Privacy Policy

Effective Date: March 30, 2026

1. Introduction

Cipherline LLC (“Company”, “we”, “us”, “our”) operates the XploitScan platform. We believe privacy is a right, not a feature. This Privacy Policy explains what data we collect, what we do with it, and what we don’t do with it. We’ve written this in plain language because we think you should actually be able to understand your privacy policy. This Privacy Policy works together with our Terms of Service, which governs your use of the Service.

2. What We Collect

We collect the following types of data:

  • Account Information: When you sign up, we receive your name, email address, and profile information through Clerk, our authentication provider.
  • Scan Metadata: We store information about your scans including the date, time, number of findings, severity levels, file paths, line numbers, fix suggestions, compliance control mappings, and the types of vulnerabilities detected. This lets us show you your scan history and compliance coverage and track trends over time.
  • Usage Statistics: We collect general usage data such as how often you use the Service, which features you use, and how you interact with scan results. This helps us improve XploitScan.
  • Billing Information: If you subscribe to a paid plan, Stripe processes your payment information. We store your subscription plan type, billing interval (monthly or annual), and subscription status in our database. We do not store your credit card number or full payment details on our servers.
  • Team Data: If you are a Team plan owner or member, we store team membership information including email addresses of invited members, assigned roles, invitation status, and team association.
  • Audit Logs: We log account-related actions (such as subscription changes, team invitations, and role modifications) for security and accountability purposes. Audit logs include the user ID, action type, timestamp, and relevant details.
  • Referral Data: The referral program is available to users with active Pro or Team subscriptions who hold owner or admin roles. If you participate, we store your unique referral code, the user IDs of users you referred, and whether those referrals resulted in paid subscriptions. Referral rewards are applied as Stripe balance credits to your account based on conversions.
  • Webhook Configuration: If you configure webhook integrations, we store your Slack and/or Discord webhook URLs. Webhook URLs must be valid HTTPS URLs from approved domains (Slack and Discord only).
  • Notification Preferences: We store your email notification preferences (such as scan completion alerts, trial reminders, and weekly digests) so we can respect your communication choices.
  • Error Data: We collect application error reports through Sentry to identify and fix bugs. This may include browser type, operating system, IP address, and the page URL where an error occurred. It does not include your source code or scan content.

3. What We Do NOT Collect

This is just as important as what we do collect:

  • We do not store your source code. When you submit code for scanning, it is processed in memory and immediately deleted. Your code is never written to disk, saved in a database, or retained in any form.
  • We do not sell your personal information. We do not sell, rent, or share your personal information with third parties for marketing or advertising purposes. This applies to all users, regardless of location.
  • We do not use your data to train AI models. XploitScan uses AI to analyze code for vulnerabilities and map compliance controls. We do not use your source code, scan results, or any personal data to train machine learning models or large language models (LLMs).
  • We do not track you across other websites.

4. How We Use Your Data

We use the data we collect to:

  • Provide and operate the XploitScan scanning service
  • Display your scan history, vulnerability trends, and compliance coverage
  • Process payments and manage your subscription (including plan changes and proration)
  • Send you important service updates, security notifications, and transactional emails in accordance with your notification preferences
  • Manage team membership, invitations, and role-based access
  • Improve the accuracy and performance of our scanning engine
  • Monitor and fix errors in the Service
  • Maintain audit logs for security and accountability
  • Respond to your support requests
  • Comply with legal obligations

5. Team Data Sharing

If you are part of a team on XploitScan, your scan results (including project names, grades, scores, and finding summaries) may be visible to other members of your team. The team owner controls team membership and can add or remove members. By accepting a team invitation, you consent to sharing your scan data with other team members. If you leave or are removed from a team, your historical scan data will no longer be accessible to that team. If a team owner downgrades from Team to Pro, all team members are deactivated and lose access to shared team data.

6. Email Communications

We send the following types of emails:

  • Transactional (required): Welcome emails, billing confirmations, team invitations, security breach notifications, and Terms/Privacy updates. You cannot opt out of these.
  • Notifications (optional): Scan completion alerts, trial ending reminders, and weekly digests. You can manage these through your notification preferences in Settings.

We use a third-party email delivery service to send emails. Unsubscribe options are available in your account settings for all optional email types.

