Privacy Policy · JavaObf

1. Who we are

The data controller for everything described below is Starux GmbH, a limited liability company registered in Switzerland under UID CHE-172.944.998, operating the JavaObf service at javaobf.com and its subdomains. References to "we", "us", "our", and "JavaObf" in this Policy mean Starux GmbH.

Reach us for any privacy matter at [email protected] or [email protected].

2. Data we collect

We only collect what we need to run the service and to honour our legal obligations.

2.1 Account data

Email address (required for sign-in and account-related notices).
Argon2id hash of your chosen password. We never store the password itself.
Account status, account creation timestamp, last sign-in timestamp.
Optional Stripe customer identifier when you start a paid plan.

2.2 Session and security data

Server-side session token, the IP address and user-agent string that opened the session, last-seen timestamp, revocation timestamp.
Audit log entries for sensitive actions (sign-in, password change, license issuance, admin actions). Each entry stores the event type, the IP at the time, and a small JSON payload describing what happened.
Rate-limit counters keyed by IP and (where available) account identifier.

2.3 Project content

Project name, description, slug, and any presets you save.
The original Java archives you upload for protection. Each upload replaces the previous one for that project, and any upload is hard-deleted within 24 hours regardless.
Static analysis snapshots derived from those archives (class lists, locks, descriptor metadata).
Build configuration JSON (the protection profile and per-build options you submit).

2.4 Build outputs

Protected jars produced by the engine.
Build reports, mapping files, and analysis artifacts associated with each build.
A per-build fingerprint code that lets us trace a leaked artifact back to the build that produced it.

2.5 Payment data

We use Stripe as our payment processor. Stripe handles card numbers; we never see them.
We store the Stripe customer identifier, subscription identifier, plan, status, current period start/end, and Stripe webhook events we have processed.

2.6 Product Licensing add-on data (Pro and Enterprise)

Products you register, including name, description, and the per-product cryptographic identity material we provision for you. The secret half of that material is held only by us and is encrypted at rest.
License keys you issue, plus optional customer email, tier label, expiry, max activations, and notes.
Activations recorded by the licensing gateway: only an opaque machine ID derived locally on the end-user's machine (not the underlying hardware identifiers), the IP address that performed the handshake, the user-agent string, timestamps, and the activation status.
License events triggered by the gateway and the notifier worker (activation, validation, machine ID mismatch, replay attempt, signature failure, and similar), including IP, geo, and a small JSON payload with the reason.
Notification channel configuration (Discord webhook URL, generic webhook URL, email address) and the secret used to sign outbound webhook bodies.

2.7 hCaptcha

Sign-in, registration, and license redemption are protected by hCaptcha. Solving a challenge sends a token to hCaptcha (Intuition Machines, Inc.) for verification. We receive only the verification result.

2.8 Cloudflare

Inbound traffic passes through Cloudflare for TLS termination, DDoS protection, and basic firewall. Cloudflare may briefly retain connection metadata (IP, ASN, request method) per its own policy.

3. Why we use it

Under Swiss FADP and (where applicable) Article 6 GDPR, our legal bases are:

Performance of contract for everything required to provide JavaObf to you (account, project storage, build pipeline, Product Licensing gateway, billing).
Legitimate interest in keeping the service secure and operable (audit logs, rate limits, anti-abuse, incident response, fraud detection).
Legal obligation for tax-relevant billing records.
Consent where we explicitly ask for it (for example, optional notification channels you configure).

4. Retention windows

The exact, non-negotiable lifetimes baked into the system:

