Legal and ethics.
Last updated: July 13, 2026
Bayloz is a security research company. The nature of our work means people trust us with sensitive situations, so we hold ourselves to strict legal and ethical boundaries. This page explains them in plain language.
How we work
- We use lawful methods only. Our research relies on open-source intelligence: information that is publicly and legitimately accessible.
- Company exposure assessments are performed only with the written authorization of the company being assessed.
- We comply with the laws applicable to each engagement and decline work we cannot perform lawfully.
What we will not do
- We do not gain unauthorized access to accounts, devices, or systems. We do not intercept private communications.
- We do not doxx. We do not publish or leak personal information.
- We do not accept cases whose goal is harassment, intimidation, or retaliation.
- We do not surveil private individuals without a lawful basis. Requests to monitor a partner, family member, or acquaintance are declined.
- We do not buy data from illegitimate sources.
Before accepting an investigation we verify the identity of the client and the legitimacy of the case, and we may ask for supporting documentation. We refuse, and where legally required report, requests that would facilitate harm.
Evidence and referrals
Our findings are documented so they can be used by lawyers, platforms, or law enforcement. We are researchers, not a law firm: nothing we provide is legal advice. Where a case involves imminent danger to a person, we will advise contacting the authorities and may be obligated to do so ourselves.
Privacy
- This website sets no cookies and runs no trackers, analytics, or fingerprinting of any kind.
- The only thing stored on your device is a single flag remembering that you closed the notice banner, kept in your browser's local storage. You can clear it at any time.
- Our hosting provider may keep short-lived technical access logs; we add no tracking of our own on top.
- If you email us, your correspondence is treated as confidential, shared with no third parties, and deleted on request. Ask us for PGP or Signal details if your situation calls for them.
Reporting a vulnerability
If you found a security issue in anything we operate, we want to hear about it. See our security.txt for the reporting channel, or use the contact page. We will not pursue legal action for good-faith research.