1. Controller
The data controller for sitereport.su is 78 OVER 37 LIMITED. Contact: support@overload.su.
2. What we collect when you visit the website
This site is delivered through bunny.net's content delivery network. The CDN logs basic request metadata — IP address, requested URL, response code, user agent, referrer and timestamp — for security and traffic-analysis purposes. We treat that metadata as a transient operational log and do not combine it with your identity unless we are investigating abuse of the website itself.
We do not run advertising trackers. We do not place third-party analytics cookies on first visit. If we add an analytics tool we will document it here and configure it with IP truncation enabled.
3. What we collect when you submit a report
When you submit a report through this website, by email or via Telegram, we receive whatever you send: the suspicious URL, your description of the harm, screenshots and any other artefacts you attach, and (optionally) your email address or Telegram identifier so we can send you a case number and a closure note.
Reporter identity is treated as confidential. We will not share it with the operator of the abusive site. We will share only the evidence required by hosts, registrars, registries, browser safe-browsing partners or ad networks to act on the abuse — and we will redact reporter details from that evidence by default.
4. Evidence we capture about third-party infrastructure
To process a report we capture and store evidence about the abusive website: time-anchored screenshots, source HTML, redirection chains, DNS, WHOIS, certificate transparency, and (where applicable) network-level captures. This evidence is hashed and stored in immutable archives; access is restricted to assigned investigators.
5. How long we keep things
Reports and case files are retained for the duration of active casework plus a reasonable period after closeout for recurrence monitoring and audit purposes (typically up to 24 months). CDN access logs are retained for the period configured at our infrastructure provider, which does not normally exceed 30 days for unaggregated records. Aggregated, non-identifying statistics may be retained indefinitely.
6. Lawful basis
Where the GDPR or analogous regimes apply, we process personal data on the basis of: (a) legitimate interests — operating an abuse-reporting service used by victims, brand owners and security professionals; (b) consent — where you submit information voluntarily and ask us to act on it; and (c) legal obligation — where required by law.
7. Sharing
We share information with: (a) infrastructure providers strictly necessary to operate the service (CDN, email, Telegram); (b) abuse contacts at the host, registrar, registry, browser, ad network or payment processor whose action we are seeking — limited to the evidence necessary; (c) law enforcement and regulators on lawful request. We do not sell personal data and we do not transfer evidence to data brokers.
8. International transfers
Abusive infrastructure and the parties responsible for taking it down are spread across many jurisdictions. Transfers from the European Economic Area or the United Kingdom rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism, where applicable.
9. Your rights
Subject to local law you may have rights of access, correction, deletion, portability and objection. To exercise any right, contact support@overload.su. Where evidence is held in connection with an active or recently closed case, deletion may be limited by our legal-interest basis and our duties to the victims of the campaign.
10. Reporter anonymity
If you do not include any contact information in a report, we have no way to identify you. We treat anonymous reports the same as identified ones. If you choose to give us a contact, that contact will only be used for case-related messages unless you ask us to use it for something else.
11. Security
Role-based access control, hardware-backed multi-factor authentication for staff, encrypted-at-rest evidence archives, segregated client environments. If a breach affects your data, we will notify you and (where required) the relevant supervisory authority within statutory timelines.
12. Children
This service is not directed to children. We do not knowingly collect personal data from children under 16 except as part of evidence relating to a report (for example, a screenshot of a phishing page that targeted a child).
13. Changes
Material changes to this policy will be posted here with a new "last updated" date.
14. Contact
78 OVER 37 LIMITED — privacy contact: support@overload.su. Telegram: @OverSupBot.