EncryptCodec

Privacy Policy

Last updated: March 2026

1. Introduction

EncryptCodec, a product of Aviera Labs ("we", "us", or "our"), operates encryptcodec.com, a security training platform and developer toolkit offering interactive simulations, educational games, browser-based cryptography tools, and a REST API. We are committed to protecting your privacy and being transparent about how information is handled when you use our services. This Privacy Policy explains what data is collected, how it is used, and your rights with respect to that data. By using encryptcodec.com or the EncryptCodec API, you agree to the practices described in this policy.

2. How Our Services Work

EncryptCodec provides the following categories of services:

2.1 Security Simulations (Browser-Based)

We offer 16 interactive attack simulations covering SQL injection, XSS, CSRF, JWT forgery, padding oracle attacks, and more. These simulations run entirely in your browser against fictional, locally-generated data. No simulation data is sent to our servers.

2.2 Security Games (Browser-Based)

We offer 13 score-based educational games including log analysis, certificate inspection, cipher challenges, and others. These games run entirely in your browser. Game scores and high scores are saved to localStorage on your device and, if you are signed in, recorded in your account for progress tracking.

2.3 Browser-Only Tools (No Network Requests)

49 browser tools — including AES encryption/decryption, SHA hashing, Base64 encoding/decoding, JWT decoding and signing, HMAC generation, password strength checking, RSA/EC key generation, TOTP generation, bcrypt/Argon2 hashing, JSON/YAML/CSV formatting, regex testing, diff checking, cron building, and all other crypto and formatting tools — run entirely inside your browser using the Web Crypto API and JavaScript. This means:

• The plaintext, ciphertext, keys, passwords, tokens, or any other sensitive material you enter is never sent to our servers or any third party.
• We have no technical ability to access, read, log, or store the content you process.
• Closing or refreshing the page clears all tool state immediately.
• You can verify this by inspecting network requests in your browser's developer tools.

2.4 Browser Network Tools (External API Calls)

Some web tools make requests to third-party public APIs directly from your browser. These requests go straight from your browser to the API provider — they are never proxied through or logged by our servers. These tools are:

• Site Auditor — calls the Google PageSpeed Insights API (googleapis.com).
• DNS Lookup — queries Google Public DNS (dns.google).
• WHOIS Lookup — queries RDAP servers (rdap.org).
• SSL Checker — calls the Qualys SSL Labs API (ssllabs.com).
• Password Breach Checker — uses the Have I Been Pwned API (haveibeenpwned.com) with k-anonymity. Only the first 5 characters of your password's SHA-1 hash are sent — your full password never leaves your browser.
• SRI Hash Generator — may fetch resources from CDN URLs you provide (subject to CORS restrictions).

2.5 EncryptCodec API (Server-Side Processing)

The EncryptCodec REST API offers 35+ endpoints for cryptography, hashing, encoding, JWT operations, format conversion, and utilities. When you use the API, your request data is transmitted to our servers, processed, and the result is returned to you. We do not store or log the content of your API request payloads or response payloads. Only metadata (endpoint called, timestamp, response status) is recorded for usage tracking and rate limiting.

3. Information We Collect

3.1 Account Information

When you create an EncryptCodec account, we collect:

• Email address — used for authentication, password resets, and service notifications
• Name — used for display purposes in your dashboard, public profile, and certificates
• Password — stored as a bcrypt hash (cost factor 12). We never store or have access to your plaintext password.

3.2 Training Progress Data

When you use EncryptCodec as a signed-in user, we record:

• Simulation completions — which simulations you have completed and when
• Game scores — your scores for each game session and highest scores
• Achievements — badges and milestones earned through training activities
• Learning path progress — your advancement through structured learning paths
• Streaks — consecutive days of training activity

This data is used to provide progress tracking, generate completion certificates, and power team progress reports.

