Privacy Policy
Last updated: June 2026
1. Who We Are
ScanSentinel ("we", "us", "our") provides a website cyber hygiene scanning platform. This policy explains how we handle personal data when you use our service.
2. Data We Collect
Account Data
When you create an account, we collect your email address, name, and profile picture via our authentication provider (Clerk). This data is necessary to provide you with an account.
Scan Data
When you submit a domain for scanning, we collect the domain name and the results of automated security checks (SSL certificates, DNS records, HTTP headers, open ports, TLS configuration). You warrant that you own or have permission to scan each domain you submit.
Usage Data
We maintain audit logs of actions taken within the platform. These logs include your user ID, the action performed, and a timestamp. IP addresses are retained for a maximum of 90 days.
Billing Data
Payment processing is handled by Stripe. We store your subscription plan and status. We do not store full payment card details.
3. How We Use Your Data
- Service delivery: To perform security scans, store results, and display dashboards (contractual necessity, Art 6(1)(b) UK GDPR).
- Account management: To authenticate you, manage your subscription, and communicate service updates (contractual necessity).
- Security and abuse prevention: Audit logs and rate limiting protect the platform and our users (legitimate interest, Art 6(1)(f) UK GDPR).
4. Data Sharing
We share data with the following sub-processors:
- Clerk, Inc. — Authentication (USA). DPA available.
- Stripe, Inc. — Payment processing (USA/Global). DPA available.
- Resend, Inc. — Transactional email (USA). DPA available.
We do not sell personal data. We do not use your data for advertising.
5. Data Retention
- Account data: Retained until you delete your account.
- Scan data: Retained while your account is active and for 30 days after account deletion.
- Audit logs: Retained for 90 days, then automatically deleted.
- Backups: Encrypted database backups are retained for 30 days.
6. Your Rights
Under UK GDPR and EU GDPR, you have the right to:
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate data.
- Erasure: Delete your account and associated data from your Profile page.
- Portability: Receive your data in a machine-readable format.
- Objection: Object to processing based on legitimate interests.
7. International Transfers
Our sub-processors are based in the United States. Data transfers are safeguarded by Standard Contractual Clauses (SCCs) as approved by the European Commission and the UK ICO.
8. Security
We implement encryption at rest (AES-256), encryption in transit (TLS), tenant data isolation, role-based access control, and audit logging.
9. Contact
For privacy-related inquiries: [email protected]