Privacy Policy
Last updated: 2026-04-12
What we collect
When you sign up, we collect your email address, name, and (for email accounts) a bcrypt-hashed password. If you sign in with Google, we additionally store your Google profile picture URL.
When you use the scanner, we store the URLs/IPs you submit as scan targets, the scan results (findings, open ports, exposed endpoints, etc.), and the timestamps of scans.
If you subscribe to a paid plan, we use Stripe as our payment processor. We store your Stripe customer ID but never your card details — those are handled entirely by Stripe.
What we do NOT collect
- We do not track you across the web with cookies or analytics scripts
- We do not sell or share your scan data with third parties
- We do not store the content of your target websites — only the metadata of what we found
How we use your data
- To run security scans you request and show results back to you
- To send transactional emails (verification, weekly summaries for subscribers)
- To bill you if you're on a paid plan (via Stripe)
- To send your scan data to Anthropic's Claude API for AI-powered analysis when you request it (scan findings are sent; no other user data)
Data retention
- Scan data is retained for 1 year after the last scan. Older scan runs and findings are automatically purged.
- User accounts can be deleted at any time via the dashboard settings or the /api/me/delete-account endpoint. All associated data is removed immediately.
- Outreach email records are retained for 6 months, then automatically deleted.
- Newsletter subscriptions can be cancelled at any time via the unsubscribe link in each email.
Third parties
- Stripe — payment processing
- Resend — transactional email delivery
- Anthropic (Claude) — AI analysis of scan findings (only when you request it)
- Google — OAuth sign-in (only if you choose Google login)
- AWS — where our scanner infrastructure runs
- Cloudflare — our DNS provider and TLS termination
Your rights (GDPR)
Under GDPR and similar privacy regulations, you have the right to:
- Access — Export all your data via GET /api/me/data-export
- Erasure — Delete your account and all associated data via POST /api/me/delete-account
- Portability — Your data export is provided as standard JSON
- Rectification — Update your profile in the dashboard settings
- Objection — Unsubscribe from emails via one-click links, or contact us
For any privacy request, email [email protected].
Scanning ethics
You must only scan targets you own or have explicit permission to test. Unauthorized scanning violates our terms and may be illegal in your jurisdiction. We log all scans against the authenticated user.
Contact
Security Scanner is operated by Stefan Lederer. Questions? [email protected]