3.3 Activity Log

We maintain a unified activity log for authenticated users that records:

• Action type (login, simulation completion, game score, achievement earned, profile update, etc.)
• Timestamp of the action
• IP address and user agent at the time of the action

This data is used for security monitoring, audit purposes, and to provide your activity history in the dashboard. Activity logging for authenticated users is part of the service and is not gated by cookie consent — it is covered by these Terms when you create an account.

3.4 Team Data

If you create or join a team, we store:

• Team name and team settings
• Member list (user accounts associated with the team)
• Member roles (admin, member)
• Aggregated training progress visible to team admins

Team admins can view progress reports for their team members and export team data as CSV.

3.5 Certificates and Public Profiles

• Certificates — when you complete a learning path, we generate a completion certificate linked to your account. Certificates include your name, the learning path completed, and the date of completion.
• Public profiles — you may optionally enable a public profile that displays your name, achievements, and training progress. Public profiles are disabled by default and fully controlled by you.

3.6 API Keys

When you generate an API key, we store a SHA-256 hash of the key. The full key is shown to you once at creation and is never stored or retrievable by us afterward.

3.7 API Usage Data

When you use the EncryptCodec API, we record:

• Which endpoint was called
• Timestamp of the request
• API key used (hashed)
• Response status code

This data is used for usage tracking, rate limiting, and billing. We do not log request or response payloads.

3.8 Billing Information

If you subscribe to a paid plan (Training or API), payment processing is handled entirely by Stripe. We do not collect, store, or have access to your credit card numbers or bank account details. We receive from Stripe:

• Your Stripe customer ID and subscription ID
• Plan type and subscription status (Training and API subscriptions are managed separately)
• Payment status (success, failure, cancellation)
• For Team plans: per-seat billing information

See Stripe's privacy policy at stripe.com/privacy for details on how they handle payment data.

3.9 Monitoring Service Data

If you use our monitoring services (SSL certificate monitoring, uptime monitoring, security header scanning), we store:

• The domains and URLs you add for monitoring
• Check results (certificate details, uptime status, response times, header scan reports)
• Alert history

This data is associated with your account and retained as long as the monitor is active.

3.10 Cookie Consent and Analytics Data

We use a cookie consent system to give you control over non-essential tracking:

• Your consent choice ("accepted" or "rejected") is stored as ec_consent in localStorage on your device.
• Google Analytics 4 (GA4) only loads if you have accepted cookies. GA4 collects anonymous usage statistics including pages visited, general geographic region, browser type, and referral source.
• Anonymous session tracking (ec_anon_session in localStorage) is only activated if you have accepted cookies. This generates a random session identifier stored locally to help us understand anonymous usage patterns.
• If you reject cookies or have not made a choice, neither GA4 nor anonymous session tracking will activate.

3.11 What We Do Not Collect

We do not collect:

• Content of API request or response payloads (encryption inputs, hash inputs, converted data, etc.)
• Content entered into browser-based tools, simulations, or games
• Credit card numbers or bank details (handled by Stripe)
• Precise geolocation data

4. How We Use Your Information

We use the information we collect for the following purposes:

• Authentication — to verify your identity when you log in and access your dashboard
• Training delivery — to track your simulation completions, game scores, achievements, and learning path progress
• Certificates — to generate completion certificates when you finish learning paths
• Team features — to provide team admins with aggregated progress reports and enable team collaboration
• Service delivery — to process API requests, enforce rate limits, and track usage against your plan quota
• Activity logging — to maintain a security audit trail and provide your activity history
• Billing — to manage subscriptions for both Training and API plans, process payments through Stripe, and handle per-seat team billing
• Monitoring — to perform scheduled checks on domains and URLs you configure and send alerts
• Communication — to send password reset emails, payment failure notifications, and critical service notifications via AWS SES
• Security — to detect abuse, enforce rate limits, and protect the platform
• Improvement — to understand aggregate usage patterns and improve the service (only with your consent for non-essential analytics)

We do not sell, rent, or share your personal information with third parties for marketing purposes.

