ET Ducky ET Ducky
Home Blog Documentation Pricing Downloads Agents Reports Systems Integrations Team
Blog Documentation Pricing Downloads
Team Settings
Sign Out

Privacy Policy

Last Updated: June 19, 2026

June 2026 update. To strengthen fraud and abuse prevention, we added a small number of security-focused data categories: limited payment metadata (a non-reversible card fingerprint and billing country — never full card details), account registration context (sign-up IP and device characteristics), and stable device identifiers from managed endpoints (machine/MAC/disk identifiers). We use these solely for security, fraud prevention, and incident investigation, retain them under the windows described below, and never sell them.

Overview

Purpose of This Policy

ET Ducky is a cross-platform endpoint monitoring, diagnostics, and behavioral-security platform for Windows and Linux systems. It uses kernel-level event tracing (Event Tracing for Windows on Windows, eBPF on Linux) and system health metrics to help IT teams troubleshoot issues and detect threats. This policy explains what data the platform collects, how it is used, and the controls you have over your data.

Key Commitments

  • System telemetry and connection metadata — We collect system performance data, kernel diagnostic events, security posture information, and the source IP an agent connects from (for security and abuse prevention). We do not collect end-user personal content, browsing history, keystrokes, file contents, or employee activity.
  • We do not sell your data — Your organization's data is never sold, rented, or shared for advertising purposes.
  • AI analysis is user-initiated — No data is sent to AI providers unless a user explicitly triggers an analysis from the dashboard.
  • Organization isolation — Each organization's data is completely isolated. No other organization can access your agents, events, or metrics.
  • You control retention — Choose how long cloud data is retained (14 days free, up to 730 days with paid tiers). Data beyond your retention window is permanently purged.

What We Collect

Account Data

Managed by our identity provider (Clerk). We do not store passwords directly.

  • Email address
  • Name (if provided)
  • Organization membership and role (Admin or Member)
  • Subscription status and plan tier
  • Payment and billing metadata — For paid accounts, our payment processor (Stripe) handles your card details. We additionally store limited, non-sensitive payment metadata — a non-reversible card fingerprint, the card issuer/BIN, and the billing name and country — for fraud prevention, abuse detection, and chargeback handling. We never store full card numbers, CVV, or expiry dates.
  • Registration context — When you create an account, we record the IP address and approximate location of the sign-up, basic browser/device characteristics, the sign-in method used, and your email verification status. We use this to prevent fraud and detect coordinated or automated account abuse.
  • Automated abuse detection — We use automated analysis of the signals described in this policy (such as network address, device identifiers, and payment metadata) to detect and prevent fraudulent or abusive use. A match flags the account for our review and may cause us to preserve associated data for security and legal purposes. This scoring does not, by itself, restrict or suspend your account.

Agent System Data

Collected from endpoints running the ET Ducky agent:

