Privacy Policy
Last Updated: March 2, 2026
1. Effective Date
This Privacy Policy was last updated on March 2, 2026. It is effective as of that date and supersedes all prior versions. This Privacy Policy describes how PyLocket collects, uses, discloses, and protects information when you access or use our website, platform, tools, and services. By using any part of the PyLocket Service, you acknowledge that you have read and understood this Privacy Policy.
2. Introduction
PyLocket (“we,” “us,” “our”) operates a cloud-based platform for protecting Python applications through encryption, obfuscation, and license enforcement. We are committed to safeguarding the privacy and security of the data entrusted to us by our customers and their end users.
This Privacy Policy applies to all of the following (collectively referred to as the “Service”):
- The PyLocket website at pylocket.com and all associated subdomains
- The Developer Portal (the web-based dashboard for managing applications, builds, licenses, and account settings)
- The PyLocket CLI (command-line interface) and REST API
- The PyCharm/IntelliJ plugin distributed via the JetBrains Marketplace
- The native Runtime embedded in Protected Applications (the component that enforces licenses and collects Telemetry Data on End User devices)
This Privacy Policy explains what data we collect, why we collect it, how we use it, with whom we share it, how long we retain it, and what rights you have regarding your data. We comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable data protection and privacy laws worldwide.
If you are a Developer using the Service to distribute Protected Applications to End Users, please also review Section 15 (Developer Responsibilities as Data Controller), which outlines your obligations regarding your End Users’ data.
If you are an End User of a Protected Application, the data collected by the PyLocket Runtime on your device is governed by the PyLocket Runtime End User License Agreement in addition to this Privacy Policy.
3. Definitions
The following terms have specific meanings when used in this Privacy Policy:
- “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a natural person or household. This includes, but is not limited to, names, email addresses, IP addresses, and device identifiers.
- “Processing” means any operation or set of operations performed on Personal Data, whether by automated or manual means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- “Data Controller” means the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- “Data Processor” means a natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Data Controller.
- “Device Fingerprint” means a one-way cryptographic hash derived from a combination of hardware and software attributes of an End User’s device. The hash uniquely identifies a device for license enforcement purposes without revealing the underlying hardware attributes.
- “Telemetry Data” means security events, anti-tamper signals, and related metadata collected by the Runtime during the execution of a Protected Application. This includes events such as debugger detection, integrity check failures, and unauthorized modification attempts.
- “End User” means a natural person who uses a Developer’s Protected Application. End Users interact with the PyLocket Runtime but do not necessarily have a direct account or relationship with PyLocket.
- “Developer” means our customer — a natural person or legal entity that registers for a PyLocket account and uses the Service to protect, distribute, and license their Python applications.
4. Information We Collect
We collect information in several categories depending on how you interact with the Service. Below is a comprehensive description of each category.
4a. Developer Account Data
When you register for a PyLocket account, we collect the following information:
- Name — your full name as provided during registration
- Email address — used as your account identifier and for transactional communications
- Company name (optional) — if you are registering on behalf of a business entity
- Password — stored exclusively as a bcrypt hash; your plaintext password is never stored or logged
When you add billing information to your account, payment processing is handled entirely by Stripe, Inc. We do not receive, process, or store your credit card number, bank account details, or other financial instrument data. We store only your Stripe customer ID, which allows us to reference your payment history and subscription status through Stripe’s secure API.
