Terms of Service
Effective 2026-05-13. By using Leakwarden you agree to these terms, our Acceptable Use Policy, and our Privacy Policy. If you don't agree, don't use the service.
1. Definitions
- "Service" — the Leakwarden website, API, scanning engines, dashboards, reports, and disclosure pipeline, taken together.
- "Operator", "we", "us" — the sole proprietor based in Illinois, USA, who operates Leakwarden. Contact: [email protected].
- "You", "Customer" — the person or organization using the Service. If you're acting for an employer, you represent that you have authority to bind them.
- "AUP" — our Acceptable Use Policy, incorporated into these Terms by reference.
- "Findings" — security observations produced by a scan, including severity, evidence, and remediation hints.
2. The Service
Leakwarden runs automated security checks against web hosts you submit and reports what we find. Tiers:
- Free — surface checks (a fixed pre-known path list), 1 scan / 10 minutes per IP, 7-day finding retention.
- Deep scan ($9 one-shot) — extended check set including subdomain enumeration, JS-bundle secret extraction, and additional rule families. 90-day retention.
- Indie monitor ($29/mo) — scheduled deep scans of verified domains with diff-from-last-scan alerting.
- Pro monitor ($99/mo) — higher domain caps + priority queue.
Tier composition, prices, and rate limits may change with notice as described in §17.
3. Eligibility & accounts
You must be at least 18 years old and legally able to enter contracts in your jurisdiction. One person or organization per account. Magic-link sign-in: keep the email address on your account secure — anyone with access to it can sign in. Account sharing across organizations is not permitted.
4. Authorization to scan
Before submitting a domain, you affirm that at least one of the following is true:
- You own the domain.
- You have written permission from the owner to test it.
- The target is listed on a public bug-bounty program whose rules permit unsolicited testing.
Paid scans require an explicit attestation checkbox each time.
Continuous-monitoring subscriptions require DNS-based ownership
proof (TXT record or /.well-known/<random>.txt)
before the first scan runs. You are solely responsible for
ensuring your use is lawful and authorized; we rely on your
attestation.
5. Acceptable use
You agree to the Acceptable Use Policy, which forms part of these Terms. Material breaches of the AUP are grounds for immediate suspension or termination under §13.
6. Payments & billing
Paid tiers are processed through Stripe Checkout. We are the merchant of record; Stripe is our payment processor. Prices are in US Dollars and exclude any taxes which may apply where you are located. Subscriptions renew automatically each billing period until canceled.
You authorize us to charge the payment method on file for all amounts due. If a charge fails, we may suspend the service until payment is restored.
7. Refunds & cancellation
- $9 deep scan: refundable within 24 hours of purchase if the scan failed to complete or returned a service-side error. Refundable in our discretion if you purchased in error and have not yet downloaded the report.
- Monthly subscriptions ($29 / $99): cancel anytime through the Stripe Customer Portal accessible from your dashboard. No prorated refund for the current period; the subscription remains active through the end of the paid period and then stops.
- Annual prepays (if offered in the future): prorated refund of unused months in our discretion, less a 10% administrative fee, on cancellation for reasons other than our material breach.
- Chargebacks: if you dispute a charge with your card issuer instead of contacting us first, we may terminate your account.
8. Disclosure pipeline
Independent of customer-initiated scans, we operate a
proactive disclosure pipeline (described in AUP
§4) that notifies operators of certain leaks discovered via
certificate-transparency monitoring. This service is
always free. Payment is never a condition of the
disclosure. We never publish findings in less than 30 days from
first notification. Reply STOP to opt out
permanently.
9. Your data; our data
- Your data. You retain all rights to data you submit (including domains, scan targets) and to the Findings produced from your scans. We process this data on your behalf solely to provide the Service. See the Privacy Policy.
- Our content. The Service software, scanning rules, brand, and documentation are our intellectual property. You receive a non-exclusive, non-transferable, revocable license to use them to operate the Service. No reverse-engineering, scraping, or competitive replication of the rule set.
- Aggregated insights. We may compile non-identifying aggregate statistics across scans (e.g. "X% of scanned hosts had a .git exposure last month") for research, marketing, or product improvement. No individual customer or target is identifiable in this output.
10. Service availability
The Service is provided on a best-effort basis. We do not offer a contractual SLA at any current tier. We perform scheduled maintenance from time to time, generally announced via email or the dashboard. We are not liable for downtime caused by upstream providers, DDoS events, force-majeure conditions, or your own infrastructure.
