District 4 Labs Database Privacy Policy (“Policy”)
Updated: 22 September 2023
District 4 Labs, LLC (“District 4”) collects breached and compromised data from the open, deep and dark web. Collected data is uploaded into our Darkside database (“Darkside”). We offer access to Darkside as a part of the products and services we provide to clients (collectively, the “Offerings”) to help clients manage risk; conduct investigations; and gather intelligence. “Personal Data” means any information that identifies or relates to a particular individual and also includes information referred to as “personally identifiable information” or “personal information” under applicable data privacy laws.
This Policy applies to District 4’s collection, use, sharing, and processing of data collected from available open sources on the internet. For the avoidance of doubt, Darkside may or may not include your personal data. This Policy only applies to the extent that your data is actually collected by District 4. For information on how we collect, share, use, and protect your data when you visit our website, please refer to our Website Privacy Policy. This Policy supplements but does not supersede our Website Privacy Policy; however, in the event of any conflict, this Policy shall prevail.
Types of Data We Collect
In the process of collecting data for Darkside, we may collect any exposed data about you (including Personal Data) that can be found in the open, deep, and dark web. In most cases, categories of Personal Data we collect may include: first and last name, username, email address, and telephone number.
In limited cases, the categories of Personal Data we collect through the Internet may also include: date of birth, physical address, social security numbers and other national ID information, passwords, credit card numbers, and other account numbers.
We do not review each element of the data we collect for Darkside, nor do we have the ability to separate out specific data elements from any specific source or breach corpus that we find on open sources on the internet. As such, while data that we collect for Darkside may contain your Personal Data, we have no control over what data is included in each source or breach.
How We Use Your Data
We use and process data (including Personal Data) from available open sources as described in this Policy for the purpose of enabling vetted clients to use our Offerings to investigate fraud and other criminal activity, protect their personnel and assets, mitigate cybersecurity risks, and collect security-related intelligence (collectively, the “Acceptable Use”). We also use and process data to develop new Offerings which are used largely for the same purposes.
We will not use the Personal Data we collected for materially different, unrelated, or incompatible purposes. We require clients to only use the Services pursuant to their intended and agreed upon acceptable use. We prohibit all uses involving the Offerings that are illegal, infringe on the rights of others, interfere with or diminish the use of the Offerings by others, or that otherwise adversely affect the Offerings or District 4.
How We Share Your Data
District 4 makes every effort to limit the number of third parties with whom we share Personal Data. However, we do share such data with vetted clients who are using our Offerings for the above outlined acceptable uses, so it is possible such clients will gain access to your Personal Data. These clients by and large do not conduct large queries of Darkside and are seeking information about a limited number of potential research subjects. Certain law enforcement and government agencies will also use our Offerings to investigate criminal activity and gather intelligence for security purposes.
We also share data with third party hosts like Amazon Web Services (“AWS”) that allow us to develop our Offerings. In certain cases, we will share data with third party service providers who are engaged by District 4 to assist with, among other use cases:
- Auditing, compliance, and internal information security
- Investigating District 4-related security incidents
- Fixing bugs and/or other errors related to one of our Offerings
- Infrastructure improvements, re-indexing, and other related internal projects
Security & Retention
We seek to protect your Personal Data from unauthorized access, use and disclosure using appropriate physical, technical, organizational and administrative security measures based on the type of Personal Data and how we are processing that data. All Personal Data is encrypted while under our control.
If Darkside contains your Personal Data, we will retain that data for at least ten (10) years. After the initial ten (10) year period has expired, District 4 will review that Personal Data on an annual basis to determine whether it remains relevant to or necessary for the provision of Offerings. In some cases we may retain Personal Data for longer periods if doing so is necessary to comply with our legal obligations, resolve disputes, or is otherwise permitted or required by applicable law, rule or regulation.
California Resident Rights
If you are a California resident, you have the rights set forth in this section.