4b. Developer Usage Data
We automatically collect the following information when you interact with the Service:
- API call logs — timestamps, endpoints accessed, request parameters (excluding sensitive payloads), and response status codes
- Build history and metadata — Build identifiers, submission timestamps, Build configuration options, and Build status (success/failure)
- Login timestamps — the date and time of each successful and failed authentication attempt
- IP addresses — the Internet Protocol address from which you access the Service
- Pages viewed in the Developer Portal — navigation patterns, features used, and time spent on each page
- CLI version and usage patterns — the version of the PyLocket CLI you are running, commands executed, and associated metadata
4c. End-User Device Data (Collected via the Runtime)
When an End User activates a License Key, the Runtime embedded in the Protected Application collects hardware and software attributes from the End User’s device to generate a Device Fingerprint. These attributes include identifiers such as:
- Network interface identifiers (e.g., MAC address hashes)
- Storage device identifiers (e.g., disk serial number hashes)
- Operating system identifiers (e.g., OS installation UUID)
- Hostname
Critical: These hardware and software attributes are immediately hashed using a one-way cryptographic function before being transmitted to PyLocket servers. We store only the resulting hash (the Device Fingerprint). The original hardware attributes cannot be recovered from this hash and are never transmitted to or stored on our servers in their original form.
In addition to the Device Fingerprint, we collect:
- The End User’s IP address at the time of activation
- The activation timestamp
- Periodic license validation requests, each of which includes the End User’s IP address and the timestamp of the validation
4d. Telemetry / Anti-Tamper Data
When Telemetry is enabled by the Developer in their application configuration, the Runtime collects security events including:
- Debugger detection events — attempts to attach a debugger to the running process
- Integrity verification failures — mismatches detected during cryptographic integrity checks of protected code
- Unauthorized modification attempts — detected changes to protected code, resources, or Runtime components
- Other anti-tamper signals — instrumentation framework injection, timing anomalies, and other indicators of reverse-engineering attempts
Each Telemetry event record includes:
- A timestamp of when the event was detected
- The Device Fingerprint hash of the device on which the event occurred
- The IP address of the device at the time of the event
Telemetry Data is retained for 90 days and is then automatically and permanently deleted from our systems.
4e. Website & Analytics Data
When you visit the PyLocket website or Developer Portal, we may collect:
- Cookies — see Section 17 (Cookies) for details
- Browser type and version
- Operating system
- Referring URL — the website that linked you to our site
- Pages visited and navigation patterns within our site
- Time spent on each page
- General geographic location derived from your IP address (city/region level; we do not perform precise geolocation)
4f. PyCharm Plugin Data
When you use the PyLocket plugin for PyCharm or other JetBrains IDEs, the following data is involved:
- Authentication tokens — stored locally in the IDE’s credential store on your machine; these tokens are not transmitted to PyLocket except as part of authenticated API requests
- Build submission requests — when you submit a Build via the plugin, your source code and Build configuration are transmitted to PyLocket servers for processing (see Section 8)
- Plugin usage analytics — which plugin features are used, frequency of use, and plugin version information, collected to improve the plugin experience
5. How We Collect Information
We collect information through the following methods:
Directly from Developers
We collect information that you voluntarily provide when you:
- Register for a PyLocket account and complete your profile
- Configure billing and subscription settings (payment data is collected directly by Stripe)
- Contact us through support channels, email, or other communications
- Submit feature requests, bug reports, or feedback
Automatically via the Runtime
The PyLocket Runtime embedded in Protected Applications automatically collects data from End User devices, including:
- Device Fingerprints — generated at license activation and verified during periodic license validation
- License validation requests — periodic check-ins to verify that the license remains valid and has not exceeded its device limit
- Telemetry Data — security events collected from End User devices when Telemetry is enabled by the Developer
Automatically via the Website
When you visit our website or use the Developer Portal, we automatically collect data through:
- Cookies — small data files stored on your browser (see Section 17)
- Server logs — standard HTTP access logs maintained by our infrastructure
- Analytics tools — privacy-respecting analytics services used to understand website and portal usage patterns
From Third Parties
- Stripe, Inc. — payment confirmation, subscription status changes, and billing-related notifications
- Analytics service providers — aggregated and anonymized usage data to help us understand how the Service is used
6. How We Use Information
