DISASM

Privacy Policy

Last updated: 21 June 2026 · Operated by YOGHURT DIGITAL LTD

1. Privacy Policy — DISASM (effective date and coverage)

Effective date / Last updated: 21 June 2026. Version 1.0.

This Privacy Policy explains how YOGHURT DIGITAL LTD ("we", "us", "our") collects, uses and protects personal data in connection with the DISASM service, including the website at disasm.dev and the DISASM API. DISASM is a developer API service operated under YOGHURT DIGITAL LTD and has been in operation since 2022.

This policy should be read together with our Terms of Service, under which YOGHURT DIGITAL LTD is the contracting party. We process personal data in accordance with the UK GDPR, the Data Protection Act 2018 and, in relation to electronic marketing and cookies, the Privacy and Electronic Communications Regulations (PECR).

2. Scope — who we are and who this applies to

DISASM is a developer API operated by YOGHURT DIGITAL LTD. The API accepts anti-bot challenge context and returns the corresponding solved token or payload for the customer to use with their own requests, proxies, cookies and sessions. The service is provided business-to-business (B2B) to developers and businesses who contract with us in the course of business, and not as consumers.

This policy applies to personal data we process about the individuals who register for, access, pay for, partner with, join our waitlist for, or communicate with us about the DISASM service. Where individuals interact with us through a business customer's account, this policy still describes how their personal data is handled.

3. Data controller identity and contact details

The data controller for the personal data described in this policy is:

  • YOGHURT DIGITAL LTD, a company registered in England and Wales (United Kingdom).
  • Company number: 13295779.
  • Registered office address: 86-90 Paul Street, London, England, EC2A 4NE.
  • Operating the DISASM service (disasm.dev and the DISASM API).

For any privacy query or to exercise your rights, contact us at contact@disasm.dev. Our community and support Discord is available at https://discord.gg/ukxJm45r7Q.

4. Data Protection Officer

YOGHURT DIGITAL LTD is not required to appoint a statutory Data Protection Officer (DPO) under the UK GDPR, and we have not appointed one. This does not reduce our obligations to protect your personal data.

Please send all privacy enquiries, including questions about this policy or about how we handle personal data, to contact@disasm.dev.

5. Categories of personal data we process

We process the following categories of personal data:

  • Account data — your email address, username, and hashed authentication credentials.
  • Discord sign-in data — where you choose to sign in using Discord (OAuth), the limited profile information we receive from Discord, such as your Discord user ID, username/handle, and (if provided) email address.
  • Service usage data — API request metadata, request volumes, timestamps, and logs.
  • Billing / payment status — subscription and payment status received via Stripe. DISASM does not store full card numbers.
  • Partner / referral programme data — where you apply to or take part in our partner programme: your business name and business description, country, user-count band, services offered, referral code, commission and payout records, and the identifiers associated with your Stripe Connect payout account. Identity and bank-account details needed for payouts are collected and verified by Stripe directly during Stripe Connect onboarding.
  • Waitlist / pre-registration data — where you join a waitlist before holding an account, the email address you provide and whether your interest is registration or partner related.
  • Support communications — the content of messages you send to contact@disasm.dev or to us via Discord.

We do not knowingly collect special category data (such as data revealing health, race, religion, political opinions, or similar), and we ask customers not to submit any special category data to the service or in support communications.

6. Challenge-context data submitted to the API

To deliver the service, customers POST technical challenge context to the API — typically the target page URL, the protection script, and the intended user-agent string — and we return a solved token or payload (for example, the reese84 payload or ___utmvc cookie for Imperva Incapsula, or the device/cookie payload for DataDome).

This challenge context is technical in nature and is not generally intended to contain personal data, although we recognise that URLs and user-agent strings can in some cases incidentally contain or contribute to personal data (for example, identifiers in a URL path or query string).

The customer decides what to submit and is the controller of the challenge context and of any personal data it contains. For that content, DISASM acts as a processor under Article 28 UK GDPR, processing it only on the customer's documented instructions for the sole purpose of returning the solved token, and governed by a Data Processing Agreement (see section 23). DISASM does not rely on its own Article 6 lawful basis for this customer-controlled content; the customer is responsible for the lawfulness of what it submits.

