Privacy Policy

Last updated: March 2026

1. Overview

Has This Site Been Poisoned? ("HTSBP", "we", "the service") is an open-source threat intelligence service for AI agents. This policy describes what data is collected, how it is used, and your rights.

2. Data Collected

2a. API & MCP Usage

When you query the REST API or MCP server, we may log:

  • The domain or URL queried
  • Timestamp of the request
  • HTTP method and response status

We do not collect IP addresses, user identifiers, or personal information from API requests. Analytics are collected server-side via Netlify Analytics and contain no personally identifiable information.

2b. Threat Contributions (Pull Requests)

When you contribute a threat entry via Pull Request on GitHub, the submission is governed by GitHub's Privacy Policy. The PR validation workflow fetches the contributed URL once to verify reachability and presence of IDPI payloads; no information about the contributor is collected by HTSBP beyond what GitHub already exposes via the PR.

3. How Data Is Used

  • API logs: operational monitoring and abuse prevention only. Not used for tracking.
  • Threat reports: verification and, if confirmed, publication in the public threat database on GitHub.
  • Aggregate statistics (total threats, domains flagged) are published on the site. No individual request data is published.

4. Data Storage & Retention

  • All threat data is stored as JSON files in the public GitHub repository.
  • Server logs are retained for up to 30 days via Netlify's infrastructure.
  • No database is used, and no third-party analytics services are used beyond Netlify's server-side analytics.

5. Third-Party Sharing

We do not sell, rent, or share personal data with third parties. Threat intelligence data (domain names, attack patterns) is published publicly as part of the service's open-source mission.

Infrastructure providers:

  • Netlify — hosting and serverless functions
  • GitHub — source code and data storage

6. MCP Server & Claude Integration

When used as an MCP connector via Claude, tool call parameters (domains/URLs queried) may be logged by Anthropic per their Privacy Policy. HTSBP does not receive or store user identity information from MCP connections.

7. Open Source

HTSBP is fully open source under the MIT license. All data processing logic is publicly auditable at github.com/tanbablack/htsbp.

8. Your Rights

If you submitted a threat report and wish to have it reviewed or removed, open a GitHub Issue. We will respond within 14 days.

9. Contact

For privacy-related questions, open an issue at github.com/tanbablack/htsbp/issues.