We use the information we collect for the following purposes:
- Provide and maintain the Service — account management, application Build processing, Protected Artifact delivery, license key generation and management, and license enforcement through Device Fingerprint-based activation
- Process payments — manage subscriptions, process billing through Stripe, generate invoices, and handle refunds
- Enforce software licenses — verify License Key validity, enforce per-device activation limits using Device Fingerprints, and manage license lifecycle operations (activation, deactivation, revocation)
- Detect tampering and piracy — analyze Telemetry Data to identify unauthorized use, reverse-engineering attempts, and integrity violations in Protected Applications
- Communicate with Developers — send transactional emails (account confirmations, password resets, Build notifications), product updates, security advisories, and respond to support requests
- Improve the Service — analyze usage analytics to identify areas for improvement, monitor performance and reliability, track and resolve errors, and develop new features
- Ensure security — detect and prevent fraud, abuse, and unauthorized access; enforce rate limits; monitor for suspicious activity; and protect the integrity of our infrastructure
- Comply with legal obligations — maintain records required by tax and financial reporting laws, respond to lawful government requests and legal processes, and enforce our Terms of Service
7. Legal Basis for Processing (GDPR)
For individuals located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process Personal Data under the following legal bases as defined by the General Data Protection Regulation:
Contractual Necessity — Article 6(1)(b)
- Processing Developer Account Data and Developer Usage Data to provide, maintain, and administer the Service that you have signed up for under our Terms of Service
- Processing End User Device Fingerprints and license validation data to fulfill the software protection and license enforcement functionality that is the core purpose of the Service
- Processing source code to generate Protected Artifacts as part of the Build service
Legitimate Interest — Article 6(1)(f)
- Processing Telemetry Data for anti-tamper and piracy detection purposes, which serves the legitimate interest of both PyLocket and our Developers in protecting intellectual property
- Processing IP addresses for security monitoring, fraud prevention, and abuse detection
- Analyzing aggregated usage patterns and performance data to improve the reliability, functionality, and user experience of the Service
- Sending non-marketing service-related communications (e.g., security advisories, deprecation notices)
We have conducted balancing tests to ensure that our legitimate interests do not override the fundamental rights and freedoms of data subjects. You have the right to object to processing based on legitimate interests (see Section 16).
Consent — Article 6(1)(a)
- Marketing communications — we send promotional emails and product announcements only with your explicit opt-in consent. You may withdraw consent at any time by clicking the “unsubscribe” link in any marketing email or by contacting us at privacy@pylocket.com
- Optional analytics cookies — non-essential cookies are placed only after you provide consent through our cookie banner (see Section 17)
Legal Obligation — Article 6(1)(c)
- Retaining billing and payment records for the period required by applicable tax, accounting, and financial reporting laws
- Responding to lawful requests from government authorities, including law enforcement, regulatory bodies, and courts
- Maintaining records necessary to demonstrate compliance with data protection laws
8. Source Code Processing
The protection of your source code is of paramount importance to us. We have designed our Build pipeline with strict safeguards to ensure the confidentiality and integrity of your intellectual property.
- Purpose limitation: Developer Application source code is uploaded to our servers solely for the purpose of Build processing — applying encryption, obfuscation, and embedding the license enforcement Runtime to produce a Protected Artifact.
- Encryption in transit: Source code is encrypted during transmission using TLS 1.2 or higher, ensuring that your code cannot be intercepted during upload.
- Encryption at rest: While on our servers awaiting or undergoing processing, source code is encrypted at rest using cloud-managed encryption keys provided by AWS Key Management Service (KMS).
- Automated processing only: Source code is processed exclusively by automated systems. No PyLocket employee accesses your source code during or after the Build process. Human access to source code is prohibited by policy and enforced through access controls.
- Post-processing deletion: After Build processing is complete and the Protected Artifact has been generated, your original unencrypted source code is permanently deleted from our servers. Only the encrypted Protected Artifact is retained for your download and distribution.
- No secondary use: We never share, sell, sublicense, analyze, train models on, or use your source code for any purpose other than providing the Build service you have requested.
The legal basis for Processing your source code is contractual necessity — it is required to provide the core Build and protection service that you have contracted for under our Terms of Service.