  • Health Metrics — CPU utilization, memory usage, disk space, network I/O, system uptime (collected every 60 seconds by default)
  • Security Posture — Antivirus real-time protection status and definition age, firewall state, disk encryption status, UAC configuration, and Secure Boot state, collected with the agent heartbeat
  • System Identity — Hostname, OS version, Linux distribution and kernel identity where applicable, agent version, and the source IP address the agent connects from. We record this IP when the agent first registers and refresh it on each check-in (the agent's most recent connection IP). Where the connection passes through a proxy or CDN, we record the originating client IP from standard forwarding headers rather than the proxy's address. We use this to secure the platform, detect and prevent abuse, and investigate security incidents; it may indicate the approximate network location of the connecting device. To manage your devices reliably and to detect and prevent abuse, we also collect stable device identifiers from each managed endpoint — which may include a machine GUID, network adapter (MAC) address, and disk or operating-system install identifier — together with the device's system timezone and locale. These are tied to the managed device, not to any individual.
  • Kernel Trace Events — Windows ETW and Linux eBPF kernel and user-mode trace events (process creation, file I/O, network connections, registry activity, service state changes), collected only when event collection is enabled for the agent
  • Correlated Event Summaries — Aggregated and filtered event data produced by the agent's local correlation engine before transmission (typically 99%+ reduction from raw events)
  • Behavioral Detections — When the behavioral-security monitor flags a high-confidence threat, the detection and the specific events that triggered it are transmitted as evidence
  • Procedure Recordings — When an administrator runs the documentation recorder, the captured procedure, the generated knowledge base article, and any screenshots taken with the documentation hotkey are stored. This is off unless a recording is started.
  • Privilege Elevation Audit Metadata — For operator-driven privilege elevation on Linux: command summary, operator identity, source IP, and exit code (passwords are never stored or logged)
  • Rejected connection records — When an agent presents an invalid or revoked credential (for example, an agent belonging to a terminated account), we log the agent identifier, the source IP, and the user-agent of the rejected connection. We use this to identify compromised or orphaned endpoints and to investigate abuse.
  • Threat indicators — Network indicators (domains, URLs, and IP addresses) contained in commands evaluated by our security filter may be retained as threat indicators and used to protect all customers on the platform.

What We Do NOT Collect

  • User credentials or passwords
  • File contents or document data
  • Browser history, cookies, or keystrokes
  • Email, chat messages, or personal communications
  • Automatic or covert screenshots and screen recordings (remote desktop frames are relayed in real time and never stored server-side; documentation-recorder screenshots are user-initiated and described above)
  • Employee activity or productivity tracking data

ETW & Telemetry Data

How ETW Data Flows

Diagnostic event collection is disabled by default. When enabled from the dashboard, the agent captures kernel trace events locally (ETW on Windows, eBPF on Linux), runs them through a correlation engine that filters and aggregates the data, and transmits only the summarized results to the cloud API.

  • Local Processing — Raw ETW events are processed on the endpoint. The correlation engine reduces data volume by approximately 99.95% before any data leaves the device.
  • No PII Filtering Required — Because only aggregated summaries (event counts, patterns, timestamps, provider names) are transmitted, personal data is excluded by design.
  • Configurable Providers — Administrators choose which ETW providers are active per agent, controlling exactly what categories of system events are monitored.

Always-On Behavioral Security Monitor

Separately from diagnostic event collection, the agent runs a behavioral-security monitor on its own dedicated kernel-trace session. This monitor is active by default so that threats are caught without operator setup. It analyzes events locally and transmits data only when a behavioral rule reaches a high-confidence threshold, at which point it sends the triggering events as evidence. It does not stream raw event data during normal operation.

Health Metrics

Health metrics (CPU, memory, disk, network) are collected regardless of ETW status. These are system-level performance counters and do not contain personal or user-specific data.

AI Processing

How AI Analysis Works

ET Ducky uses the Anthropic Claude API and OpenAI models for AI-powered root cause analysis, Smart Reports, and alert enrichment. Important safeguards:

  • Primarily user-initiated — Most AI analysis runs only when a user requests it from the dashboard. Automated alerting and anomaly-triggered diagnostics may also generate AI analysis without a manual request, using the same aggregated-telemetry safeguards described below.
  • Aggregated data only — AI prompts contain summarized telemetry: CPU/memory trends, event correlation summaries, error pattern descriptions. No PII, credentials, file contents, or raw user data is included.
  • No AI training — Our AI providers do not use API data for model training, per their commercial terms of service.
  • Minimal retention by AI provider — Our AI providers do not retain prompt and response data beyond their standard request lifecycle and abuse-monitoring policies.
  • Server-side only — All AI requests originate from the ET Ducky cloud API. The agent and browser never communicate directly with AI providers.