11. Acceptable findings limitations
Findings are best-effort detections. Absence of a finding is not a guarantee that a host is secure. No scanner detects every class of vulnerability and detection rules drift over time. You should not treat a clean scan as certification of security, and we do not represent or warrant that you will discover all vulnerabilities through use of the Service.
12. Disclaimer of warranties
THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE". TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, WE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ACCURACY OF FINDINGS. SOME JURISDICTIONS DO NOT ALLOW EXCLUSION OF CERTAIN WARRANTIES, IN WHICH CASE THIS DISCLAIMER APPLIES TO THE FULLEST EXTENT PERMITTED.
13. Limitation of liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL OUR AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO YOUR USE OF THE SERVICE EXCEED THE GREATER OF (a) USD $100 OR (b) THE AMOUNTS YOU PAID US IN THE 12 MONTHS IMMEDIATELY PRECEDING THE CLAIM. IN NO EVENT WILL WE BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, REVENUE, DATA, OR GOODWILL, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT, STATUTE, OR OTHERWISE) AND EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME JURISDICTIONS DO NOT ALLOW LIMITATION OF LIABILITY FOR CERTAIN CATEGORIES OF DAMAGES (E.G. GROSS NEGLIGENCE, WILLFUL MISCONDUCT). NOTHING IN THESE TERMS LIMITS LIABILITY THAT CANNOT BE LAWFULLY LIMITED.
14. Indemnification
You agree to indemnify and hold harmless the Operator from any claim, loss, damage, or expense (including reasonable attorneys' fees) arising out of (a) your breach of these Terms or the AUP, (b) your scanning of a domain you were not authorized to scan, (c) your violation of any law or third-party right, or (d) any content or data you submit to the Service.
15. Termination
You may terminate at any time by canceling your subscription and deleting your account from the dashboard.
We may suspend or terminate your access immediately, without notice, if (a) you materially breach these Terms or the AUP, (b) we reasonably believe your use is causing harm to a third party or to the Service, (c) payment is overdue, or (d) we are required to do so by law. Upon termination, your right to use the Service ends; provisions intended to survive (warranties, liability, indemnification, governing law, miscellaneous) do.
16. DMCA / copyright
If you believe content accessible via the Service infringes your
copyright, send a notice to [email protected]
with: (a) your physical or electronic signature, (b)
identification of the copyrighted work, (c) identification of
the material claimed to be infringing and its location, (d)
your contact information, (e) a statement of good-faith belief
that the use is unauthorized, and (f) a statement that the
information in the notice is accurate and that you are
authorized to act on behalf of the rights holder. We will
respond consistent with 17 U.S.C. §512.
17. Changes to these Terms
Material changes — anything affecting your fees, your rights, or our liability — will be emailed to active customers at least 30 days before taking effect. Non-material changes (typo fixes, contact-address updates) take effect on publication; the effective date at the top of this page reflects the most recent change. Continued use of the Service after a change becomes effective constitutes acceptance.
18. Governing law & venue
These Terms are governed by the laws of the State of Illinois,
USA, without regard to its conflict-of-laws principles. The UN
Convention on Contracts for the International Sale of Goods does
not apply. Any dispute arising out of or related to these Terms
or the Service that is not resolved informally
([email protected] — please try first) will be
brought exclusively in the state or federal courts located in
the State of Illinois, and you consent to personal jurisdiction
and venue there.
For EU/UK consumers: nothing in this section deprives you of the protection of mandatory consumer-protection provisions of the law of the country in which you reside.
19. Miscellaneous
- Entire agreement. These Terms (plus the AUP and Privacy Policy) are the entire agreement between you and us regarding the Service.
- Severability. If a provision is unenforceable, the rest of these Terms remain in effect.
- No waiver. Failure to enforce a provision is not a waiver of future enforcement.
- Assignment. You may not assign these Terms without our prior written consent. We may assign these Terms to a successor in a sale of substantially all of the business.
- Force majeure. Neither party is liable for failure or delay caused by events outside its reasonable control (natural disaster, war, civil unrest, internet-backbone outages, governmental action, pandemic, labor strikes affecting a sole proprietor's ability to operate, etc.).
- Notices. We may send notices to the email on your account. You may send notices to [email protected].
- No agency. Nothing here creates a partnership, joint venture, agency, or employment relationship.
20. Contact
General: [email protected].
Privacy: [email protected].
Abuse: [email protected].
Security disclosure for our own infrastructure: [email protected].