Privacy Policy

How UnveilScan handles your data — GDPR by design.

← Back to homepage

1. Introduction

Unveil Technology ("we," "our," "us") operates UnveilScan, a passive web security audit platform. This Privacy Policy explains what data we collect, how we use it, and the rights you have under the European Union General Data Protection Regulation (GDPR / 2016/679) and the French Loi Informatique et Libertés.

Last updated: June 2026.

2. Data Controller

The data controller is Unveil Technology, France. Contact for any data-protection inquiry: [email protected].

3. Information We Collect

We collect only what is strictly necessary to operate the Services:

  • Account data: email address, password hash (Argon2id), display name, optional 2FA TOTP secret.
  • Domain ownership records: domains you have verified, the verification token, the verification method (DNS TXT or /.well-known/).
  • Scan data: target domain or IP, scan profile, results (findings, score, raw_data per checker), scheduling configuration, alert rules.
  • Audit log: a forensic, append-only record of sensitive actions you perform (scan start, schedule change, alert rule change, TOTP enroll/disable, suppression upsert) — captures action name, IP address, user-agent, timestamp.
  • Visit tracking: page path, IP address (used to derive country & city via local MaxMind GeoLite2, never sent to a third party), user-agent, timestamp.
  • Cookies: a session cookie __Host-unveilscan_session (HttpOnly, Secure, SameSite=Lax) and a CSRF cookie __Host-unveilscan_csrf. No third-party tracking pixels, no advertising cookies.

4. What We Do NOT Collect or Store

  • Raw secrets discovered during Recon scans — AWS keys, GitHub tokens, Stripe keys, PEM private keys, database connection strings and the 35+ other patterns we detect are immutably redacted server-side at the moment of detection (format <4 first>****<4 last>, or **** for short tokens, or only the PEM header line for private keys). The raw secret is never written to our database, never logged, never transmitted in alerts, never exported. We notify you that a leak exists; the original value lives only at its public source (typically a GitHub repo).
  • Browser fingerprints, advertising identifiers, third-party trackers.
  • Payment-card numbers — payments (when activated) will be processed by Stripe; we never see your card details.

5. Legal Basis for Processing

  • Performance of contract (GDPR art. 6(1)(b)): account, scan execution, scheduling, alerting.
  • Legitimate interest (art. 6(1)(f)): rate limiting, fraud prevention, audit log retention, ownership re-verification, anonymous visit tracking for service improvement.
  • Legal obligation (art. 6(1)(c)): retention of billing records once Stripe is activated.

6. Data Retention

  • Active accounts: data retained for the duration of the account.
  • Scan history: per plan (30 days on Free / Starter, 12 months on Pro, 3 years on Business).
  • Audit log: 3 years (Business plan) or duration of the account on lower tiers.
  • Visit logs: 90 days rolling.
  • Account deletion: data is permanently removed within 30 days of your request, except minimal records required by accounting law (invoices, kept 10 years per French Code de commerce art. L123-22).

7. Hosting and Sub-processors

UnveilScan does not use Shodan, SecurityTrails, Censys, or any opaque US-based attack-surface vendor in the data path. Public sources we query are: crt.sh (Certificate Transparency, DigiCert/Sectigo), OSV.dev (Google), RIPEstat (RIPE NCC), hstspreload.org (Google), AbuseIPDB feed (mirrored locally), MaxMind GeoLite2 (local files, no live calls), Spamhaus / Barracuda DNSBLs (DNS lookups via Quad9). The GitHub Code Search API is queried with a server-side PAT for the Recon profile.

8. Security

Passwords are hashed with Argon2id (RFC 9106 parameters: t=3, m=64 MiB, p=4). Sessions and CSRF tokens are stored in __Host-prefixed cookies. 2FA via TOTP (RFC 6238) is available with recovery codes. Webhooks emitted by alerting are HMAC-SHA256 signed. The audit log is append-only.

9. Your Rights (GDPR Articles 15–22)

You have the right to:

  • Access the personal information we hold about you (art. 15) — contact [email protected].
  • Rectify inaccurate data (art. 16).
  • Request erasure (art. 17, "right to be forgotten") — account deletion is self-service from the security page of the console.
  • Restrict processing (art. 18) or object (art. 21).
  • Data portability (art. 20) — the JSON / CSV exports of your scan history fulfil this right.
  • Lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL, France) or your national data-protection authority.

10. Cookies

We use only first-party cookies that are strictly necessary for the service to function:

  • __Host-unveilscan_session — authentication, expires with session.
  • __Host-unveilscan_csrf — CSRF protection, paired with the session.

No analytics cookies, no marketing cookies, no consent banner required (ePrivacy art. 5(3) "strictly necessary" exemption).

11. Changes to This Policy

We may update this policy as the product evolves. The "Last updated" date at the top of section 1 reflects the most recent change. Significant changes will be communicated to active users by email.

12. Contact

Questions about this Privacy Policy or about your personal data: [email protected].