9. Device Fingerprinting Disclosure
Important: The PyLocket Runtime embedded in Protected Applications collects hardware and software attributes from End User devices for the purpose of license enforcement. This section provides a detailed disclosure of what is collected, how it is processed, and how it is stored.
What Is Collected
The Runtime collects the following categories of hardware and software attributes from the End User’s device at the time of license activation:
- Network interface identifiers — such as MAC addresses associated with network adapters
- Storage device identifiers — such as serial numbers of hard drives or solid-state drives
- Operating system identifiers — such as the OS installation UUID or machine GUID
- Hostname — the device’s configured network name
- Other machine-specific attributes that contribute to the uniqueness and stability of the fingerprint
How It Is Processed
All collected attributes are combined into a single composite value and processed through a one-way cryptographic hash function with a per-application salt (a unique, random value assigned to each Protected Application). The resulting hash is the Device Fingerprint. This process occurs entirely on the End User’s device before any data is transmitted to PyLocket servers.
What Is Stored
PyLocket stores only the one-way hash (the Device Fingerprint). The original hardware attributes — MAC addresses, serial numbers, hostnames, and other raw identifiers — are never transmitted to or stored on PyLocket servers in their original form.
Purpose
Device Fingerprints are used solely for per-device license enforcement — ensuring that each License Key is activated on no more than the number of devices permitted by the Developer’s licensing terms. Device Fingerprints are not used for tracking, profiling, advertising, or any purpose other than license enforcement.
Reversibility
The one-way cryptographic hash function used to generate the Device Fingerprint is computationally irreversible. The original hardware attributes cannot be recovered from the stored hash. Additionally, the per-application salt ensures that the same device will produce different Device Fingerprints for different Protected Applications, preventing cross-application tracking.
Data Controller
The Developer who distributes the Protected Application is the Data Controller for their End Users’ Device Fingerprint data. The Developer determines whether to use license enforcement, how many devices to permit per license, and whether to distribute their application with PyLocket protection enabled. PyLocket acts as the Data Processor, processing Device Fingerprint data on behalf of and according to the instructions of the Developer.
End Users can find additional information about Device Fingerprinting in Section 5 of the PyLocket Runtime EULA.
10. Telemetry & Anti-Tamper Disclosure
When Telemetry is enabled by the Developer in their application configuration, the Runtime monitors for the following categories of security threats on End User devices:
- Debugger attachment — attempts to attach interactive debuggers or memory inspection tools to the running Protected Application process
- Integrity check failures — mismatches detected when the Runtime verifies the cryptographic integrity of protected code modules, indicating potential unauthorized modification
- Unauthorized code modification — detected changes to protected source code, bytecode, resources, or Runtime components that were not authorized by the Build process
- Instrumentation framework injection — detection of dynamic instrumentation frameworks (e.g., Frida, DynamoRIO) being loaded into the application process
- Timing anomalies — abnormal execution timing patterns that may indicate single-stepping, breakpoint-based analysis, or other reverse-engineering techniques
Event Reporting
When a security event is detected, the Runtime reports the following information to PyLocket servers:
- The event type (category of security threat detected)
- A timestamp of when the event was detected
- The Device Fingerprint hash of the device on which the event occurred
- The IP address of the device at the time of the event
Transmission
Telemetry Data is transmitted to PyLocket servers via encrypted channels using TLS 1.2 or higher. Events may be batched and transmitted periodically rather than in real time, depending on network conditions and Runtime configuration.
Access
Telemetry Data is made available to the Developer via the Developer Portal dashboard, where they can view security events, analyze patterns, and take appropriate action (such as revoking compromised License Keys).
Retention
Telemetry Data is automatically and permanently deleted after 90 days. This retention period provides Developers with sufficient time to review security events while limiting the duration for which End User data is stored.
Opt-Out
Developers can disable Telemetry Data collection in their application configuration at any time. When Telemetry is disabled, the Runtime does not monitor for security events and does not transmit any Telemetry Data. License enforcement (Device Fingerprinting and license validation) continues to function independently of the Telemetry setting.
