Privacy Policy

Last updated: 31 March 2026

In this policy, we lay out: what data we collect and why; how your data is handled; and your rights with respect to your data. We never sell your data.

As a part of establishing trust, 404 collects as little information about you as possible. By using the service, you agree to the collection and use of your information in accordance with this privacy policy.

This policy applies to our handling of information about site visitors, prospective customers, and customers of 404. Because 404's core product runs locally on your machine, this policy primarily covers information collected through the 404 website, account registration, billing, and related support channels, not the local operation of the software itself.

Important: local processing. 404's core functionality (TLS interception, fingerprint analysis, and any related traffic inspection) executes entirely on your local machine. Network traffic processed by the local software is never transmitted to, received by, or accessible to 404's servers or visible to any 404 human. That locally processed traffic is not collected by 404 within the meaning of this policy and is expressly excluded from its scope.

What we collect and why

Our guiding principle is to collect only what we need. Here's what that means in practice:

Identity and access

When you sign up for a 404 account, we ask for basic identifying information such as your email address. This is so we can associate your account, send you essential product and service communications, and provide billing support. With your consent, we may also send you our newsletter or other updates.

We'll never sell your personal information to third parties, and we won't use your name or company in marketing statements without your permission.

Billing information

If you sign up for a paid 404 account, payment and billing details are collected and processed by our payment processor (Stripe), not directly by 404. Full payment card data does not hit 404 systems. We generally retain only limited transaction metadata needed to confirm payment status, maintain account history, and provide billing support.

Product interactions

We do not use this service to broadly store or process your personal content. The primary time our servers look up account-related information is for payment operations: billing, invoice support, and verifying whether an account has an active paid status. In other words, account checks are used to confirm payment eligibility and service status, not to profile your identity.

General geolocation data

We may log the IP address used to sign up for an account for the purpose of mitigating fraudulent or spammy signups. IP-based data may also be logged incidentally by our hosting provider (Cloudflare) as part of standard request handling. We do not maintain our own long-term IP activity logs beyond what is operationally necessary.

Website interactions

We collect limited information about your browsing activity for analytics and statistical purposes, such as conversion testing and improving product design. For this, we use Plausible CE, a self-hosted analytics platform designed to be privacy-respecting and GDPR-compliant. Depending on configuration, this may include data such as browser and operating system versions, pages visited, referral source, and basic request metadata needed to generate aggregate traffic insights. We use this information to understand site performance and usage trends while minimizing personal data collection.

Anti-bot assessments

We use CAPTCHA across our applications to mitigate brute force logins and as a means of spam protection. We have a legitimate interest in protecting our apps and the broader Internet community from credential stuffing attacks and spam. When you log into your 404 accounts and when you fill in certain forms, the CAPTCHA service evaluates various information (e.g., IP address, how long the visitor has been on the app, mouse movements) to try to detect if the activity is from an automated program instead of a human. The CAPTCHA service then provides 404 with the spam score results; we do not have access to the evaluated information.

Voluntary correspondence

When you email 404 with a question or to ask for help, we retain that correspondence, including your email address, so that we have a history of past communications to reference if you reach out in the future. We do not use support correspondence for marketing purposes.

When we access or disclose your information

404 is built to minimize data collection. We do not collect personal data by default for profiling, tracking, or resale. Any personal data we process is information you explicitly provide for a specific, limited purpose.

To run billing and payment operations

We process only the information necessary to administer paid service, including billing, invoicing, payment-status verification, payment fraud prevention, and related billing support.

To provide support, with your permission

If you request support, we access only the minimum account information reasonably required to resolve that request. Because 404 is designed not to broadly collect user data or retain extensive activity logs, we may ask you to provide supplementary information (for example, screenshots, timestamps, error text, reproduction steps, or related technical details) when submitting a bug report.

To comply with legal obligations

We disclose personal data only where required by applicable law or valid legal process (for example, a court order or subpoena). Where legally permitted, we will provide notice before disclosure.

To address restricted uses and abuse reports

We take credible abuse reports seriously, but 404 is intentionally designed with limited centralized visibility. Core product behavior runs locally on user-controlled systems, and we do not continuously monitor user activity content.

As a result, we may not be able to independently verify every allegation of misuse through platform telemetry alone. We may rely on information provided by reporters, customers, payment processors, infrastructure providers, or other reliable third parties (for example, abuse complaints or indicators that an account or associated IP has been flagged for bot or abusive activity).

Where we determine there is sufficient evidence of restricted use, our primary enforcement action is to suspend or terminate the account. Where required or appropriate under applicable law, we may also report suspected unlawful conduct to relevant authorities.

If you believe your account was wrongly suspended or terminated, you may appeal by emailing support@404privacy.com with the subject line "ACCOUNT WRONGLY TERMINATED," and we will review the request and do what we reasonably can to remedy the situation.

