Privacy Policy
Last updated: 21.05.2026
1. Who we are
Fusengine Sàrl (CHE-144.098.128), Boulevard Saint-Martin 29, 1800 Vevey, Switzerland, is the data controller for any personal data processed through this website and the Bastion Security extension. Contact for privacy inquiries: support@bastion-security.io.
2. Scope
This policy covers data processed by (a) the bastion-security.io marketing website, (b) the Bastion Security Plesk extension running on customer servers, and (c) the customer subscription lifecycle (sign-up, billing, support).
3. What we collect and why
- Marketing website: server logs (IP address, user agent, request path, timestamp) for the duration of a session. No analytics SDK, no advertising pixel, no tracking cookie.
- Subscription billing: business name, billing address, contact email, VAT identifier (where applicable), payment method tokens. Collected by our payment processor and shared with us in tokenised form for invoicing and support.
- License activation: a per-server cryptographic fingerprint (hash of Plesk instance UUID + hostname) used to bind an active subscription to a deployed install. No content of customer sites is included.
- Extension diagnostic bundles: when an active subscriber opens a support ticket and explicitly attaches a bundle, we receive anonymised counts of decisions, bouncer health, and recent error logs. Telemetry is never collected silently.
4. Legal basis
- Contract (GDPR art. 6(1)(b), FADP art. 31): billing, license issuance, customer support.
- Legitimate interest (GDPR art. 6(1)(f)): defensive logging of the marketing website, abuse prevention.
- Legal obligation (GDPR art. 6(1)(c), Swiss CO): bookkeeping retention.
5. Retention
Marketing website server logs: maximum 30 days. Billing and invoice records: 10 years (Swiss accounting law). License activation records: lifetime of the active subscription plus 12 months. Support tickets: 24 months after closure. Diagnostic bundles: deleted within 30 days of ticket closure unless the customer asks us to retain them for follow-up.
6. Cookies and tracking
bastion-security.io serves no first-party tracking cookie and embeds no third-party analytics or advertising script. A strictly functional session cookie may be set inside the authenticated customer portal once issued. No consent banner is required for the marketing site under its current scope.
7. Sub-processors
Bastion Security is hosted and serviced through the following processors. We share only the minimum data each requires.
- Lemon Squeezy, Inc. (United States) as Merchant of Record, including its sub-processors Stripe Payments Europe Ltd. (Ireland) for card processing and Paddle-equivalent tax remittance.
- Marketing website hosting on infrastructure operated by Fusengine Sàrl in Switzerland.
- Transactional email delivery for billing receipts and support correspondence.
The Bastion Security extension itself does not contact any third-party service beyond the CrowdSec local API on the customer server. Optional CrowdSec community blocklists and CTI lookups are governed by CrowdSec’s own privacy policy.
8. International transfers
Customer data stays in Switzerland and the European Economic Area where possible. Transfers to processors outside the EEA (United States in particular) rely on Standard Contractual Clauses adopted by the European Commission and, where applicable, the EU-US Data Privacy Framework. The Swiss FDPIC adequacy framework applies between Switzerland and the EU.
9. Automated decision-making
The Bastion Security extension applies enforcement actions (ban, captcha, throttle) based on CrowdSec community decisions and local AppSec rules. These decisions are not made on the data subject’s personal data but on technical signals tied to the originating IP address (reputation, scenario, frequency). Human operators can review, override or scope every decision from the panel.
10. Your rights
Under the revised Swiss FADP and the GDPR you may request access to your personal data, request rectification or erasure, restrict or object to a processing activity, withdraw consent at any time, and ask for portability of data you provided to us. Email support@bastion-security.io with proof of identity. We answer within 30 days.
11. Security and breach notification
We follow industry-standard practices: TLS everywhere, hashed payment tokens, principle of least privilege on internal access, encrypted backups, documented incident response. In the event of a personal data breach likely to result in risk for the persons concerned, we notify the Swiss FDPIC within 72 hours (FADP art. 24) and the relevant EU supervisory authority where GDPR art. 33 applies, then inform affected customers without undue delay.
12. Changes to this policy
Material changes are announced through the customer portal and take effect 30 days after publication. The current version always lives at this URL.
13. Supervisory authority
For Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Berne. For the EU: the supervisory authority of your member state of residence.