Data Controller
The Developer is the Data Controller for Telemetry Data collected from their End Users. The Developer decides whether to enable Telemetry and is responsible for disclosing this data collection in their own privacy policy or EULA. PyLocket is the Data Processor, collecting and storing Telemetry Data on behalf of the Developer.
11. Data Retention Schedule
We retain different categories of data for different periods depending on the purpose of collection and legal requirements. The following table summarizes our retention practices:
| Data Category | Retention Period |
|---|---|
| Developer account information | Duration of account + 30 days after deletion request |
| Application metadata | Until the Application is deleted by the Developer |
| Protected Artifacts (encrypted builds) | Until the Build is deleted by the Developer |
| Original source code (unencrypted) | Deleted immediately after Build processing completes |
| License Keys and activation records | Until the License is deleted by the Developer |
| Device Fingerprints (one-way hashes) | Duration of the associated License |
| Telemetry Data | 90 days (automatic deletion) |
| Server and access logs | 30 days |
| Payment and billing records | 7 years (legal requirement) |
| Support communications | 2 years after last contact |
| Cookie data | See Section 17 (Cookies) |
When data reaches the end of its retention period, it is permanently deleted or irreversibly anonymized. Deletion timelines are approximate and may vary by up to 30 days due to automated processing schedules and backup rotation cycles.
12. Data Sharing & Sub-Processors
We do NOT sell your Personal Data to third parties. We have never sold Personal Data and have no plans to do so. We share data only as described below and only to the extent necessary to provide, secure, and improve the Service.
Amazon Web Services (AWS)
Role: Infrastructure provider and sub-processor.
- S3 — object storage for Protected Artifacts, Build assets, and application data
- KMS — encryption key management for data-at-rest encryption
- CloudFront — content delivery network for serving Protected Artifacts and static website assets
- SES — Simple Email Service for sending transactional emails (account confirmations, password resets, Build notifications)
Data location: US-East-1 (N. Virginia, United States). See Section 13 for international transfer information.
Stripe, Inc.
Role: Payment processor.
Stripe receives billing information (including credit card details) directly from your browser during the checkout process. PyLocket does not handle, process, or store credit card data. We interact with Stripe’s API using only your Stripe customer ID. For information about how Stripe handles your data, please review Stripe’s Privacy Policy.
JetBrains s.r.o.
Role: Plugin distribution platform.
The PyLocket plugin for PyCharm and other JetBrains IDEs is distributed via the JetBrains Marketplace. JetBrains may independently collect plugin download statistics, usage analytics, and crash reports as described in JetBrains’ Privacy Policy. PyLocket does not control the data JetBrains collects through the Marketplace.
Analytics Providers
We may use privacy-respecting analytics tools to understand how the Service is used, identify performance bottlenecks, and improve user experience. We select analytics providers that prioritize user privacy and data minimization. No Personal Data is shared with advertising networks, and we do not participate in any advertising tracking ecosystems.
Law Enforcement
We may disclose Personal Data if we are required to do so by law, or if we believe in good faith that such disclosure is reasonably necessary to:
- Comply with a legal obligation, subpoena, court order, or government regulation
- Protect the rights, property, or safety of PyLocket, our Developers, or the public
- Detect, prevent, or address fraud, security issues, or technical problems
We will notify you of any law enforcement request for your data unless we are legally prohibited from doing so (e.g., by a court-ordered gag order or national security letter).
Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or asset sale, your Personal Data may be transferred as part of the transaction. We will notify you before your data becomes subject to a different privacy policy. See Section 19 for details.
13. International Data Transfers
All data collected by PyLocket is stored and processed primarily in the United States, specifically in the AWS US-East-1 (N. Virginia) region.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your Personal Data is transferred to the United States when you use the Service. We recognize that such transfers require appropriate safeguards under the GDPR and UK GDPR.
