Privacy Policy

1. Data We Collect

• Account data: email address, display name, Firebase UID
• Scan data: URLs you submit, scan results, security findings, scores
• Billing data: Stripe customer ID, subscription status (we do not store card numbers)
• Usage data: scan counts, feature usage, timestamps
• Technical data: IP address, browser type (for security and fraud prevention)

2. How We Use Your Data

• Provide and improve the scanning service
• Send scan completion notifications and weekly security digests (opt-out available)
• Process payments via Stripe
• Detect abuse and enforce our Terms of Service
• Aggregate, anonymised analytics to improve scan accuracy

3. Data Retention

Scan results are retained for 12 months on free plans and indefinitely on paid plans. You can delete individual scans or your entire account at any time from Settings.

4. Third-Party Services

• Firebase Auth — authentication
• Stripe — payment processing
• Sentry — error monitoring (anonymised)
• PostHog — product analytics (anonymised, no PII)

5. Your Rights (GDPR / CCPA)

You have the right to access, correct, or delete your personal data. You can exercise these rights from the Settings page (Danger Zone) or by emailing privacy@hexalian.com.

6. Cookies

We use two categories of cookies:

• Essential cookies — Required for the service to function (session management, authentication). These are always active and cannot be disabled.
• Analytics cookies — Anonymous usage data collected via PostHog to improve the product. No personally identifiable information is stored. These are only activated with your consent.

You can change your cookie preferences at any time by clicking the cookie icon at the bottom of any page.

7. Security

All data is encrypted in transit (TLS 1.3) and at rest. We follow industry best practices including regular security audits — we literally scan ourselves.

8. Contact

Privacy questions or GDPR/CCPA rights requests? Email privacy@hexalian.com or visit our contact page.