Privacy Policy

Draft · last updated 2026-05-10 · pre-launch placeholder.

What we collect

  • The domain you submit to be scanned, plus the IP address making the request and a timestamp.
  • For accounts: email address, magic-link tokens (stored only as a hash, never in the clear), Stripe customer ID.
  • Findings produced by scans (treated as sensitive — see below).
  • Privacy-respecting analytics via Umami: page, referrer, country. No third-party trackers, no Google Analytics.

How findings are handled

  • Encrypted at rest in Postgres via column-level encryption.
  • Free-scan findings are auto-deleted after 7 days.
  • Paid one-shot findings are auto-deleted after 90 days unless you're on a monitoring subscription.
  • We never email full credential values. Reports show only the last four characters and the total length of a secret — re-scan from your dashboard if you need the raw value.

Who we share with

  • Stripe — payment processing.
  • Brevo — transactional email delivery.
  • Cloudflare — DNS, CDN, DDoS protection. Cloudflare sees request metadata.
  • Nobody else. We do not sell, rent, or trade customer data.

Disclosure pipeline

If our certificate-transparency monitoring pipeline surfaces a finding on a domain you control (that is, a scan you did not initiate), we may contact you at a standard administrative address (security@, abuse@, or the WHOIS contact). You can opt out at any time by replying STOP. We keep a permanent do-not-contact list keyed by apex domain, so opting out for one hostname covers every hostname under the same registrable domain.

Your rights

You can export or delete your data anytime via your dashboard, or by emailing [email protected]. We respond within 30 days.