Policy & Terms

One long document covering everything: terms of service, acceptable use policy, data-handling policy, retention, your rights, and contacts for complaints.

§1

Terms of service

By registering an account or using anycast.ac (the "Service"), you enter into an agreement with the project's operator ("We") on the terms below. If any point doesn't suit you, don't use the Service.

1.1 Who may use

  • Natural persons old enough to enter into contracts in their jurisdiction (18 in most countries; 16 with guardian consent in some).
  • Legal entities and sole proprietors acting through an authorized representative.
  • Persons not on the sanctions lists of the country hosting our nodes (England), nor EU/UN/OFAC.

1.2 Account and security

  • One account, one owner. Sharing access without notifying support is forbidden.
  • You must use a strong password and notify us immediately on suspected compromise. Passwords are stored only as bcrypt hashes (cost=12); we cannot recover them, only reset.
  • We reserve the right to request proof of domain or email ownership when investigating violations.

1.3 Billing and subscriptions

  • Free tier is available without payment within the limits shown at /#pricing.
  • Paid plans (Solo / Pack / Heavy / Lifetime) run for the term purchased. Lifetime does not expire until the Service itself shuts down.
  • Refunds are possible within 14 days of payment if the Service has not been used for live traffic. Disputes - support@anycast.ac.

1.4 Changes to terms

We may change these Terms. Material changes are announced at least 14 days in advance via the registered email and on this page. Continued use after changes take effect means acceptance of the new version.

1.5 Termination

You can delete your account anytime from settings or by emailing support@anycast.ac. We may suspend or terminate service in the cases described in §3 (Penalties).

§2

What's forbidden

Main categories of forbidden content and actions. Not exhaustive - common sense is part of the ruleset too.

2.1 Flatly forbidden (instant ban + law-enforcement referral)

  • CSAM. Any material exploiting minors. The account is locked immediately on detection and data is reported to NCMEC / national law enforcement.
  • Terrorist propaganda. Content inciting or glorifying terrorism under EU / Swiss / Swedish law.
  • Content infringing adult-consent laws without explicit, verifiable consent (revenge porn, deepfake-nude, hidden recording).
  • Botnet C&C and malware distribution. Sites controlling compromised hosts or spreading malicious code.
  • Mass phishing. Sites impersonating banks, crypto exchanges, government portals, or other trusted resources.
  • Attack retransmission. Using the Service as a proxy layer fronting stresser / booter / DDoS-as-a-service.

2.2 Forbidden (warning → block)

  • Attacking third-party systems. Exploiting vulnerabilities of sites without owner permission, bruteforcing third-party logins through our proxy.
  • Mass spam. Email, SMS, social spam; mass-mailing systems bypassing anti-abuse.
  • Copyright infringement. Hosting content subject to a valid DMCA or equivalent claim without response in the stated window (§7).
  • Deceiving end users. Scam landings, fake shops, fake giveaways, sites promising money for a crypto wallet.
  • Unauthorized scraping. Using the Service to proxy scrapers violating the target's robots.txt and Terms of Service.
  • Anonymization for wrongdoing. Intentionally using our edges to hide the source when committing criminal offenses.
  • Protection resale. Reselling or sublicensing your account and/or proxied traffic to third parties without separate written permission.

2.3 Resource abuse

  • Using edges as a CDN for massive files. The Service is an L7 proxy shield, not a file host. Use S3/R2/BunnyCDN for static assets.
  • Infinite WebSocket sessions without real useful payload (keep-alive floods, 'parked' sockets to fake concurrent users).
  • Circumventing plan limits (many small accounts under one owner, automatic Host swapping, counter manipulation).

2.4 What is allowed

  • Forums, blogs, biolinks, portfolios, community sites.
  • Commercial sites: shops, SaaS, APIs, media, gaming lobbies, Discord panels - anything legal in the owner's jurisdiction.
  • NSFW content between adults with explicit consent and within local law.
  • Hobby projects, experimental APIs, Telegram bots behind a proxy.

§3

Penalties & blocks

What happens when a violation is logged. Every step is documented - the history is available on request via support@.

3.1 Response procedure

  1. Signal received. Automated detector, third-party complaint, or law-enforcement request.
  2. Initial check. Within 24 hours we verify the facts: logs, traffic samples (no payload), CNAME, domain.
  3. Contact with the account owner. Email to the registered address. Response deadline: 24 to 72 hours depending on severity.
  4. Measures applied. From warning to full permanent ban, depending on severity and repetition.

3.2 Penalty levels

⚠ Warn - Warning in-panel + email. Violation is logged, account continues to work.
❄ 24h freeze - Site is moved to suspended for 24 hours. Traffic is cut at the edge. Usually applied to a second warning or a light breach.
⛔ Site suspension - Site is blocked indefinitely until the violation is resolved. Other sites on the account keep working.
🔒 Account lock - Account is frozen: all sites off, login disabled. Requires contact with support and remediation to unlock.
🚨 Permanent ban - Irrevocable ban of the account and any associated payment data. Applied to repeated serious violations.
☠ LEA referral - All of the above + transfer of data to law enforcement. Applied for CSAM, terror propaganda, botnet C&C.

3.3 Refunds on block

If the block is the user's fault (breach of §2) - the unused subscription portion is not refunded. If it was our mistake - we restore access and compensate downtime with proportional subscription extension.

3.4 Appeals

Any decision can be appealed by writing to support@anycast.ac within 30 days of the sanction. We commit to review within 14 business days and give a written answer.