7. Third-Party Services

We use the following third-party services to operate XploitScan. Each has its own privacy policy:

  • Clerk — Authentication and user management. Handles sign-up, sign-in, and session management. Receives your email address and profile information.
  • Stripe — Payment processing. Handles all billing for paid subscriptions, including plan changes and proration. Receives your payment information directly; we never see your full card details.
  • Database hosting provider — Our application data (account info, scan metadata, results, team data) is stored with a trusted database provider. Source code is never stored in the database.
  • Application hosting provider — Our web application is hosted on a cloud platform that may collect standard server logs including IP addresses and request data. We use aggregate analytics for performance monitoring.
  • Email delivery service — We use a third-party service to send transactional emails such as welcome emails, scan notifications, team invitations, and trial reminders. They receive recipient email addresses and email content.
  • Error monitoring service — We use a third-party service to identify and fix bugs. This may include browser information, IP addresses, and error stack traces. It does not include your source code.

8. International Data Transfers

XploitScan is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your data may be transferred to, stored, and processed in the United States where our servers and third-party service providers are located. By using the Service, you consent to the transfer of your data to the United States. We rely on standard contractual clauses and the data processing agreements of our sub-processors to ensure appropriate safeguards for international data transfers.

9. Data Retention

We retain your data as follows:

  • Account data: Retained as long as your account is active. Deleted within 30 days of account closure.
  • Scan metadata and results: For paid plan (Pro/Team) subscribers, retained as long as your account is active. For free plan users, scan data is automatically deleted after 90 days. You can delete individual scans at any time.
  • Source code: Never retained. Processed in memory and immediately deleted after scanning.
  • Team data: Team membership records are retained as long as the team is active. When a member is removed or the team is dissolved, membership records are deleted within 30 days.
  • Audit logs: Retained for 180 days for security and accountability purposes, then automatically deleted.
  • Shared checklists: Shared checklist links and their associated data expire and are automatically deleted after 30 days.
  • Referral data: Referral codes and referral tracking records are retained as long as your account is active.
  • Payment records: Retained as required by tax and financial regulations, typically 7 years.
  • Error logs: Retained for a limited period for debugging purposes, then automatically deleted.

10. Cookies and Tracking

We use the following cookies and tracking technologies:

  • Authentication cookies: Required for sign-in and session management. These are strictly necessary for the Service to function.
  • Analytics: Collects aggregate, anonymous page view and performance data. Does not use cookies for cross-site tracking.
  • Error monitoring: May use a session identifier to group error reports. Does not track you across other sites.

We do not use advertising cookies or retargeting pixels, and we do not share cookie data with advertisers.

11. Security Measures

We take security seriously (we are a security company, after all). Our measures include:

  • All data transmitted to and from XploitScan is encrypted using TLS/HTTPS
  • Source code is processed in isolated, ephemeral environments and never persisted
  • Access to production systems is restricted and audited
  • Authentication is handled by Clerk, an industry-leading auth provider
  • Payment data is handled entirely by Stripe, a PCI-compliant processor
  • Application errors are monitored via Sentry for rapid incident response
  • We conduct regular security reviews of our own infrastructure

While we work hard to protect your data, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify affected users within 72 hours of becoming aware of the breach, and we will notify any applicable regulatory authorities as required by law.

12. Your Rights

You have the right to:

  • Access your data: Request a copy of all personal data we hold about you.
  • Export your data: Download your scan history and account information in a portable format.
  • Delete your data: Request deletion of your account and all associated data. We will process deletion requests within 30 days.
  • Correct your data: Update or correct any inaccurate personal information.
  • Withdraw consent: Where we rely on your consent for data processing, you can withdraw it at any time.
  • Manage email preferences: Opt out of non-essential email notifications through your account settings at any time.

To exercise any of these rights, contact us at admin@xploitscan.com.

13. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

  • Right to Know: You have the right to know what personal information we collect, use, and disclose about you.
  • Right to Delete: You have the right to request deletion of your personal information.
  • Right to Opt Out: You have the right to opt out of the sale of your personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

We do NOT sell personal information. We do not share personal information for cross-context behavioral advertising purposes. To exercise any of these rights, contact us at admin@xploitscan.com.

14. European Users (GDPR)

If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR), including:

  • Data Portability: The right to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to Restrict Processing: The right to request that we limit the processing of your personal data.
  • Right to Object: The right to object to the processing of your personal data.
  • Right to Erasure: The right to request deletion of your personal data (“right to be forgotten”).

Our legal basis for processing your personal data is contract performance (providing the Service) and legitimate interests (improving the Service and ensuring security). We maintain data processing agreements with our sub-processors to ensure appropriate data protection standards. You can exercise your rights by contacting us at admin@xploitscan.com, and you may also lodge a complaint with your local data protection authority.

15. Children’s Privacy

XploitScan is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from individuals under 18. If we learn that we have collected data from a person under 18, we will delete it promptly.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email or through the Service and update the effective date at the top of this page. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

17. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact Cipherline LLC at admin@xploitscan.com.