Privacy Policy

Last updated: June 3, 2026

Short version: we collect what we need to run the service and nothing more. We don't sell your data. Ever.

1. What we collect

Account information: If you create an account, we store your email address and the date you signed up. We use Supabase for authentication.

Scan data: We store the domain you scanned, the scan timestamp, and the scan results. Scan results include findings from our 7 checks (headers, DNS, SSL, exposure, secrets, subdomains, fingerprint).

IP addresses: For anonymous users (no account), we record your IP address to enforce the daily scan limit. We don't use IP data for any other purpose and we don't store it longer than 30 days.

Payment information: Payments are processed by Stripe. We don't store your credit card number. Stripe gives us a confirmation that payment completed and the amount — that's it.

2. What we don't collect

  • We don't track you across other websites
  • We don't use advertising trackers or third-party analytics
  • We don't store real credentials found during scans — if a scan finds an exposed API key, we redact it before saving anything
  • We don't read or store the content of the stores you scan beyond what the scanner checks

3. How we use your data

We use your data to:

  • Run and store your scans
  • Enforce rate limits (free tier limits)
  • Send transactional emails (report delivery, account notifications)
  • Improve the accuracy of the scanner

We don't use your scan data to build advertising profiles or sell insights to third parties.

4. Who we share data with

Supabase: Hosts our database and handles authentication. See supabase.com/privacy.

Stripe: Processes payments. We share only what Stripe needs (email, amount, scan ID). See stripe.com/privacy.

We don't share your data with any other third parties.

5. Data retention

Scan results are kept for as long as your account is active. If you delete your account, we delete your scans within 30 days.

Anonymous scan data (IP + timestamp) is deleted after 30 days.

Paid reports are retained for 12 months so you can re-download them.

6. Your rights

You can:

  • Request a copy of all data we hold about you
  • Ask us to delete your account and all associated data
  • Correct any inaccurate information we hold

To exercise any of these rights, email hello@sekura.app with the subject line "Data request".

7. Cookies

We use a single session cookie to keep you logged in. We don't use tracking cookies or third-party advertising cookies.

8. Security

All data is transmitted over HTTPS. Passwords are never stored — Supabase handles authentication using industry-standard practices. Credentials found during scans are redacted before storage.

9. Changes to this policy

If we make a material change to this policy, we'll notify you by email (if you have an account) at least 7 days before it takes effect.

10. Contact

Questions about privacy? Email us at hello@sekura.app.