Last updated: April 2026

Privacy Policy.

This document is being finalized with our counsel. Meanwhile, here's a straight summary of how we handle your data today. Specific questions: [email protected].

What we collect.

Name, email, organization and password (bcrypt cost 12). Locale preference. Dashboard usage metadata (which page, when, which scan). Nothing beyond what's needed to run the product.

Cloud credentials.

AWS: we store only the Role ARN and External ID. Both are public references, never a private key. GCP: the Service Account key is encrypted at rest with Fernet + PBKDF2-SHA256 (600,000 iterations and a per-credential salt). It's only decrypted in memory during a scan. We don't store the decryption password alongside the data.

What we don't do.

100% read-only: we never create, modify or delete resources in your cloud. We don't sell data to third parties. We don't use your findings to train models. We don't send information outside the infra providers we use to operate the product.

Cookies and analytics.

We use httpOnly cookies for the session (required) and aggregated, anonymous Vercel Analytics to understand site traffic. No ad trackers, no fingerprinting.

Contact.

Privacy questions, data access or deletion requests: [email protected]. Answered within 5 business days.