Data	Retention	Why
Original uploaded jars	Until you upload a new one for the same project, with a hard cap of 24 hours after which the worker deletes them automatically.	The shortest practical window that still lets builds complete and lets you re-queue with adjusted settings.
Protected jars, build reports, mapping files, analysis snapshots	7 days after the build completes	So you can download your output and inspect the report. Re-queue if you need it back.
Build records (metadata only, not the jar)	Kept while the project exists, removed when the project or the account is deleted	Lets you see your build history and re-derive a fingerprint.
Account data	Until you delete your account, after which it is removed within 30 days	Backups may retain a copy for up to a further 30 days before rotation.
Sessions	Sliding 24 hour window, revoked on sign-out or password change	Limits exposure of a stolen cookie.
Audit log entries	12 months	Security review and incident response.
Rate-limit counters	Rolling window per scope (typically 1 hour)	Anti-abuse only, then discarded.
Stripe billing records	10 years	Swiss accounting and tax law.
Product Licensing: license keys, activations, events	Until you revoke or delete the license. Events kept for 12 months for forensics.	You are the controller for your end-customer data here. See section 8.
Raw hardware identifiers on the end-user's machine	Never sent to us. Never stored. Only an opaque machine ID derived locally reaches the gateway.	Privacy by design.

5. Processors and sub-processors

We use a small, fixed set of processors. None receive more data than necessary for the function listed.

Cloudflare, Inc. (US, with EU/CH presence): edge TLS termination, DDoS protection, WAF.
Stripe Payments Europe, Ltd. (Ireland) and Stripe, Inc. (US): card processing, subscription billing.
Intuition Machines, Inc. (hCaptcha) (US): bot mitigation on auth and license-redemption flows.
Discord Inc. (US): only when you configure a Discord webhook for license notifications. We POST to the URL you provided.
Hosting infrastructure: a Hetzner-class European host runs the application, database, object storage, and licensing gateway. Stored data resides in the EU.

6. International transfers

Where data leaves Switzerland or the EEA (Stripe, Cloudflare, hCaptcha, Discord), the transfer is governed by the European Commission's Standard Contractual Clauses with the Swiss adendum, and by the processor's own corporate transfer mechanisms. We do not sell or rent personal data to anyone.

7. Cookies and similar technologies

JavaObf uses a small number of strictly necessary cookies. We do not run analytics or tracking pixels.

session: the signed cookie that holds your sign-in state and CSRF token. Lifetime sliding 24 hours, SameSite=Lax, HttpOnly, Secure in production.
hCaptcha drops cookies on the captcha challenge frame to detect bot behaviour. Those cookies are subject to hCaptcha's own privacy policy.
Stripe Checkout drops payment-related cookies on its own domain when you go through checkout.

8. Product Licensing add-on

When you use Product Licensing, you are the data controller for the license keys, activations, and events tied to your end-customers. JavaObf acts as your processor for that data. Specifically:

The hardware identifier collected on your customer's machine is reduced to an opaque machine ID locally before transmission. We receive only that opaque value, never the raw underlying components.
IPs and geo derived from the gateway handshake are stored alongside each activation so that you can investigate suspicious behaviour.
You decide who receives notifications about your customers' license events. Channels you configure (Discord, generic webhook, email) receive only the data you subscribed to.
You may revoke, transfer, or delete any license at any time. Deletion removes the license row, its activations, and its events, subject to a 30 day backup window.
If your end-customers exercise rights against you, we will assist where the request reaches us through the wrong channel.

9. Your rights

You have the right to:

Access the personal data we hold about you.
Rectify inaccurate data.
Erase data, subject to legal retention obligations (notably tax records).
Export your data in a portable format.
Object to processing based on legitimate interest.
Withdraw consent for any processing based on consent.
Lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or your local supervisory authority.

To exercise any of these, write to [email protected]. We respond within 30 days. We may need to verify your identity before acting on a request.

10. Security

We apply industry-standard technical and organisational measures to protect your data, including modern transport encryption, salted password hashing, authenticated encryption for sensitive data at rest, anti-CSRF and content-security headers on every page, and audit logging on sensitive actions retained per section 4. We deliberately do not publish the full operational detail of our internal infrastructure here. Security disclosures are handled through our responsible-disclosure channel; reach us at [email protected].

11. Children

JavaObf is not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to this Policy

We may update this Policy as the service evolves. Material changes are announced by email to active accounts at least 14 days before they take effect. The "Effective" date at the top reflects the current version.

13. Contact

Starux GmbH
UID CHE-172.944.998
Switzerland
[email protected] or [email protected]