If there are any conflicts between this section and any other provision of this Database Policy and you are a California resident, the portion that is more protective of Personal Data shall control to the extent of such conflict. If you have any questions about this section or whether any of the following rights apply to you, please contact us at info@district4labs.com.
Please follow the instructions and requirements described below and on our websites when submitting your requests. Requests that fail to comply with any of these instructions and requirements may result in delayed or no response.
To exercise the rights described below as a California resident, you must send us a request (1) that provides sufficient information (including, without limitation, email verification) to allow us to verify that (i) you are the person about whom we have collected Personal Data, (ii) you, as the requester, are the same person as the data subject whose information you’re requesting (or such person’s parent/guardian), (2) that describes your request in sufficient detail to allow us to understand, evaluate and respond to it, (3) that declares, under the penalty of perjury, that you’re exercising your rights under the CCPA as a California resident solely for lawful purposes, and (4) in a way that does not and would not unduly burden or otherwise abuse our data request system, our Darkside, and/or our Services. Each request that meets all of these criteria will be considered a “Valid Request.” We may not respond to requests that do not meet these criteria. We will use commercially reasonable efforts to determine whether a request may be for harmful, fraudulent, deceptive, threatening, harassing, defamatory, obscene, or otherwise objectionable purposes, and we reserve the right not to respond to such request. We will only use Personal Data provided in a Valid Request to verify your identity and complete your request. You do not need an account to submit a Valid Request.
We will work to respond to your Valid Request within 45 days of receipt. We will not charge you a fee for making a Valid Request unless your Valid Request(s) is excessive, repetitive or manifestly unfounded. If we determine that your Valid Request warrants a fee, we will notify you of the fee and explain that decision before completing your request. You may submit a Valid Request by emailing us at info@district4labs.com.
You may also authorize an agent (an “Authorized Agent”) to exercise your rights on your behalf. To do this, you must provide your Authorized Agent with written permission to exercise your rights on your behalf, and we may request a copy of this written permission from your Authorized Agent when they make a request on your behalf.
You have the right to request certain information about our collection and use of your Personal Data over the past 12 months. In response to a Valid Request, we will provide you with the following information:
- The categories of Personal Data that you requested and that we can reasonably determine, via a review of Darkside, that we have collected about you.
- The categories of sources that we can reasonably determine, via a review of Darkside, from which that Personal Data was collected.
- The business or commercial purpose for collecting or selling your Personal Data.
- The categories of third parties with whom we have shared your Personal Data.
- The specific pieces of Personal Data that you explicitly requested and that we can reasonably determine, via a review of Darkside, that we have collected about you.
If we have disclosed your Personal Data to any third parties for a business purpose over the past 12 months, we will identify the categories of Personal Data shared with each category of third party recipient, unless we’re restricted from doing so by law or court order. If we have sold your Personal Data over the past 12 months, we will identify the categories of Personal Data sold to each category of third party recipient, unless we’re restricted from doing so by law or court order.
You acknowledge that in some cases, we may not know whether your Personal Data is contained in Darkside. For example, if a password happens to be contained in Darkside, we have no way to know whether that password, absent any other information clearly identifying you as the source of the password, is your Personal Data (or possibly the Personal Data of someone else who uses the same password).
You have the right to request that we delete the Personal Data that we have collected about you. Under the CCPA, this right is subject to certain exceptions: for example, we may need to retain your Personal Data to provide you with the Offerings or complete a transaction or other action you have requested. If your deletion request is subject to one of these exceptions, we may deny your deletion request, even if it otherwise constitutes a Valid Request. You acknowledge that we are constantly collecting exposed identity information found in open sources on the open, deep, and dark web, and placing that information into Darkside. With that in mind, in the event that we delete your Personal Data in response to a Valid Request, you acknowledge that nothing will prevent the possible collection of that Personal Data at some future time, if that Personal Data happens to be contained in other sources.
