Privacy Policy
Your privacy is important to us. This policy explains how we handle your data.
Last updated: January 21, 2026
Summary
We collect the minimal data necessary to provide our security scanning service. We never sell your data to third parties. You can request deletion of your data at any time.
1. Information We Collect
We collect information in the following categories:
1.1 Account Information
- Email address (required for account creation)
- Name (if provided)
- Company name (if provided)
- Password (stored securely using industry-standard hashing)
1.2 Scan Data
- URLs of websites you submit for scanning
- Scan results and security findings
- Timestamps of scans performed
Note: We only scan publicly accessible content. We do not store any sensitive data discovered during scans (such as exposed API keys). Findings are presented in reports only, and users are responsible for remediation.
1.3 Usage Data
- IP address
- Browser type and version
- Pages visited and features used
- Date and time of access
- Referring website
- Device information (operating system, screen resolution)
1.4 Cookies and Tracking
We use cookies and similar technologies for:
- Essential cookies: Required for the service to function (authentication, session management)
- Analytics cookies: Help us understand how users interact with our service
- Preference cookies: Remember your settings and preferences
You can control cookie settings through your browser. Disabling essential cookies may affect service functionality.
2. How We Use Your Information
We use collected information for the following purposes:
- Provide the Service: Perform security scans, generate reports, and deliver results
- Account Management: Create and manage your account, authenticate your identity
- Communications: Send service-related notifications, security alerts, and updates
- Improve the Service: Analyze usage patterns to enhance features and fix bugs
- Security: Detect and prevent fraud, abuse, and security threats
- Legal Compliance: Comply with applicable laws and regulations
We do NOT:
- Sell your personal data to third parties
- Use your data for targeted advertising
- Share scan results with anyone other than you
- Store sensitive data discovered during scans
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process your data under the following legal bases:
- Contract Performance: Processing necessary to provide the services you requested
- Legitimate Interests: Processing for our legitimate business interests (security, fraud prevention, service improvement)
- Consent: Where you have given explicit consent (e.g., marketing communications)
- Legal Obligation: Processing required to comply with applicable laws
4. Data Sharing and Third Parties
We may share your data with the following categories of third parties:
- Service Providers: Cloud hosting (Supabase, Vercel), payment processors, email delivery services
- Analytics Providers: To help us understand service usage
- Legal Authorities: When required by law, court order, or government request
- Business Transfers: In connection with a merger, acquisition, or sale of assets
All third-party service providers are contractually obligated to protect your data and use it only for the purposes we specify.
5. Data Retention
We retain your data for the following periods:
- Account Data: Retained while your account is active, plus 30 days after deletion request
- Scan Results: Retained for 90 days, or until you delete them
- Usage Logs: Retained for 12 months for security and analytics purposes
- Payment Records: Retained for 7 years as required by tax and financial regulations
After the retention period, data is securely deleted or anonymized.
6. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Secure password hashing using bcrypt
- Regular security audits and vulnerability assessments
- Access controls and authentication for all systems
- Automated threat detection and monitoring
- Regular backups with encrypted storage
While we implement robust security measures, no system is 100% secure. We cannot guarantee absolute security of your data.
7. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission for transfers from the EEA.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
Rights Under GDPR (EEA Residents)
- Right of Access: Request a copy of your personal data
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing: Request limitation of processing
- Right to Data Portability: Receive your data in a portable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time
Rights Under CCPA (California Residents)
- Right to Know: Request information about data collection practices
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of sale of personal information (we do not sell data)
- Right to Non-Discrimination: No discrimination for exercising your rights
To exercise any of these rights, contact us at @lukefrostdev on X (Twitter). We will respond to requests within 30 days.
9. Children's Privacy
PlenoScan is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will promptly delete it. If you believe we have collected information from a child, please contact us immediately.
10. Third-Party Links
Our Service may contain links to third-party websites or services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policy of every site you visit.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice (such as email notification). Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.
12. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Twitter/X: @lukefrostdev
For GDPR-related inquiries, you also have the right to lodge a complaint with your local data protection authority.
By using PlenoScan, you acknowledge that you have read and understood this Privacy Policy.