§4

Data & privacy

What we collect, why, and what we DON'T collect. Short answer: the minimum needed for attack protection.

4.1 What we collect about the account

  • Email - for login, password reset, service notifications.
  • Handle (nickname) - publicly visible in the panel and audit log.
  • bcrypt password hash. The plaintext password is not stored. Cost factor is 12.
  • Last-login IP and browser user-agent - for session theft detection.
  • Session cookies (name fg_session) - HttpOnly, Secure, SameSite=Lax, domain .anycast.ac. TTL 30 days, extended on activity.

4.2 What's collected from proxied traffic

  • Client IP - for rate-limit, bans, analytics.
  • Host and path of the first request line - for routing and the 'top URL under attack' report.
  • User-Agent - for bot and empty-UA detection.
  • Method, status code, response size, duration - aggregated counters.
  • Cause-of-block - reason the request was dropped (rate, protocol violation, UAM-challenge fail etc.), if applicable.

4.3 What we DON'T collect

  • Request/response body. We don't log or read POST payloads, JSON bodies, uploaded files, form contents.
  • Passwords from protected sites. Your users' login forms are your business; we don't peek.
  • Third-party TLS keys. In ACME mode, keys are generated on our edges and stay there; we do not export private keys to your subscribers.
  • Third-party personal data from user databases - we are not the processor of your customers' data, we just pass the traffic.

4.4 Cookies and analytics

The marketing site (anycast.ac, /network) has no third-party trackers - no Google Analytics, no Meta Pixel, no Yandex.Metrika. dash.anycast.ac uses only one cookie, fg_session, for authorization.

4.5 Where data physically lives

  • Panel + Postgres - hosted in England.
  • Edges - London, England.
  • DB backups - encrypted (AES-256-GCM), replicated inside England.

4.6 Third-party transfer

We do not sell or share data with advertisers or data brokers. Third-party data transfer happens only in the following cases:

  • Court order or lawful law-enforcement request from the jurisdiction hosting our servers (England). Requests from other jurisdictions are ignored unless an MLAT is produced.
  • Payment providers - transaction data only (amount, currency, email), no traffic metadata.
  • Infrastructure providers (OVH, Hetzner, …) - they see only what any hosting provider sees (network in/out, hardware), no application-layer data.

§5

Retention

What we keep, for how long. Anything not listed - kept until the purpose of collection no longer applies.

Account - until deletion

Email, handle, password hash, is_admin, plan, plan_expires_at. Deleted immediately on request via support@ or self-service.

Sessions - 30 days

fg_session rows in Postgres. Extended on activity. Session revocation - instant via 'Logout all'.

Events log - 30 days

Block decisions, ban reasons, WAF triggers. After 30 days auto-deleted by DB rotation.

Site samples - 30 days

Per-site request/block counters (scraped every 10 seconds). Used for dashboard charts.

Metric aggregates - 365 days

Daily per-site summaries (no IP, no User-Agent). Used for capacity planning and customer history.

Billing records - 7 years

For accounting. Mandatory under SE/CH/NL tax law.

§6

Your rights

UK Data Protection Act 2018 and GDPR-equivalent rights apply to us, and we honour user requests even if you're not in England.

6.1 Access to your data

Email support@anycast.ac from the account address. Within 30 days you'll get a JSON export: profile, sites list, active sessions, billing history, last 30 days of block logs.

6.2 Correction

Email and handle are editable via account settings. Other fields - request at support@anycast.ac.

6.3 Deletion ('right to be forgotten')

Self-service deletion is in the panel. Removed: account, all sites, all sessions, all sample rows. Only anonymized aggregates (per-day request counts with no IP/handle link) and billing records (we are required to keep those 7 years under tax law) remain.

6.4 Objection

You can opt out of marketing email with one click in any email. Objection to processing required for attack protection (request logs) is only possible by ceasing to use the Service - without metadata, we cannot protect your site.

§7

Security & incidents

What we do to not leak the database, and what we do if it leaks anyway.

  • TLS 1.2+ on all external endpoints, HTTP/2 and HTTP/3 on the edges, automatic HTTP → HTTPS redirect.
  • Private ACME keys live only on the edges and never leave their filesystem.
  • Two-factor auth for admin accounts (coming soon - email + TOTP).
  • DB backups are AES-256-GCM encrypted, key stored separately from the backup.
  • On a confirmed data breach affecting personal data, we notify affected users and regulators (in the EU - within 72 hours per GDPR Art. 33).

§8

DMCA and abuse complaints

How to file a complaint about content hosted behind our proxy.

8.1 What to include

  • URL or domain where the infringing content is hosted.
  • Description of the violation (copyright, phishing, CSAM, etc.).
  • Evidence (link to the original, rights-holder paperwork, screenshots).
  • Claimant's contact data and a declaration that the provided information is accurate.

8.2 Address and timeline

Send to abuse@anycast.ac. Response: within 48 hours for regular claims, immediate for CSAM / national-security.

8.3 Counter-notice

If your content was removed by mistake, you can file a counter-notice at support@anycast.ac. We'll notify the claimant and, if no court action arrives within 10 business days, restore access.

§9

Contacts

Where to write for each category.

Support - support@anycast.ac

General questions, tech issues, billing, GDPR / data requests, appeals.

Abuse / DMCA - abuse@anycast.ac

Complaints about content hosted behind our proxy.