5. Cookies, Consent, and Local Storage

5.1 Cookie Consent

We provide a cookie consent banner when you first visit the site. Your choice controls whether non-essential tracking is activated:

• If you accept: Google Analytics loads and anonymous session tracking (ec_anon_session) is activated.
• If you reject or make no choice: neither GA4 nor anonymous session tracking will run.

Your consent preference is stored as ec_consent in localStorage and can be changed at any time.

5.2 Cookies

We do not set first-party cookies for website visitors. If you accept cookie consent, Google Analytics sets its own cookies (_ga, _ga_*) for statistical purposes. These do not contain personally identifiable information and are not used for advertising. You can also prevent Google Analytics cookies by:

• Using a browser extension such as uBlock Origin or the Google Analytics Opt-out Add-on
• Blocking third-party cookies in your browser privacy settings

5.3 Essential Local Storage (Not Gated by Consent)

The following localStorage items are essential to the service and are not gated by cookie consent:

• Authentication tokens — your access token is stored in sessionStorage (cleared when you close the tab) and your refresh token is stored in localStorage (persists until logout or expiry).
• Game high scores — saved to localStorage so scores persist between visits.
• Onboarding progress — tracked in localStorage for dashboard onboarding steps.

5.4 Non-Essential Local Storage (Gated by Consent)

The following localStorage items are only created if you accept cookies:

• ec_anon_session — a random session identifier for anonymous usage tracking.

All localStorage and sessionStorage data exists only on your device and is not accessible to us. You can clear it at any time via your browser settings.

5.5 Authenticated User Activity Logging

Activity logging for signed-in users (logins, simulation completions, game scores, etc.) is part of the core service and is not gated by cookie consent. By creating an account, you agree to this logging as described in Section 3.3.

6. Third-Party Services

6.1 Stripe (Payment Processing)

Paid subscriptions (both Training plans and API plans) are processed by Stripe. When you subscribe, you interact directly with Stripe's checkout page. We receive subscription metadata but never your payment card details. See stripe.com/privacy.

6.2 AWS (Hosting and Email)

Our API is hosted on Amazon Web Services (AWS EC2). Transactional emails (password resets, payment notifications, welcome emails) are sent via AWS Simple Email Service (SES). AWS may retain standard infrastructure logs. See AWS Privacy Notice.

6.3 AWS Amplify (Web Hosting)

The website is hosted on AWS Amplify. AWS may retain standard server access logs for a limited period.

6.4 Cloudflare (CDN and DNS)

Traffic passes through Cloudflare for performance and DDoS protection. Cloudflare may process request metadata as part of its service. See Cloudflare Privacy Policy.

6.5 Google Analytics

We use GA4 for anonymous website usage statistics, gated behind cookie consent. GA4 only loads if you have accepted cookies. See policies.google.com/privacy. Opt out at tools.google.com/dlpage/gaoptout.

6.6 ip-api.com (IP Geolocation)

The IP Lookup API endpoint queries ip-api.com for geolocation data. The IP address you submit is sent to their service. See ip-api.com/docs/legal.

6.7 Browser Network Tool APIs

The browser-based network tools call external APIs directly from your browser (Google PageSpeed Insights, Google Public DNS, RDAP.org, Qualys SSL Labs, Have I Been Pwned). We do not proxy or log these requests. See each provider's privacy policy for details.

6.8 No Advertising Networks

We do not use advertising networks, retargeting pixels, or third-party tracking scripts beyond Google Analytics. We do not sell or share your data with advertisers or data brokers.

7. Data Retention

7.1 Account Data

Your account information (email, name, password hash) is retained as long as your account is active. You can delete your account at any time from your dashboard settings, which permanently removes your account data, API keys, usage logs, training progress, activity history, team memberships, certificates, and monitoring configurations.

7.2 Training Progress

Simulation completions, game scores, achievements, streaks, and learning path progress are retained as long as your account is active. Deleting your account permanently removes all training data.

7.3 Activity Logs

Activity log entries (action type, timestamp, IP address, user agent) are retained for the duration of your account. Deleting your account permanently removes all activity log entries.

