Privacy Policy

SecurityOwl ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the SecurityOwl web security scanning platform, including our website, APIs, and all related services (collectively, the "Service").

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with the practices described herein, please do not use the Service.

1. Information We Collect

We collect the following categories of information:

1.1 Account Information

When you create an account, we collect your name, email address, and profile information provided through your authentication provider (GitHub OAuth). We do not store passwords directly, as authentication is handled through third-party OAuth providers.

1.2 Scan Data

When you initiate a scan, we collect the target URL you submit and the scan results generated by our scanning engine. This includes identified vulnerabilities, misconfigurations, security findings, risk scores, and AI-generated analysis. Scan data is associated with your account and stored for your access through the dashboard.

1.3 Payment Information

If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We do not directly collect, store, or process your credit card numbers, bank account details, or other sensitive financial information. We receive limited information from Stripe, including your subscription status, plan type, and transaction identifiers, to manage your account and provide the appropriate level of service.

1.4 Usage Data

We automatically collect certain information about your use of the Service, including your IP address, browser type and version, operating system, referring URLs, pages visited, timestamps of access, scan frequency, and feature usage patterns. This data helps us understand how the Service is used and improve its performance and functionality.

1.5 Device and Technical Data

We may collect device identifiers, screen resolution, language preferences, and other technical data necessary for providing and optimizing the Service.

2. How We Use Your Information

We use the information we collect for the following purposes:

• To provide, operate, and maintain the Service, including executing security scans and generating reports;
• To process your subscription payments and manage your account;
• To provide AI-powered analysis of scan results using third-party AI services;
• To communicate with you regarding your account, scan results, service updates, and support requests;
• To monitor and analyze usage patterns to improve the Service, fix bugs, and develop new features;
• To detect, prevent, and address fraud, abuse, security incidents, and technical issues;
• To enforce our Terms of Service and Acceptable Use Policy;
• To comply with legal obligations and respond to lawful requests from public authorities.

3. Third-Party Services

We share information with the following third-party service providers to operate the Service. Each provider processes data only for the purposes described below and in accordance with their own privacy policies:

3.1 Stripe (Payment Processing)

We use Stripe to process subscription payments. When you subscribe to a paid plan, your payment information is collected and processed directly by Stripe. We do not have access to your full payment card details. Stripe's handling of your data is governed by the Stripe Privacy Policy.

3.2 Anthropic AI (AI-Powered Analysis)

We use Anthropic's AI models to provide AI-powered analysis and risk correlation of your scan results. When AI analysis is enabled, scan finding data (including target URLs, identified vulnerabilities, and technical details) may be sent to Anthropic's API for processing. AI-generated insights are returned to our Service and presented to you as part of your scan results. Anthropic processes this data in accordance with their privacy and data usage policies.

3.3 GitHub (Authentication)

We use GitHub OAuth for user authentication. When you sign in with GitHub, we receive your GitHub profile information, including your username, email address, and profile picture. We do not access your GitHub repositories, code, or other GitHub data beyond what is necessary for authentication. GitHub's handling of your data is governed by the GitHub Privacy Statement.

4. Data Retention and Deletion

We retain your account information and scan data for as long as your account is active or as needed to provide the Service. Specific retention periods are as follows:

• Account information: Retained for the duration of your account and for up to 30 days following account deletion to allow for account recovery;
• Scan results and history: Retained for the duration of your account. Free-tier users' scan data may be automatically purged after 90 days of account inactivity;
• Payment records: Retained as required by applicable tax and financial regulations, typically for a period of seven (7) years;
• Usage and analytics data: Retained in aggregated, anonymized form indefinitely for statistical and analytical purposes;
• Server logs: Retained for up to 90 days for security monitoring and troubleshooting purposes.

You may request deletion of your account and associated data at any time by contacting us at privacy@securityowl.io. Upon receiving a valid deletion request, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes as described above.

5. Your Rights

Depending on your location, you may have certain rights regarding your personal data under applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA):

5.1 Rights Under GDPR (EEA Residents)

• Right of access: You have the right to request a copy of the personal data we hold about you;
• Right to rectification: You have the right to request correction of inaccurate or incomplete personal data;
• Right to erasure: You have the right to request deletion of your personal data, subject to certain exceptions;
• Right to restrict processing: You have the right to request that we restrict the processing of your personal data in certain circumstances;
• Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format;
• Right to object: You have the right to object to the processing of your personal data for certain purposes;
• Right to withdraw consent: Where processing is based on consent, you have the right to withdraw your consent at any time.

5.2 Rights Under CCPA (California Residents)

• Right to know: You have the right to know what personal information we collect, use, disclose, and sell;
• Right to delete: You have the right to request deletion of your personal information;
• Right to opt-out: You have the right to opt out of the sale of your personal information. We do not sell your personal information;
• Right to non-discrimination: You have the right not to be discriminated against for exercising your CCPA rights.

To exercise any of these rights, please contact us at privacy@securityowl.io. We will respond to your request within 30 days (or such shorter period as required by applicable law). We may require you to verify your identity before processing your request.

6. Cookie Policy

We use a minimal set of cookies that are strictly necessary for the operation of the Service. We do not use third-party tracking cookies, advertising cookies, or analytics cookies that track your behavior across other websites.

The cookies we use include:

• Authentication cookies: Essential cookies used to maintain your login session and authenticate your requests. These cookies are set when you sign in and expire when you sign out or after a period of inactivity;
• Session cookies: Temporary cookies used to maintain state during your use of the Service, such as CSRF protection tokens. These cookies are deleted when you close your browser;
• Preference cookies: Cookies that store your preferences and settings within the Service, such as display preferences.

Because we only use strictly necessary cookies, we do not require a cookie consent banner under most applicable regulations. You can configure your browser to block or delete cookies, but doing so may prevent you from using certain features of the Service.

7. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS/SSL protocols;
• Encryption of sensitive data at rest;
• Access controls and authentication requirements for all internal systems;
• Regular security assessments and vulnerability testing of our own infrastructure;
• Secure software development practices;
• Employee security awareness training and access restrictions based on role and necessity.

While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data.

8. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we have inadvertently collected information from a child under 18, please contact us at privacy@securityowl.io.

9. International Data Transfers

Your information may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws that differ from the laws of your country. By using the Service, you consent to the transfer of your information to the United States and other jurisdictions where we or our service providers operate.

Where we transfer personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission to ensure your data is protected in accordance with applicable law.

10. Data Breach Notification

In the event of a data breach that affects your personal data, we will notify you and any applicable regulatory authorities as required by applicable law. We will provide notification without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with GDPR requirements.

Our breach notification will include a description of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate any adverse effects.

11. Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. Because we do not engage in cross-site tracking and use only strictly necessary cookies, our Service effectively honors DNT signals by default.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, by sending you an email notification or displaying a prominent notice within the Service.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

If you are located in the EEA and believe that we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.