netSamurai Application
Privacy Policy
IKUSA CYBERSECURITY, S.L.
Plaça Pau Vila, 1 - Palau de Mar, Pier 01, Office 2B · 08039 Barcelona
Version 1.0 · Effective date: June 1, 2026
TL;DR
- We do not sell your data, show you ads, or share data with advertisers.
- We do not embed any third-party analytics, crash-reporting, or tracking SDKs.
- We do not maintain user accounts. The app identifies itself to our backend with a random, locally-generated value that we only ever store as a one-way hash.
- Traffic logs, scanner results, firewall rules, and app activity stay on your device. We never receive them.
- The only data our servers see is what your device sends when it contacts our backend: a hashed identifier, the requests it makes, and standard web-server access information (such as your IP address). We use this to operate the service, protect it from abuse, and estimate the number of active installations.
- The app is built and operated from the European Union under the GDPR.
1. Who we are
The data controller for the limited processing described below is:
IKUSA CYBERSECURITY, S.L.
Plaça Pau Vila, 1 - Palau de Mar, Pier 01, Oficina 2B
08039 Barcelona, Spain
Privacy contact: admin@ikusa.tech
Phone: +34 93 215 77 35
We have not appointed a Data Protection Officer because our processing does not meet the criteria of Article 37 GDPR. You can reach us about any privacy matter at the address above.
2. Scope
This policy covers the netSamurai Android application ("the App") and the supporting backend operated by IKUSA CYBERSECURITY, S.L. ("the Service"). The App is currently distributed only on Android; an iOS version is planned for a future release and is not covered here.
3. Our approach: privacy by design
netSamurai is a security app. Most of what it does (inspecting your traffic to detect malware, phishing, and scam attempts, auditing your network, and checking system integrity) happens entirely on your device. Information about what you visit, which apps you run, or what your network looks like never leaves your device through netSamurai.
The only data that reaches our backend is what is strictly necessary to deliver the parts of the service that require a backend (currently: delivering security-list updates to the App).
4. What stays on your device
The following information is processed and stored only on your device, in a local database and the Android app data area. We never receive it, and you can delete it at any time by using the in-app clear actions or by clearing the App's data from Android settings.
| Category | Examples |
|---|---|
| Traffic statistics | Aggregated counts of network connections per app and endpoint over time |
| Observed endpoints | IP addresses and domain names that apps on your device contacted |
| Quarantine logs | Apps, domains, IPs, ports, and timestamps for connections the App quarantined for security reasons |
| Per-app network settings | Your per-app preferences (allowed, trusted, whitelist mode, etc.) |
| Security rules and lists | The active set of security rules and protection lists your device uses, including list content downloaded from us |
| Network security scan results | Wi-Fi details (SSID, BSSID, signal, security type), gateway info, ARP table, DNS configuration, captive-portal status |
| System integrity scan results | Android version, security patch level, lock-screen state, root indicators, developer-options state, installed device admins and accessibility services |
| Application inventory | The list of apps installed on your device, used to power the per-app firewall UI |
| VPN configurations | WireGuard configurations (including private and pre-shared keys) and encrypted-DNS configurations you have added |
| App preferences | Theme, language, autostart, logging toggle, sorting options, etc. |
Because this data never leaves your device, we are not its "controller" in the sense of the GDPR; you are. The App gives you the tools to inspect and erase it.
5. What our servers see
Your device contacts our backend in a small number of situations. Here is exactly what happens in each case.
5.1 Initial registration
The first time the App runs, it generates a random local identifier ("install_id") and registers itself with our backend in order to obtain an access token used to download security-list updates.
- The App sends an HMAC-signed registration request.
- Our server stores only: the SHA-256 hash of the install_id and the SHA-256 hash of the issued token. The original values never reach us and never leave your device.
- These hashes are random-looking values that cannot be linked back to you or your device by us.
There is no email, phone number, name, account profile, or any other identifier associated with this registration.
5.2 Security-list updates
The App periodically downloads list manifests and individual list files from our backend. Each request includes your access token so that the backend can authenticate it.
The request itself reveals:
- That a device holding a given token requested a given list file at a given time.
- Standard HTTP information (see §5.4).
We do not receive what your device does with these lists, the apps you run, or the destinations they contact. All processing happens locally after the lists are downloaded.
5.3 Connectivity watchdog
While the VPN is active, the App periodically performs a plain HTTPS request to a default endpoint we operate (or a URL you have configured yourself in the App settings) to verify that traffic is still flowing through the tunnel. No payload, identifier, or token is sent in this request; it is a connectivity test only.
If you change the watchdog URL to point at a server you control or a third party, the relevant operator's privacy practices apply, not ours.