To ensure the lawful transfer of Personal Data outside the EEA/UK/Switzerland, we rely on the following mechanisms:
- Standard Contractual Clauses (SCCs) — as approved by the European Commission (Decision 2021/914), incorporated into our agreements with sub-processors and available in our Data Processing Agreement
- EU-US Data Privacy Framework — where applicable and where our sub-processors (such as AWS and Stripe) have self-certified under the framework
- AWS compliance — AWS maintains compliance with international data transfer requirements, including the EU-US Data Privacy Framework and adherence to SCCs
We regularly review our data transfer mechanisms to ensure they remain valid and effective in light of regulatory developments and court decisions.
If your organization requires data residency within the EEA or another specific jurisdiction, please contact sales@pylocket.com to discuss regional deployment options.
14. Data Security
We implement comprehensive technical and organizational security measures to protect the confidentiality, integrity, and availability of your data. While no system can guarantee absolute security, we employ industry-standard and advanced security controls, including:
- Encryption at rest: All stored data — including Developer account information, Protected Artifacts, Device Fingerprints, and Telemetry Data — is encrypted using cloud-managed encryption keys via AWS Key Management Service (KMS)
- Encryption in transit: All data transmitted between clients (browsers, CLI, Runtime, plugin) and PyLocket servers is protected using TLS 1.2 or higher. We enforce HTTPS on all endpoints and employ HTTP Strict Transport Security (HSTS)
- Cryptographic signing keys: Keys used for signing Protected Artifacts and Runtime components are managed in Hardware Security Modules (HSMs), ensuring they cannot be extracted or compromised
- Access controls: We enforce the principle of least privilege across all systems. Access to production infrastructure and data is restricted through role-based access controls (RBAC) and requires multi-factor authentication (MFA) for all staff
- Web Application Firewall (WAF): Our API endpoints are protected by industry-standard WAF rule sets that detect and block common attack patterns including SQL injection, cross-site scripting, and request smuggling
- Regular security audits: We conduct periodic internal security reviews and engage independent third-party firms for penetration testing of our infrastructure, API, and Runtime components
- SOC 2 Type II compliance: We are actively working toward SOC 2 Type II certification to provide independent assurance of our security, availability, and confidentiality controls (in progress)
- Incident response: We maintain documented incident response procedures to ensure prompt identification, containment, and notification of security breaches. In compliance with GDPR Article 33, we will notify the relevant supervisory authority within 72 hours of becoming aware of a Personal Data breach that is likely to result in a risk to the rights and freedoms of data subjects. Affected individuals will be notified without undue delay when the breach is likely to result in a high risk
We encourage Developers to also implement strong security practices, including using unique and complex passwords, enabling multi-factor authentication on their PyLocket accounts, and keeping their CLI and plugin installations up to date.
15. Developer Responsibilities as Data Controller
When you use the PyLocket Service to distribute Protected Applications to End Users, a specific data protection relationship is established between you, PyLocket, and your End Users. It is important that you understand your obligations under applicable data protection laws.
Your Role: Data Controller
You are the Data Controller for your End Users’ Personal Data that is processed through the PyLocket Service. This includes:
- Device Fingerprints generated from End User devices
- IP addresses collected during license activation and validation
- Telemetry Data collected from End User devices (if Telemetry is enabled)
As the Data Controller, you determine the purposes for which this data is collected (software protection and license enforcement) and the means of processing (using PyLocket as your chosen technology provider).
PyLocket’s Role: Data Processor
PyLocket is the Data Processor, processing End User data on your behalf to provide the license enforcement and anti-tamper services you have configured.
Your Obligations as Data Controller
- Privacy disclosures: Include appropriate disclosures in your own privacy policy, EULA, or terms of service informing your End Users about the collection of Device Fingerprints, license validation communications, and Telemetry Data (if enabled). Your disclosures should explain what data is collected, why, and how it is processed. A Developer EULA Template with the required PyLocket disclosures is available. You must also include or link to the PyLocket Runtime EULA in your end-user agreement (see Terms of Service, Section 16).
