Privacy Policy

We collect information that you voluntarily provide to us when you:

• Register for an account (email address, name)
• Subscribe to a paid plan (billing information processed by our payment provider, Lemon Squeezy)
• Submit a contact form (name, email, message content)
• Use the Service to scan websites (domain names, scan results)
• Generate API keys for the Evidence API

We automatically collect certain technical information when you access the Service, including your IP address, browser type, operating system, and pages visited. We use this information solely for security monitoring and service improvement.

We use the information we collect to:

• Provide, operate, and maintain the Service
• Process your scan requests and deliver results
• Manage your account and subscription
• Communicate with you about your account or our Service
• Respond to your inquiries and support requests
• Monitor and analyze usage patterns to improve the Service
• Detect, prevent, and address technical issues and abuse
• Comply with legal obligations

When you scan a website using PreConsent, we collect and store information about third-party requests, cookies, and fingerprinting techniques detected on the target website. This data is:

• Associated with your account and accessible only to you (and administrators for support purposes)
• Retained for as long as your account is active, unless you request deletion
• Shared publicly only if you explicitly enable a public share link for a specific scan

Scan data describes the behavior of third-party scripts on the scanned website. It does not contain personal data of the website's visitors.

If you are located in the European Economic Area (EEA) or the United Kingdom, our legal basis for processing your personal data includes:

• Contract performance: Processing necessary to provide the Service you have subscribed to
• Legitimate interests: Processing for security, fraud prevention, and service improvement
• Consent: Where you have given explicit consent, such as for marketing communications
• Legal obligation: Processing required to comply with applicable laws

We do not sell your personal data. We share information with third parties only in the following circumstances:

• Service providers: We use Supabase for data storage and authentication, and Lemon Squeezy for payment processing. These providers process data on our behalf under data processing agreements.
• Legal requirements: We may disclose information if required by law, regulation, or legal process.
• Business transfers: In connection with a merger, acquisition, or sale of assets.

We retain your personal data for as long as your account is active or as needed to provide the Service. Scan data is retained indefinitely unless you delete individual scans or request account deletion.

Contact form submissions are retained for up to 12 months. After account deletion, we may retain certain anonymized data for analytics purposes.

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you
• Rectification: Request correction of inaccurate personal data
• Erasure: Request deletion of your personal data
• Portability: Request a machine-readable copy of your data
• Objection: Object to processing based on legitimate interests
• Restriction: Request restriction of processing in certain circumstances

To exercise any of these rights, please contact us at our contact page. We will respond to your request within 30 days.

If you are a California resident, you have additional rights under the California Privacy Rights Act (CPRA), including:

• The right to know what personal information is collected, used, shared, or sold
• The right to delete personal information held by businesses
• The right to opt out of the sale or sharing of personal information
• The right to non-discrimination for exercising your privacy rights
• The right to correct inaccurate personal information

We do not sell or share personal information as defined under the CPRA.

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit (TLS) and at rest
• Row Level Security (RLS) policies on all database tables
• API key hashing using SHA-256 (plaintext keys are never stored)
• Regular security reviews and access control audits

While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure.

Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required by GDPR or UK GDPR.

The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete such information.

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us through our contact page.