Privacy Policy - Cerberus Anti-Cheat

Last updated: May 2026

Overview

Cerberus Anti-Cheat is a beta product developed by the Cerberus Team ("we", "us"). This policy explains what data the Cerberus SDK and backend services collect, how it's processed, and what rights you have over it.

The short version: we process almost everything locally on the player's machine. Only detection events with anonymized metadata leave the device. We collect zero personally identifiable information (PII).

What data Cerberus processes

The Cerberus SDK runs on the player's machine during active game sessions. It processes the following data locally:

Hardware identifiers -- CPU, GPU, motherboard, and peripheral IDs used for device fingerprinting. These are one-way hashed before any transmission.
Input patterns -- Mouse movement, click timing, and keyboard input analyzed by the behavioral AI engine. Raw input data never leaves the device.
Memory state -- Kernel-mode scanning of memory permissions, loaded drivers, and module integrity. No memory contents are captured or transmitted.
PCIe device enumeration -- List of connected hardware devices checked against known DMA attack signatures. Processed locally.

All of the above is processed entirely on the player's machine. The SDK performs analysis locally and only transmits structured detection results -- never raw data.

What gets sent to the Cerberus API

When the SDK detects a potential cheat, the following is transmitted to our backend over TLS 1.3:

Detection events -- The type of detection (e.g., aimbot, injection, DMA), confidence score, and which detection layer triggered.
Anonymized session metadata -- Game ID, session duration, SDK version, region, and an anonymized session identifier. No player names, emails, IPs, or account details.
Hashed hardware fingerprint -- A one-way hash used solely for ban evasion tracking. Cannot be reversed to identify specific hardware.

We do not transmit: game memory contents, screenshots, keystrokes, browsing data, file system contents, running process lists (beyond game-relevant modules), or any telemetry about player behavior outside of cheat detection.

Zero PII collection

Cerberus does not collect, store, or process any personally identifiable information. We don't know who players are. We work with anonymized session tokens and hashed hardware IDs. Player identity mapping (e.g., Steam ID to a ban record) is handled entirely by the game studio's integration -- we provide the detection, they manage the identity layer.

Data retention

Detection events -- Retained for 90 days to support ban appeals and accuracy analysis. Configurable per partner (shorter periods available).
Session metadata -- Retained for 30 days, then permanently deleted.
Hashed hardware fingerprints -- Retained for the duration of an active ban. Deleted when a ban expires or is overturned.

After retention periods expire, data is permanently deleted from all systems including backups. We do not archive detection data indefinitely.

Your rights (GDPR and similar frameworks)

Even though we don't collect PII, we respect data subject rights under GDPR, CCPA, and similar frameworks. If you believe Cerberus has processed data related to you, you can request:

Access -- Request a copy of any data associated with your hashed hardware fingerprint or session tokens.
Deletion -- Request deletion of all detection records and metadata tied to your identifiers.
Portability -- Receive your data in a structured, machine-readable format (JSON).
Rectification -- If you believe a detection was incorrect, you can request review through the ban appeal process or directly via a data request.

To exercise any of these rights, contact privacy@arsenalrx.dev. We respond to all requests within 30 days.

Data processor information

Cerberus acts as a data processor on behalf of game studios (the data controllers) who integrate our SDK. Studios determine how detection results are used (e.g., banning, flagging for review). We process data strictly according to our partner agreements and do not use detection data for any purpose beyond anti-cheat services.

Our backend infrastructure runs on dedicated servers in the EU (Frankfurt) and US (Virginia). Detection data is encrypted at rest (AES-256) and in transit (TLS 1.3).

International transfers

Detection data may be processed in either our EU or US data centers depending on the game session's region. For transfers from the EU to the US, we rely on Standard Contractual Clauses (SCCs) as our legal basis. All cross-region transfers use encrypted channels and are subject to the same retention and deletion policies.

Cookies

The Cerberus SDK does not use cookies. Our website (accerberus.github.io) uses only essential cookies:

Session cookie -- Maintains your session on the partner dashboard if you're logged in. Expires when the browser closes.
Preferences cookie -- Stores dashboard display preferences (theme, timezone). Expires after 30 days.

We do not use analytics cookies, advertising cookies, or any third-party tracking. No cookie consent banner needed because we only use strictly necessary cookies.

Changes to this policy

We'll update this policy as Cerberus evolves from beta to general availability. Material changes will be announced on our changelog and communicated to partner studios. The "last updated" date at the top of this page always reflects the most recent revision.

Contact

For privacy questions, data requests, or concerns:

Email: privacy@arsenalrx.dev

We aim to respond to all inquiries within 5 business days.