- Legal basis / consent: Obtain any legally required consent or establish an appropriate legal basis before distributing Protected Applications that collect End User data. The specific requirements will depend on the laws applicable in your End Users’ jurisdictions.
- Data subject requests: Forward any data access, rectification, erasure, or other data subject requests received from your End Users to PyLocket at privacy@pylocket.com. We will assist you in processing these requests in a timely manner.
- Legal compliance: Comply with all applicable data protection laws in your End Users’ jurisdictions, including but not limited to the GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPA, and other national or regional data protection regulations.
Our Obligations as Data Processor
- Documented instructions: We will process End User data only according to your documented instructions and the configuration you have set for your Protected Applications
- Security measures: We will maintain appropriate technical and organizational security measures to protect End User data (see Section 14)
- Breach notification: We will notify you without undue delay upon becoming aware of any Personal Data breach affecting your End Users’ data
- Data subject assistance: We will assist you in responding to data subject access, rectification, erasure, portability, and objection requests from your End Users
- Data return and deletion: Upon termination of your PyLocket account, we will delete or return all End User data within 30 days, unless retention is required by law
- Audit cooperation: We will make available information necessary to demonstrate compliance with our data processing obligations
Data Processing Agreement
A formal Data Processing Agreement (DPA) that meets the requirements of GDPR Article 28 is available upon request. To request a DPA, contact legal@pylocket.com. The DPA includes Standard Contractual Clauses for international data transfers.
16. Your Rights (GDPR & CCPA)
If You Are in the EEA/UK (GDPR)
Under the General Data Protection Regulation, you have the following rights with respect to your Personal Data:
- Right of Access (Article 15) — You have the right to request a copy of the Personal Data we hold about you, along with information about how it is processed, the purposes of processing, and the recipients to whom it has been disclosed.
- Right to Rectification (Article 16) — You have the right to request that we correct any inaccurate Personal Data and complete any incomplete Personal Data concerning you.
- Right to Erasure / “Right to be Forgotten” (Article 17) — You have the right to request the deletion of your Personal Data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when other conditions under Article 17 are met.
- Right to Restrict Processing (Article 18) — You have the right to request that we limit how we use your Personal Data in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interests.
- Right to Data Portability (Article 20) — You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
- Right to Object (Article 21) — You have the right to object to the processing of your Personal Data based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Right to Withdraw Consent (Article 7(3)) — Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
- Right to Lodge a Complaint — You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data protection rights have been violated.
If You Are in California (CCPA/CPRA)
Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, California residents have the following rights:
- Right to Know — You have the right to request that we disclose what categories and specific pieces of Personal Information we have collected about you, the categories of sources from which it was collected, the business or commercial purposes for collection, and the categories of third parties with whom it is shared.
- Right to Delete — You have the right to request that we delete the Personal Information we have collected from you, subject to certain exceptions (such as completing a transaction, detecting security incidents, or complying with legal obligations).
- Right to Opt-Out of Sale — We do NOT sell Personal Information as defined by the CCPA/CPRA. Because we do not sell your data, there is no need to opt out. We also do not “share” Personal Information for cross-context behavioral advertising.
- Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you the Service, charge you different prices, provide a different quality of service, or retaliate in any way.
- Right to Correct — You have the right to request that we correct inaccurate Personal Information that we maintain about you.
For End Users of Protected Applications
If you are an End User of a Protected Application and wish to exercise your data rights regarding Device Fingerprints, license activation records, or Telemetry Data, please contact the Developer who distributes the application. The Developer is the Data Controller for your data. PyLocket, as the Data Processor, will assist the Developer in fulfilling your request upon their instruction.
How to Exercise Your Rights
To exercise any of the rights described above, please contact us at privacy@pylocket.com. In your request, please:
- Clearly describe the right you wish to exercise
- Provide sufficient information for us to verify your identity (we may request additional verification to prevent unauthorized access to your data)
- Specify the scope of your request (e.g., all data, specific categories, specific time period)
We will acknowledge your request within 5 business days and provide a substantive response within 30 days (GDPR) or 45 days (CCPA/CPRA). If we require additional time due to the complexity of the request, we will notify you of the extension and the reasons for it. There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.