Personal Data Sales Opt-Out and Opt-In
We use the term ‘sell’ as it is defined in the CCPA. We sell your Personal Data solely to the extent that: (i) we make Darkside available to our clients via their use of the Offerings; (ii) we make the Offerings available to clients for a fee; and (iii) Darkside contains Personal Data about you at the time that the client is accessing the Offerings that utilize Darkside. The categories of Personal Data that may be sold will vary based on the content of Darkside at any given time. You can submit a data access request for information regarding the categories of Personal Data sold to each category of third party recipient.
You have the right to opt out of sales of your Personal Data. Please note that such an opt-out request also needs to be a Valid Request (as described above). We will not discriminate against you for exercising your rights under the CCPA.
European Union Data Subject Rights
If you are a resident of the European Union (“EU”), United Kingdom, Liechtenstein, Norway or Iceland, you may have additional rights under the EU General Data Protection Regulation (the “GDPR”) with respect to your Personal Data. For this section, we use the terms “Personal Data” and “processing” as they are defined in the GDPR, but “Personal Data” generally means information that can be used to individually identify a person, and “processing” generally covers actions that can be performed in connection with data such as collection, use, storage and disclosure.
If there are any conflicts between this section and any other provision of this Policy, the policy or portion that is more protective of Personal Data shall control to the extent of such conflict. Note that we may also process Personal Data of our customers’ end users or employees in connection with our provision of our Offerings, in which case we are the processor of Personal Data. If we are the processor of your Personal Data (i.e., not the controller), please contact the controller party in the first instance to address your rights with respect to such data.
We may need to collect and process Personal Data in order to provide requested information, provide the Offerings to you, or because we are legally required to do so.
You can contact us at info@district4labs.com with any questions, concerns, or relevant requests. In compliance with data protection regulations, District 4 has appointed a Data Protection Officer (DPO).
Processing Purposes
The purpose of District 4’s Darkside is to support the Offerings by collecting data from available sources on the internet and extracting relevant information from that data. This includes information about individuals, companies, organizations, places, etc. The data is stored in a centrally located and highly secure location. District 4 processes the data contained in Darkside in order to create correlations between data records for legitimate business purposes, which are described above in this Policy. When we process Personal Data that may be contained in Darkside for these purposes, we make sure to consider any potential impact on potential data subjects and their rights under data protection laws.
Lawful Basis for Processing
In line with the purposes pursued by District 4, the legitimate basis for processing this information is the legitimate interest it has in analyzing the information in Darkside to help clients investigate fraud and other criminal activity, protect their personnel and assets, mitigate cybersecurity risks, and collect security-related intelligence. District 4 does not share your Personal Data with third parties that are not specified in this Policy. District 4 may only disclose your Personal Data without your consent if the disclosure of such information is reasonably necessary to satisfy any applicable law, regulation, legal process or valid governmental request or detect, prevent, or otherwise address fraud, security or technical issues.
Retention Periods
We will retain your Personal Data for as long as necessary in accordance with the purpose(s) for which it was collected and in accordance with applicable law.
How can you exercise your rights?
If you would like to review, correct, update, suppress, delete or otherwise limit our use of your Personal Data that has been previously provided to us, or if you would like to request an electronic copy of your Personal Data for purposes of transmitting it to another company (to the extent you have a right to data portability under applicable law), you may make a request by contacting us using the information provided in the contact section of the website. We will respond to your request in a manner consistent with applicable law.
For your protection, we may only implement requests with respect to the Personal Data associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable and consistent with applicable law.
You acknowledge that we are constantly collecting exposed data from open sources and adding that data to Darkside. With that in mind, in the event that we delete your Personal Data in response to a Valid Request, you acknowledge that nothing will prevent the possible collection of that Personal Data at some future time, if that Personal Data happens to be contained in other sources.
Changes to this Policy
We may need to update or change this policy in the future. We will alert you to any such changes by placing a notice on our website and/or by some other means.
Contact Information
You can reach District 4 at info@district4labs.com.