7. Sources of data

Most of the personal data we hold is provided directly by you or your organisation through registration, use of the API, billing, partner onboarding, joining our waitlist, and support contact.

Some data is received from third parties:

  • Stripe — your subscription and payment status in connection with payments you make and, for partners, confirmation of Stripe Connect onboarding and payout status.
  • Discord — where you choose to sign in using Discord (OAuth), we receive limited profile information from your Discord account.

8. Purposes of processing and lawful basis

We process personal data for the following purposes, each relying on the lawful basis shown:

  • Creating and administering your account and authenticating you — Article 6(1)(b), performance of a contract.
  • Providing the API service (returning tokens for your own controller data, such as your account/usage records) — Article 6(1)(b), performance of a contract. For the challenge-context content you submit, we act as your processor under Article 28 (see section 6).
  • Taking payment and managing subscriptions and pay-as-you-go billing via Stripe — Article 6(1)(b), performance of a contract.
  • Operating the partner / referral programme, including processing referrals and arranging payouts via Stripe Connect — Article 6(1)(b), performance of a contract, and Article 6(1)(f), legitimate interests.
  • Keeping usage logs and metadata for billing accuracy, rate-limiting, abuse prevention, security and service reliability — Article 6(1)(f), legitimate interests.
  • Responding to support requests via email and Discord — Article 6(1)(b), performance of a contract, and/or Article 6(1)(f), legitimate interests.
  • Sending transactional and service emails via Amazon SES — Article 6(1)(b), performance of a contract.
  • Complying with legal, accounting and tax obligations — Article 6(1)(c), legal obligation.
  • Direct marketing email to our business customers — Article 6(1)(f), legitimate interests, together with the PECR "soft opt-in" where applicable (see below).
  • Setting any non-essential cookies, or sending marketing where you have opted in — Article 6(1)(a), consent, and the relevant PECR consent requirement.

For direct marketing email, we contact existing customers and people who have engaged with us in a sales process for our own similar products and services. We rely on the PECR "soft opt-in", which requires that we obtained the contact details in the course of a sale or negotiation for similar products or services, that we offer an opt-out at the point we collect the details, and that every message includes an easy way to opt out. We do not send marketing to individual subscribers, sole traders or unincorporated partnerships who have not engaged with us, except where they have consented. Where we contact corporate (role-based) business addresses, we do so in reliance on legitimate interests with an opt-out in every message. You can opt out of marketing at any time using the unsubscribe link in any message or by emailing contact@disasm.dev.

9. Our legitimate interests

Where we rely on Article 6(1)(f) (legitimate interests), our specific interests are:

  • Preventing abuse, misuse and fraud against the service.
  • Securing the service and protecting our infrastructure and other customers.
  • Ensuring accurate billing and enforcing usage limits and rate-limiting.
  • Operating, maintaining and improving our business and the DISASM service, including the partner programme.
  • Conducting B2B direct marketing to relevant business contacts, consistent with PECR.

For each of these purposes we have carried out a legitimate interests assessment (a balancing test) to ensure our interests are not overridden by your interests, rights and freedoms. You may request a summary of the relevant assessment at contact@disasm.dev. You also have the right to object to processing based on legitimate interests (see section 14).

10. Recipients, processors and other controllers

We use the following service providers as processors, who process personal data on our behalf and on our instructions:

  • Amazon Web Services (AWS) — cloud hosting and infrastructure, primarily in the London (eu-west-2) region, and Amazon SES for sending transactional email.
  • Zoho — our business email mailbox, hosted in an EU data centre.

The following providers act as independent controllers for their own purposes (such as their own payment, compliance, fraud-prevention and platform purposes), and have their own privacy policies which we encourage you to read:

  • Stripe — payment processing for inbound customer payments (Stripe handles card data; DISASM does not store full card numbers) and, via Stripe Connect, the onboarding, identity/bank verification and payment of partner payouts. Identity and bank details for partner payouts are provided to and handled by Stripe directly.
  • Discord — optional third-party sign-in (OAuth) and our community server.

Our self-hosted authentication (Ory Kratos) and our self-managed database are software we run on our own AWS infrastructure; they are not separate third-party processors.