17. Cookies
We use cookies and similar technologies on the PyLocket website and Developer Portal. This section explains the types of cookies we use and how you can manage them.
Essential Cookies (Required)
These cookies are strictly necessary for the Service to function and cannot be disabled. They include:
- Session authentication cookies — maintain your authenticated session in the Developer Portal so you do not need to re-enter your credentials on each page
- CSRF protection cookies — protect against cross-site request forgery attacks by verifying that form submissions and API requests originate from your browser
- Language and locale preferences — remember your selected language and regional settings across sessions
Analytics Cookies (Optional, Consent Required)
These cookies help us understand how Developers and visitors interact with the website and Developer Portal. They are placed only after you provide consent through our cookie banner.
- Usage pattern tracking — pages visited, features used, and navigation flow within the Developer Portal and website
- Performance monitoring — page load times, error rates, and other performance metrics
We do not use third-party advertising cookies, retargeting pixels, or any cookies associated with advertising networks.
Managing Cookies
You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies, set preferences for specific websites, and browse in “private” or “incognito” mode. Please note that disabling essential cookies may prevent you from logging into the Developer Portal and using certain features of the Service. For detailed instructions on managing cookies in your browser, consult your browser’s help documentation.
18. Children's Privacy
The PyLocket Service is designed for professional software developers and businesses. It is not directed to children under the age of 16. We do not knowingly collect, solicit, or process Personal Data from children under 16 years of age.
If we become aware that we have inadvertently collected Personal Data from a child under 16, we will take immediate steps to delete such data promptly from our systems and, where applicable, instruct our sub-processors to do the same.
If you are a parent, guardian, or other person who believes that a child under 16 has provided us with Personal Data, please contact us immediately at privacy@pylocket.com. We will investigate the matter and take appropriate action, including deletion of the data if confirmed.
19. Business Transfers
If PyLocket is involved in a merger, acquisition, bankruptcy, dissolution, reorganization, or sale of all or a portion of its assets, your Personal Data may be transferred, assigned, or disclosed as part of that transaction.
In such an event, we will:
- Notify you in advance — via email to your registered email address and/or a prominent notice posted on the PyLocket website — before your Personal Data is transferred and becomes subject to a different privacy policy
- Provide you with the opportunity to delete your account and associated data before the transfer takes effect
- Require the acquiring entity to honor the commitments made in this Privacy Policy with respect to any Personal Data transferred, or to notify you of any material changes
Any entity that acquires PyLocket or its assets will be bound by the terms of this Privacy Policy with respect to previously collected Personal Data, unless and until you are notified of changes and given the opportunity to consent to or reject the new terms.
20. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will:
- Post the revised policy on this page with an updated “Last Updated” date at the top
- Notify registered Developers via email at least 30 days before material changes take effect, providing a summary of the changes and a link to the updated policy
- Announce changes in the Developer Portal through an in-app notification banner visible upon login
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree with the changes, you may terminate your account at any time before the changes take effect by contacting support@pylocket.com or through the account deletion feature in the Developer Portal.
21. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below.
Privacy Inquiries
- Email: privacy@pylocket.com
- Mail: PyLocket, Sammamish, WA, USA
- Response Time: Within 30 days of receipt
Data Protection
For GDPR-related supervisory authority complaints, you may also contact your local data protection authority. A list of EEA data protection authorities is available on the European Data Protection Board website. For UK residents, you may contact the Information Commissioner's Office (ICO).
Additional Contacts
| Department | Email |
|---|---|
| General Support | support@pylocket.com |
| Security Issues | security@pylocket.com |
| Legal & Compliance | legal@pylocket.com |
We are committed to working with you to resolve any concerns about your privacy. If you are not satisfied with our response, you have the right to escalate your complaint to the appropriate regulatory authority as described above.