Storage & Security

Data Protection

  • Encryption in Transit — All communications between agents, the dashboard, and the cloud API are encrypted with TLS 1.2 or higher
  • Encryption at Rest — Database storage is encrypted with AES-256. Automated backups are also encrypted.
  • Agent Authentication — Each agent authenticates with a unique 256-bit cryptographic bearer token. Only the SHA-256 hash is stored server-side; the plaintext token exists only on the agent.
  • User Authentication — Dashboard access is authenticated via Clerk with support for MFA, SSO, and configurable session policies
  • Organization Isolation — All data is scoped to your organization. Database queries enforce organization-level filtering on every request.

Data Sharing

We do not sell, rent, or share your data for advertising or marketing purposes.

We share data only with the following service providers, strictly as necessary for platform operation:

ProviderPurposeData Shared
ClerkUser authentication & identityEmail, name, organization membership
StripePayment processingBilling email, subscription status
Anthropic, OpenAIAI-powered analysis, reports, and alert enrichmentAggregated telemetry summaries only
SendGridAlert email notificationsRecipient email, alert content
DigitalOceanInfrastructure hostingAll platform data (encrypted at rest)

All third-party providers maintain SOC 2 Type II or PCI DSS certification.

Your Choices

Controls Available to You

  • Diagnostic Event Collection — Enable or disable diagnostic kernel-event collection per agent from the dashboard. Disabled by default. The behavioral-security monitor runs independently and is described under ETW & Telemetry Data.
  • ETW Providers — Choose which categories of Windows events to monitor via remote configuration
  • AI Analysis — AI features are always opt-in. You decide when and whether to send data for AI analysis.
  • Data Retention — Choose your retention tier (14 to 730 days). Data beyond your window is permanently purged.
  • Agent Deactivation — Deactivate or delete agents from the dashboard at any time. Deactivation immediately revokes the agent's API access.
  • Account Deletion — Request deletion of your account and all associated data by contacting [email protected]

Data Retention

Retention Policies

  • Account data — Retained while your account is active. Deleted upon account closure.
  • Agent telemetry & events — Retained according to your chosen retention tier (14 days free, 90/365/730 days with paid add-ons). Purged automatically during the daily maintenance window.
  • AI analysis results — Stored as part of your session data and subject to the same retention policy as other telemetry.
  • Audit logs — Authentication events, agent connection records (including source IP), rejected-connection logs, registration context, and administrative actions are retained for security and abuse-prevention purposes for 12 months, after which they are deleted or anonymized. An agent's current registration IP, last-seen IP, and device identifiers are stored on the agent record for as long as the agent exists in your account and are removed when the agent is deleted.
  • Payment metadata — Card fingerprint and billing metadata are retained for the life of the account and for a limited period after closure for fraud-prevention, accounting, and legal-claim purposes, then deleted or anonymized.
  • Threat indicators & abuse-detection signals — Indicators observed in evaluated commands, and the risk signals supporting automated abuse detection, are retained for security purposes to protect the platform as a whole.
  • Security / legal hold — Data associated with a security incident or a banned account may be retained beyond the normal window under a legal/security hold, so it is preserved as evidence rather than purged, until the hold is released.
  • Legal basis (where applicable) — Where the GDPR or similar laws apply, we process connection IP addresses, device identifiers, and payment metadata on the basis of our legitimate interest in securing the platform and preventing fraud and abuse. For customer-managed endpoints, this processing is governed by our Data Processing Addendum.

Data Deletion

To request deletion of your organization's data, contact [email protected]. We will process deletion requests within 30 days in accordance with applicable privacy regulations (GDPR, CCPA).

ET Ducky

AI-powered kernel-level diagnostics for Windows and Linux

Product

Documentation Pricing Downloads

Support

Documentation System Status Contact

Security

Security Posture Security Whitepaper Security Documentation

Legal

Privacy Policy Terms of Service EULA

© 2026 ET Ducky. All rights reserved.

Contact Us

Email
support@etducky.com
Phone
+1-817-880-1336