What we do not do

At this time, our privacy commitments are straightforward:

  • We do not run third-party ad trackers, retargeting pixels, or behavioral ad-profiling scripts on this service.
  • We do not sell, rent, trade, or broker personal data.
  • We do not build cross-site advertising profiles about users.
  • We do not enrich user records with purchased data-broker information.
  • We do not use aggregated or de-identified user profiles for ad targeting or marketing segmentation.
  • We do not share personal data with other companies for their own marketing purposes.
  • We do not operate VPN infrastructure, proxy-routing networks, or hosted traffic-relay services; 404 is not a VPN.

Data controller and sub-processors

Data controller

404 is the data controller for personal information collected through our website, account registration, billing, and support channels. 404 does not act as a data processor with respect to traffic or content handled locally by the software on your machine.

Sub-processors

We use a limited number of third-party service providers to deliver the service:

| Provider | Role | Data involved |
|---|---|---|
| Cloudflare (Pages, Workers, KV) | Website hosting, serverless compute, key-value storage | IP addresses (incidental to request handling), email addresses stored in KV |
| Stripe | Payment processing | Payment card data, billing contact details, transaction records |
| Plausible CE (self-hosted) | Privacy-respecting website analytics | Aggregate, cookieless usage metrics — no personally identifiable information |

We do not share personal data with any other third-party service providers for processing. Each sub-processor is bound by its own data processing terms.

Your rights with respect to your information

At 404, we aim to apply the same core privacy rights to all users regardless of location, subject to applicable law.

Right to know

You have the right to know what personal information we collect, use, and disclose, and for what purposes. This policy describes those categories and uses.

Right of access

You have the right to request access to personal information we hold about you, including information about how it is processed, stored, and disclosed.

Right to correction

You have the right to request correction of inaccurate personal information.

Right to erasure

You have the right to request deletion of your personal information, subject to legal and operational limitations. In some cases, deletion may require suspension or closure of the account if the service cannot function without that data.

Right to complain

You have the right to lodge a complaint with your local data protection or supervisory authority regarding our handling of personal information.

Right to restrict processing

You have the right to request restriction of processing in certain circumstances, as provided by applicable law.

Right to object

You have the right, in certain circumstances, to object to our processing of your personal information.

Right to portability

Where applicable, you have the right to receive a copy of personal information you provided to us in a structured, commonly used format, and to request transfer to another controller where technically feasible.

Right regarding automated decision-making

You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, except where permitted by applicable law.

Right to non-discrimination

We do not discriminate against users for exercising privacy rights. However, certain requests (such as deletion or restriction) may limit or prevent use of features that depend on the relevant data.

How to exercise your rights

To submit a rights request, contact support@404privacy.com. We may need to verify your request using information reasonably necessary to confirm account ownership, payment status, or legal authority to act.

Response timeline

We will confirm receipt of your request within 15 days and provide information about how we will process it. We will respond substantively within 30 days. If we need additional time, we will notify you of the reason and the expected timeframe. We do not charge a fee to process or respond to a verifiable request unless the request is manifestly unfounded or excessive.

How we secure your data

404 is designed so that sensitive processing happens on your local machine whenever possible, not on centralized application servers.

Hosting model

We currently deliver the website and related application endpoints through Cloudflare's serverless platform (including Cloudflare Pages and Cloudflare Workers). We do not operate self-managed infrastructure for traffic routing, and we do not maintain separate hosted application servers on cloud server providers.

Data in transit

Connections to our web properties are protected using HTTPS with SSL/TLS in transit.

Data at rest and storage minimization

We intentionally minimize stored data. At this time, the primary persisted application data is limited key-value records used for operational purposes (for example, email addresses for waitlist or account-contact workflows). We do not intentionally maintain broad user-content databases or extensive behavioral activity logs on our own infrastructure.

Operational safeguards

We apply least-data and least-access principles in product design and operations. Access to account-related data is limited to defined business purposes such as billing operations, payment-status checks, and user-requested support.

Data breach notification

If we become aware of a security breach affecting personal data we control, we will notify affected users without undue delay in accordance with applicable data breach notification laws. Where required, we will also notify the relevant supervisory authority. Because 404 retains minimal personal data, the scope of any potential breach is inherently limited.

Important limitation

No method of transmission or storage is 100% secure. While we take reasonable technical and organizational measures appropriate to our architecture, absolute security cannot be guaranteed.

What happens to the logs on my machine

404 is designed so that logs do not persist on our infrastructure as a default product behavior. Limited high-level metrics may be available for research, product quality, or performance analysis, and such metrics are generally associated with paid plans. Where log export functionality is available, exported logs are provided as-is and are not sanitized by 404 before leaving the application. Once exported, those logs are your responsibility to store, handle, and transmit securely. Exported logs may contain sensitive material, including plaintext HTTP traffic and embedded secrets. For that reason, we strongly recommend that you do not share exported logs with unauthorized parties and do not send them over non-secure channels, including unencrypted email, text messaging, or other insecure communication methods.

Data retention

404 is designed to retain as little information as possible. We do not maintain persistent project-content stores, machine-level telemetry stores, or broad behavioral log archives about you. In normal operation, the primary information we retain is limited account and operational data such as your email address, certain IP-related security records, and minimal payment-status metadata required to operate paid accounts.