We may also disclose personal data to professional advisers (such as legal or accounting advisers) or to public authorities, but only where we are legally required or permitted to do so. We do not sell personal data, and we do not share it with any recipient other than those described above.

11. Support handled in-house

All support for the DISASM service is handled in-house by our UK-based team of experienced reverse engineers. We do not use any third-party or outsourced support teams, and support is not handled by anyone outside the United Kingdom.

For clarity, while our support personnel are UK-based, support communications may still be stored or transmitted through the processors and platforms described in sections 10 and 12 — for example our Zoho mailbox (EU data centre) or Discord — so the underlying messages may be held outside the UK at the storage or platform level.

12. International transfers and safeguards

Personal data is hosted primarily in the United Kingdom (AWS London, eu-west-2). Some personal data is processed in the EEA or in other countries:

  • Zoho (business email) — hosted in an EU/EEA data centre. Transfers from the UK to the EEA rely on the UK's adequacy regulations for the EEA, so no additional transfer mechanism is required.
  • Stripe and Discord — may process personal data outside the UK and the EEA. For any transfer to a country not covered by UK adequacy regulations, we rely on appropriate safeguards, namely the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment where required.

We do not rely on the bare EU Standard Contractual Clauses on their own for transfers out of the UK; where EU SCCs are used, they are applied together with the UK Addendum. You can request further details, or a copy of the relevant safeguards, by emailing contact@disasm.dev.

13. Retention periods

We keep personal data only for as long as needed for the purpose for which it was collected, applying the following periods and criteria:

  • Account data — kept for the life of your account and for up to 90 days after the account is closed (to allow for reactivation, dispute handling and account wind-down), after which it is deleted.
  • Service usage data (metadata and operational logs) — retained for up to 12 months for billing accuracy, security, abuse prevention and service reliability, then deleted or irreversibly anonymised. Any usage information that forms part of a financial record is instead retained as part of those records (see below).
  • Partner / referral programme data — kept for the duration of the partnership and for up to 90 days after it ends, except for commission and payout records, which are retained as financial records (see below).
  • Waitlist / pre-registration data — kept until you are onboarded or for up to 12 months from sign-up if not onboarded, then deleted, unless you ask us to remove it sooner.
  • Billing and financial records (including commission and payout records) — retained for 6 years to meet UK accounting and tax law requirements.
  • Support communications — retained for up to 24 months after the matter is resolved, then deleted.

Where we anonymise data instead of deleting it, we do so irreversibly so that it no longer constitutes personal data. Where data is subject to a legal retention obligation, we will retain it for the period required by law even if you request earlier deletion.

14. Your data subject rights

Subject to the conditions in the UK GDPR, you have the following rights:

  • Right of access (Article 15) — to obtain a copy of the personal data we hold about you.
  • Right to rectification (Article 16) — to have inaccurate data corrected.
  • Right to erasure (Article 17), the "right to be forgotten".
  • Right to restriction of processing (Article 18).
  • Right to data portability (Article 20).
  • Right to object (Article 21), including to processing based on legitimate interests and to direct marketing.
  • Rights related to automated decision-making and profiling (Article 22).
  • Right to withdraw consent at any time where processing is based on consent (Article 7(3)), without affecting the lawfulness of processing before withdrawal.

These rights are not absolute and some depend on the lawful basis we rely on. For example, data portability applies only to data you provided that is processed by automated means under contract or consent, and the right to erasure does not override our legal retention duties. Where DISASM acts only as a processor (for example, for challenge-context content), requests about that data should be directed to the customer who is the controller.

15. How to exercise your rights

To exercise any of your rights, email contact@disasm.dev.

  • We will respond within one month of receiving your request.
  • For complex or numerous requests, we may extend this by up to a further two months, and will tell you within the first month if we do.
  • Requests are normally free of charge, unless they are manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to act.
  • We may need to verify your identity before acting on a request.

16. Complaints to the ICO

If you have a concern about how we handle your personal data, we encourage you to contact us first at contact@disasm.dev so we can try to resolve it.

You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office (ICO):

  • Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
  • Helpline: 0303 123 1113.
  • Website: ico.org.uk.

