Privacy Policy
Last updated: February 19, 2026
1. What We Collect
Account Information
When you create an account, we collect:
- Email address
- Name (if provided)
- Authentication data (managed by Supabase Auth)
Scan Data
When you run a scan, we collect and store:
- The URL you submitted
- Scan results (security findings, scores, grades)
- Timestamps of when scans were initiated and completed
Payment Information
Payment processing is handled entirely by Stripe. We do not store credit card numbers, CVVs, or full payment details. We store your Stripe customer ID and subscription status to manage your plan.
Usage Data
We collect standard web analytics data including:
- IP address (used for rate limiting, not stored long-term)
- Browser type and version
- Pages visited and features used
2. How We Use Your Data
- Delivering the Service: Running scans, generating reports, managing your account
- Billing: Processing payments and managing subscriptions via Stripe
- Communication: Sending scan result notifications, welcome emails, and critical service updates
- Rate limiting: Preventing abuse of the free tier
- Improving the Service: Using aggregated, anonymised scan statistics to improve our detection accuracy
3. What We Do NOT Do
- We do not sell your data to third parties
- We do not share individual scan results with anyone except you (unless you create a share link)
- We do not store full secret values found during scans — only masked versions (first 6 + last 4 characters)
- We do not use your data for advertising
- We do not send marketing emails without your consent
4. Data Storage and Security
Your data is stored in Supabase (PostgreSQL) with Row Level Security enabled. All data is encrypted in transit (TLS) and at rest. Our database is hosted in the United States.
5. Data Retention
- Free scan results: Retained for 30 days, then automatically deleted
- Paid scan results: Retained for the duration of your subscription plus 90 days
- Account data: Retained until you delete your account
- IP addresses: Used for rate limiting only, not stored persistently
6. Third-Party Services
We use the following third-party services that may process your data:
- Supabase — Database, authentication, and realtime updates
- Stripe — Payment processing
- Vercel — Application hosting
- Railway — Scanner service hosting
- Resend — Transactional email delivery
Each of these services has its own privacy policy governing its handling of your data.
7. Your Rights
You have the right to:
- Access your data — view your scan history and account information in your dashboard
- Delete your data — request account deletion by contacting support
- Export your data — download your scan reports as PDF
- Correct your data — update your profile information in your dashboard
For EU/EEA residents: you have additional rights under GDPR including the right to data portability and the right to restrict processing. Contact us to exercise these rights.
8. Cookies
We use essential cookies for authentication (Supabase session tokens). We do not use tracking cookies or third-party advertising cookies.
9. Children
The Service is not intended for use by anyone under the age of 16. We do not knowingly collect data from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email.
11. Contact
Questions about this Privacy Policy? Email us at privacy@securitychecker.dev.