Payment and billing records are primarily held by Stripe as the payment processor. To the extent billing detail records are controlled by Stripe, legal process seeking those records may need to be directed to Stripe rather than 404. Where 404 receives legal process, we respond in accordance with applicable law and with the limited records we actually control.

Where optional export features are used, exported data leaves the controlled application environment and becomes your responsibility to secure and handle appropriately.

Cookies and Do-Not-Track

404 does not use advertising cookies, third-party tracking cookies, or behavioral profiling cookies. We do not run A/B testing scripts that set persistent cookies.

Our website analytics are provided by a self-hosted instance of Plausible CE, which is designed to operate without setting cookies and without collecting personally identifiable information. If a CAPTCHA service is used on any form, it may set its own cookies or use local storage as part of its bot-detection process; those cookies are controlled by the CAPTCHA provider and are not used by 404 for any other purpose.

Your browser settings allow you to control or block cookies. Blocking cookies should not affect your ability to use the 404 website or product, since the product itself runs locally on your machine.

Do-Not-Track signals

Some browsers transmit "Do-Not-Track" (DNT) signals. Because there is no accepted standard for how to respond to DNT signals, we do not currently respond to them. However, because we do not use third-party ad trackers or behavioral profiling, the practical effect is consistent with DNT intent.

Children's privacy

We believe privacy is for everyone, regardless of age. The same minimal-data principles described in this policy apply equally to all users. We do not collect more information from younger users than we do from anyone else.

404 does not collect date of birth, age, or other age-identifying information. We have no reliable mechanism to determine a free user's age. For paid accounts, the ability to complete a transaction through our payment processor (Stripe) serves as a practical indication that the account holder has access to a valid payment method and, where applicable, authorization from a parent or guardian to use it. This is the extent of our age-related verification.

Because we do not knowingly collect personal information from children under the age of 13 (or under 16 in jurisdictions where a higher age of consent applies), if we become aware that a user is a minor without appropriate parental or guardian consent where such consent is required by law, we will delete that user's information promptly. If you believe a child has provided us with personal information without appropriate consent, please contact support@404privacy.com so we can take appropriate action.

California and U.S. state privacy notices

California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) provides you with additional rights regarding your personal information:

  • Right to know what personal information we collect, use, and disclose.
  • Right to delete personal information we hold about you, subject to certain exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information. We do not sell or share personal information as defined by the CCPA.
  • Right to non-discrimination for exercising your CCPA rights.

To exercise these rights, contact support@404privacy.com. We will verify your identity before processing your request.

Nevada

We do not sell covered information as defined under Nevada law. Nevada residents may submit an opt-out request to support@404privacy.com.

Virginia, Colorado, Connecticut, and other U.S. states

Residents of states with comprehensive consumer privacy laws (including the VCDPA, CPA, and CTDPA) have rights substantially similar to those listed above, including rights to access, correct, delete, and port personal data, and to opt out of targeted advertising, profiling, and sale of personal data. 404 does not engage in targeted advertising, profiling, or sale of personal data. To talk about how we protect your right to privacy, contact support@404privacy.com.

Location of site and data

404 is operated as a U.S.-based sole proprietorship. The website and related serverless endpoints are delivered through Cloudflare's global edge network. Cloudflare may process requests through data centers located in various countries depending on your geographic location.

Because 404 does not operate its own centralized application servers, the limited data we do retain (such as email addresses and payment-status metadata) is stored within Cloudflare's infrastructure or within Stripe's systems for payment data. If you are located outside the United States, please be aware that any information you provide to us may be processed in the United States or in the jurisdiction of the relevant infrastructure provider.

International data transfers

If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with data transfer restrictions, information you provide may be transferred to and processed in the United States or other countries where our infrastructure providers operate.

We rely on the following mechanisms to ensure adequate protection of transferred data:

  • Standard Contractual Clauses (SCCs): Our infrastructure providers (including Cloudflare and Stripe) maintain data processing agreements that incorporate EU-approved Standard Contractual Clauses.
  • Provider certifications: Cloudflare and Stripe each maintain their own compliance programs, including certifications and data processing addenda designed to meet GDPR and UK GDPR requirements.

Because 404 itself retains minimal personal data, the volume and sensitivity of cross-border transfers are limited. We do not independently transfer bulk personal data outside of what is handled by these providers in the normal course of delivering the service.

Ownership transfer or dissolution

While we have no intent of doing so, if 404 is acquired by or merges with another entity, or if the business is dissolved, we will provide notice before any personal information is transferred to a new party or becomes subject to a different privacy policy. In the event of dissolution with no successor, we will delete all retained personal data within a reasonable period.

Changes and questions

We may update this policy as needed to reflect changes in our practices or applicable law. If we make significant changes, we will update the date at the top of this page. Where feasible, we will notify active account holders of material changes.

Have questions, comments, or concerns about this privacy policy, your data, or your rights? Contact us at support@404privacy.com.