7.4 Team Data

Team data (team name, member list, progress reports) is retained as long as the team exists. If you leave a team, your membership record is removed but your individual training data remains in your account. If a team is deleted, all team-specific data is removed.

7.5 Certificates

Certificates are retained as long as your account is active. Deleting your account removes your certificates.

7.6 API Usage Logs

API usage logs (endpoint, timestamp, status — no payloads) are retained for the duration of your current billing period plus one prior period for billing reconciliation, after which they are automatically purged.

7.7 Monitoring Data

Monitoring check results (uptime checks, SSL certificate snapshots, header scan reports) are retained as long as the monitor is active. Deleting a monitor removes all associated check history.

7.8 Browser Tool Data

No tool input or output from browser-based tools, simulations, or games is ever transmitted to our servers. All state exists only in your browser's memory and is discarded when you close or refresh the page.

7.9 Analytics Data

Google Analytics retains aggregated session data for 26 months by default. Anonymous session identifiers (ec_anon_session) exist only in your browser's localStorage.

7.10 Server Logs

AWS and Cloudflare may retain infrastructure-level access logs for up to 90 days.

8. Data Security

We implement the following security measures to protect your data:

• All traffic is encrypted via HTTPS (TLS 1.3)
• Passwords are hashed using bcrypt with a cost factor of 12
• API keys are stored as SHA-256 hashes — the plaintext key is shown once and never stored
• JWT access tokens expire after 15 minutes; refresh tokens expire after 7 days
• Database connections use encrypted transport
• DDoS protection via Cloudflare
• Rate limiting on all API endpoints
• Environment secrets are stored securely and never committed to version control

Despite these measures, no method of electronic transmission or storage is 100% secure. We recommend using EncryptCodec on trusted devices and networks, especially when working with sensitive keys or credentials.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

9.1 Right to Access

You can view all personal data we hold about you from your account dashboard (profile, training progress, activity history, API usage, team memberships, certificates, and monitors).

9.2 Right to Rectification

You can update your name and email from your dashboard settings.

9.3 Right to Erasure

You can delete your account from your dashboard settings. This permanently removes all account data, training progress, activity logs, API keys, usage logs, certificates, team memberships, and monitors. This action is irreversible.

9.4 Right to Data Portability

You can export your usage data and training progress from the dashboard. Team admins can export team progress reports as CSV.

9.5 Right to Opt Out

You can reject cookie consent to prevent Google Analytics and anonymous session tracking. You can change your consent choice at any time. You can unsubscribe from non-essential emails at any time.

9.6 GDPR (European Users)

If you are located in the EEA, our lawful basis for processing your data is: contract performance (account, training, and API service), legitimate interest (security and activity logging), and consent (analytics and anonymous tracking). You have the right to object to processing at any time.

9.7 CCPA (California Users)

We do not sell personal information. We do not share personal information for cross-context behavioural advertising.

To exercise any of these rights, contact us at contact@avieralabs.com or use the self-service options in your dashboard.

10. Children's Privacy

EncryptCodec is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has created an account, please contact us at contact@avieralabs.com and we will promptly delete the account.

11. Links to Other Sites

Our blog and documentation may contain links to external websites. We are not responsible for the privacy practices of those sites. We recommend reviewing the privacy policy of any external site you visit.

12. International Users

EncryptCodec is operated by Aviera Labs from India. Our API servers are hosted in the United States (AWS us-east-1). By using the service, you consent to the transfer and processing of your data in these locations. Data processed by Google Analytics and AWS may be transferred to and stored in countries with different data protection laws than your own.

13. Changes to This Policy

We may update this Privacy Policy as the service evolves or legal requirements change. We will update the "Last updated" date at the top of this page. For material changes (such as new categories of data collection or new third-party processors), we will notify registered users via email. Continued use of EncryptCodec after changes are posted constitutes your acceptance of the revised policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: contact@avieralabs.com
Website: encryptcodec.com

We aim to respond to all privacy-related enquiries within 7 business days.