17. Automated decision-making and profiling

We carry out some automated processing, such as automated rate-limiting and automated abuse and fraud detection, to protect and operate the service. Where automated detection could lead to an adverse outcome for you — such as the suspension or termination of your account or service access — a member of our team reviews the matter before that adverse action is taken, so that there is meaningful human involvement.

Because of this human review, we do not make solely automated decisions that produce legal or similarly significant effects on individuals within the meaning of Article 22 UK GDPR. If this position changes and we introduce any such solely automated processing, we will update this policy to describe the logic involved, its significance, the likely consequences, and your right to obtain human intervention, express your point of view and contest the decision.

18. Security

We use appropriate technical and organisational measures to protect personal data, including:

  • Encryption of data in transit.
  • Encryption of data at rest for stored data and backups, using encryption provided by our AWS infrastructure.
  • Hashing of authentication credentials — we do not store plaintext passwords.
  • Not storing full card numbers; card data is handled by Stripe.
  • Access controls limiting who can access systems and data.
  • Hosting on AWS infrastructure, primarily in the London (eu-west-2) region.
  • Logging and monitoring to detect and respond to issues.

While we take security seriously, no method of transmission over the internet or method of storage is completely secure, and we cannot guarantee absolute security.

19. Personal data breaches

We have procedures in place to detect, report and investigate personal data breaches. Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the ICO within the required timeframe, and where there is a high risk, we will notify affected individuals, in accordance with Articles 33 and 34 UK GDPR.

20. Children

DISASM is a business-to-business service that is not directed at children and is not intended for anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will delete it as soon as reasonably practicable.

21. Cookies and similar technologies

We use a limited set of cookies and similar technologies:

  • Strictly necessary cookies - authentication and session cookies (including those set by our self-hosted Ory Kratos authentication) that are required to log you in and operate the service securely. Under PECR, these do not require consent.
  • Analytics cookies - we use Google Analytics 4 to understand, in aggregate, how our website is used. These are non-essential cookies and are only set after you give consent through our cookie banner. We operate Google Consent Mode, so analytics storage is denied by default until you accept, and declining has no effect on your use of the site.

You can withdraw or change your consent at any time using the "Cookie settings" link in the footer, or by clearing your browser site data for disasm.dev. We do not use advertising or cross-site tracking cookies.

22. Third-party links

The disasm.dev website and our Discord server may contain links to third-party websites and services. Those third parties have their own privacy practices governed by their own policies. We are not responsible for the content or privacy practices of any third-party site or service, and we encourage you to review their policies.

23. Controller and processor roles — B2B responsibilities

YOGHURT DIGITAL LTD is the controller of the account, Discord sign-in, service usage, billing, partner programme, waitlist and support data described in this policy.

As this is a B2B service, the customer is the controller of, and is responsible for:

  • The lawfulness of the challenge context they submit to the API (the target page URL, protection script and intended user-agent), including any personal data it may contain.
  • How the returned tokens are used, together with the customer's own proxies, cookies and sessions, and any resulting data they collect.

For the challenge-context content described in section 6, DISASM acts as a processor on the customer's behalf under Article 28 UK GDPR, processing it only on the customer's documented instructions to return the solved token. A Data Processing Agreement (DPA) governing that processing is available to customers on request. The contracting relationship is governed by our Terms of Service, under which YOGHURT DIGITAL LTD is the contracting party.

24. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the Effective date at the top of the policy. Where changes are material, we will provide additional notice, for example by email or by a notice on disasm.dev.

This policy is a transparency notice rather than a contract, and our processing does not depend on you "accepting" it. Where a change relies on your consent — for example introducing new non-essential cookies — we will seek that consent separately, and continued use of the service will not be treated as consent. We encourage you to review this policy periodically.

25. Contact for privacy queries

For any privacy question, to exercise a data-rights request, or to obtain copies of our international transfer safeguards or a summary of our legitimate interests assessments, please contact us at contact@disasm.dev.

This Privacy Policy should be read alongside our Terms of Service. The data controller is YOGHURT DIGITAL LTD, company number 13295779, registered office 86-90 Paul Street, London, England, EC2A 4NE.