provide via the contact form #

When you submit an inquiry through our «Contact us» form, we collect the following:

  • Name and company name (entered in a single field)
  • Business email address

This data is collected only when you actively submit the form and only after you have ticked the consent checkbox confirming your agreement to this Policy and our Cookie Policy.
We use the contact form data solely to respond to your inquiry and follow up on potential business engagement. We do not use it for unsolicited marketing.

2.3 What we do not collect #

The products and open-source libraries of Cossack Labs do not collect any user data. This Policy applies only to the Site itself.

We process your personal data under the following legal bases (Article 6 UK GDPR / EU GDPR):

  • Consent (Art. 6(1)(a)) — Contact form submissions. You provide explicit consent by ticking the consent checkbox before submitting the form. You may withdraw consent at any time by contacting us (see Section 13).
  • Legitimate interests (Art. 6(1)(f)) — Website analytics and security. We have a legitimate interest in understanding how visitors use the Site so we can improve it, and in protecting the Site from abuse via reCAPTCHA. We have assessed that these interests are not overridden by your fundamental rights and freedoms.

4. Third-party services and data processors #

We use the following third-party services on the Site. Each acts as a data processor or independent controller and has its own privacy policy.

4.1 Matomo analytics #

We use Matomo — a self-hosted, open-source web analytics platform — hosted exclusively on our own infrastructure. Matomo collects Device Information to help us understand how the Site is used: traffic sources (search engines, referral links, direct visits), number of visitors, most visited pages and URLs, session duration, and similar aggregate statistics. Because Matomo runs on our own servers, your data never leaves our controlled environment and is not transmitted to Matomo’s or any other third party’s servers. IP addresses are anonymised before storage.

4.2 Hotjar #

We use Hotjar to analyse user behaviour on the Site. Hotjar may collect information about mouse movements, scrolls, clicks, and pages visited in order to generate heatmaps and session-level analytics. This helps us identify usability issues and improve the Site experience. Hotjar is configured to suppress all form field inputs — meaning any data you type into forms (including the contact form) is never captured or transmitted to Hotjar. Hotjar’s data is processed on Hotjar’s servers (Hotjar Ltd, Malta, EU). Privacy policy: https://www.hotjar.com/legal/policies/privacy/. To opt out of Hotjar tracking across all sites: https://www.hotjar.com/legal/compliance/opt-out.

4.3 Google reCAPTCHA #

Our contact form is protected by Google reCAPTCHA to prevent spam and automated abuse. reCAPTCHA analyses behavioural signals and device characteristics (including IP address and browser fingerprint) to distinguish humans from bots and sends this information to Google. This processing is carried out under our legitimate interest in protecting the integrity of the contact form. Google’s privacy policy: https://policies.google.com/privacy.

5. Cookies #

We use cookies and similar tracking technologies on the Site. For full details of which cookies we use and how to manage them, please see our Cookie Policy. You can manage your cookie preferences through the consent banner displayed on your first visit.

6. How we use your personal data #

We use the data we collect for the following purposes:

  • To respond to inquiries submitted via the contact form and to engage with potential business relationships;
  • To analyse how visitors use the Site and to improve the user experience;
  • To assess the effectiveness of our content and marketing communications;
  • To protect the Site from spam, fraud, and abuse;
  • To comply with legal obligations.

7. Sharing your personal data #

We do not sell your personal data. We share personal data only in the following circumstances:

  • Third-party service providers — as described in Section 4, solely to the extent necessary to deliver the services listed there.
  • Legal compliance — if required to do so by law or in response to valid requests from public authorities (e.g. a court or government agency).
  • Business transfers — in the event of a merger, acquisition, or asset sale, your personal data may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

8. Data retention #

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy:

  • Contact form data (name, company, email): retained for as long as there is an active business relationship, or for up to 3 years from the date of last contact — whichever comes first. You may request deletion at any time.
  • Device Information and analytics data: retained in aggregated or pseudonymised form for up to 24 months, after which it is automatically deleted or further anonymised.

To request deletion of your data, please contact info@cossacklabs.com.

9. Your rights #

Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — you may request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — you may ask us to correct inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) (Art. 17) — you may ask us to delete your personal data. Please note that legal limitations may apply on your request.
  • Right to restriction of processing (Art. 18) — you may ask us to restrict how we use your data while a dispute is resolved.
  • Right to data portability (Art. 20) — where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, machine-readable format.
  • Right to object (Art. 21) — you may object to processing based on legitimate interests at any time. We will cease processing unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3)) — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint — you have the right to complain to a supervisory authority: UK: Information Commissioner’s Office (ICO) — https://ico.org.uk | 0303 123 1113. EU: your local data protection authority within your EU member state.

To exercise any of these rights, contact us at info@cossacklabs.com. We will respond within one calendar month.

10. International data transfers #

Some of the third-party services described in Section 4 (including Google and Hotjar) may transfer and process your data outside the UK and the European Economic Area (EEA). Where such transfers occur, they are subject to appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the relevant authorities, or adequacy decisions.

11. Minors #

The Site is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has submitted personal data to us, please contact us and we will delete it promptly.

12. Changes to this policy #

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this document reflects the most recent revision. For material changes (e.g. a new category of data collected, a new third-party processor, or a change of legal basis), we will provide a prominent notice on the Site and, where we hold your email address, notify you directly at least 14 days before the change takes effect. For minor clarifications, we may update this document without separate notice.

Continued use of the Site after any change constitutes acceptance of the updated Policy.

13. Contact us #

For any questions, requests, or complaints regarding this Privacy Policy or our data practices, please contact us:

Cossack Labs Limited
Address: 190 Clarence Gate Gardens, Glentworth Street, London NW1 6AD, United Kingdom

Email: info@cossacklabs.com

Start a conversation

Get whitepaper

Apply for the position

Our team will review your resume and provide feedback
within 5 business days

Thank you!
We’ve received your request and will respond soon.
Your resume has been sent!
Our team will review your resume and provide feedback
within 5 business days