Legal
Privacy Policy
Effective 2026-04-29
What we collect
- Account data: email address, full name (optional).
- Scan target URLs: the URLs you submit are stored to associate scans with your account.
- Scan results: findings, screenshots, rendered page-content snippets.
- Billing data: Stripe customer ID and subscription state. Card data is handled exclusively by Stripe; we never see it.
- IP addresses: for free-scan rate limiting (24-hour TTL) and abuse detection.
How long we keep it
Scan data is retained for 90 days by default on the Scanner tier; the Defense and Agency tiers retain scan data for the duration of the subscription plus 90 days. You can request earlier deletion at any time. Deleted accounts have all scan data and reports erased within 7 days.
PII handling
Customer URLs are treated as PII. They are not logged at INFO level in our observability stack and are not shared with third parties for marketing purposes.
Sub-processors
- Stripe — payment processing
- Google Cloud Run + Cloud Storage — application hosting and PDF storage
- Google Cloud SQL — managed Postgres
- Cloudflare — DNS and edge caching for the marketing site
- Resend — transactional email (sign-in links, scan-complete notifications)
- Sentry — application error monitoring (PII-scrubbed)
- BetterStack — uptime monitoring
Your rights (GDPR / CCPA)
- Access: view all data we hold about you in the dashboard.
- Portability (GDPR Art. 20): export your scans + findings as JSON via /api/v1/users/me/export (Defense+ tiers).
- Erasure: delete your account in /settings; we erase within 7 days.
- Rectification: update your profile data in /settings.
- Restriction / objection: contact privacy@scan-access.com.
Contact
Privacy enquiries: privacy@scan-access.com