5.4 Server access logs
For every request your device makes to our backend (registration, list updates, watchdog), our web servers record standard access information:
- Source IP address
- Timestamp
- HTTP method and path
- User-agent string
- Response status and size
Retention: raw access logs are kept for 90 days and then deleted.
We may derive aggregate, non-identifying statistics from these logs (for example, an approximate count of daily active installations) and keep those aggregates indefinitely. Aggregates never contain IP addresses or any other per-device identifiers.
5.5 What we do not do
For the avoidance of doubt:
- We do not embed Firebase, Crashlytics, Sentry, Google Analytics, Meta SDK, PostHog, Mixpanel, or any other analytics, crash-reporting, attribution, or advertising SDK.
- We do not collect crash reports or diagnostic data automatically.
- We do not collect device fingerprints or advertising identifiers.
- We do not share, sell, or rent data to third parties.
- We do not build behavioral profiles of users.
6. Why we are allowed to process this data
We process the limited backend data described in §5 because we need it to deliver the App (registering your device and serving you security-list updates) and because we have a legitimate interest in keeping our service running and free from abuse (the watchdog check and server access logs). We do not rely on consent for any of this, and we do not use any of it for advertising, profiling, or third-party sharing.
7. Android permissions
The App requests the following Android permissions. Each is used solely for the purpose described.
| Permission | Why we need it |
|---|---|
| INTERNET | Required for the VPN tunnel and backend communication |
| ACCESS_NETWORK_STATE | Detect changes in connectivity to manage the tunnel |
| ACCESS_WIFI_STATE | Read Wi-Fi details for the network security audit |
| NEARBY_WIFI_DEVICES (Android 13+) | Scan visible networks for evil-twin / rogue-AP detection |
| FOREGROUND_SERVICE | Run the VPN as a foreground service with a persistent notification, as required by Android |
| POST_NOTIFICATIONS (Android 13+) | Show the foreground-service notification and security alerts |
| WAKE_LOCK | Keep the CPU awake while the VPN is processing packets |
| RECEIVE_BOOT_COMPLETED | Optionally auto-start the VPN at device boot, if you enable that setting |
| REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | Optionally ask Android to exempt the VPN service from battery optimizations |
| QUERY_ALL_PACKAGES | Enumerate installed apps so you can apply per-app network rules |
Android also requires the VPN service permission, which is granted via the system's standard VPN consent dialog the first time you enable the tunnel.
8. Retention
- On-device data (§4): kept until you delete it (in-app clear actions, uninstall, or "Clear data" in Android settings). We do not impose an automatic retention period because the data does not reach us.
- Hashed install_id and token hash: kept for as long as the App on your device continues to use the corresponding token. If you uninstall the App, the local values are deleted from your device and the hash on our side becomes orphaned and cannot be linked to anything.
- Raw server access logs: 90 days.
- Aggregate active-installation statistics: indefinitely (these contain no per-device or per-user identifiers).
9. Where the data is stored
The backend that handles the data described in §5 runs on servers located in the European Union. The data does not leave the EU/EEA.
10. Your rights
You have the rights granted by EU data protection law: to access, correct, delete, port, restrict, or object to the processing of your personal data. In practice, because we do not maintain user accounts and the data we hold on our servers cannot be linked back to you by us, these rights apply to netSamurai in a fairly direct way:
- Almost all data the App handles is on your device and already visible to you in the App's UI. You can clear it at any time using the in-app clear actions or by clearing the App's data in Android settings.
- Uninstalling the App removes the local install_id and token. The corresponding hashes on our server become orphaned and cannot be linked to anything; raw server access logs containing your IP age out after 90 days.
- You can stop all backend communication by uninstalling the App or disabling features that require network access.
- You can contact us at the address in §1 with any request relating to your data. If you believe we have not handled your data correctly, you have the right to complain to the data-protection authority in your EU member state.
netSamurai is not directed at children under 16, and we do not knowingly process any data from them.
11. Security
All communication with our backend uses TLS, and the App rejects certificates that don't chain to the Let's Encrypt roots used by our infrastructure. The install_id and token are stored only on your device; only one-way hashes ever reach our servers. Local data lives inside Android's per-app sandbox, and our server-side logs are held in access-controlled infrastructure in the EU. No system is perfectly secure; if you find a vulnerability, please contact us at the address in §1.
12. Changes to this policy
If we make material changes to this policy, we will update the version number and effective date above and surface the change through the App's release notes and the netsamurai.app website. A history of changes will be kept alongside this document in our public repository.
13. Contact
For any question about this policy or your data, write to admin@ikusa.tech or to the postal address in §1.