Privacy Policy

1. Introduction

Cipherline LLC (“Company”, “we”, “us”, “our”) operates the XploitScan platform. We believe privacy is a right, not a feature. This Privacy Policy explains what data we collect, what we do with it, and what we don’t do with it. We’ve written this in plain language because we think you should actually be able to understand your privacy policy. This Privacy Policy works together with our Terms of Service, which governs your use of the Service.

2. What We Collect

We collect the following types of data:

• Account Information: When you sign up, we receive your name, email address, and profile information through Clerk, our authentication provider.
• Scan Metadata: We store information about your scans including the date, time, number of findings, severity levels, file paths, line numbers, fix suggestions, compliance control mappings, and the types of vulnerabilities detected. This helps us show you your scan history, compliance coverage, and track trends.
• Usage Statistics: We collect general usage data such as how often you use the Service, which features you use, and how you interact with scan results. This helps us improve XploitScan.
• Billing Information: If you subscribe to a paid plan, Stripe processes your payment information. We store your subscription plan type, billing interval (monthly or annual), and subscription status in our database. We do not store your credit card number or full payment details on our servers.
• Team Data: If you are a Team plan owner or member, we store team membership information including email addresses of invited members, assigned roles, invitation status, and team association.
• Audit Logs: We log account-related actions (such as subscription changes, team invitations, and role modifications) for security and accountability purposes. Audit logs include the user ID, action type, timestamp, and relevant details.
• Referral Data: The referral program is available to users with active Pro or Team subscriptions who hold owner or admin roles. If you participate, we store your unique referral code, the user IDs of users you referred, and whether those referrals resulted in paid subscriptions. Referral rewards are applied as Stripe balance credits to your account based on conversions.
• Webhook Configuration: If you configure webhook integrations, we store your Slack and/or Discord webhook URLs. Webhook URLs must be valid HTTPS URLs from approved domains (Slack and Discord only).
• Notification Preferences: We store your email notification preferences (such as scan completion alerts, trial reminders, and weekly digests) so we can respect your communication choices.
• Error Data: We collect application error reports through Sentry to identify and fix bugs. This may include browser type, operating system, IP address, and the page URL where an error occurred. It does not include your source code or scan content.
• Free Trust Page Data: If you create a Free Trust Page at xploitscan.com/free-trust-page (no account required), we store the company name, optional website URL, optional self-attested policy fields (privacy policy URL, security contact email, data retention text, incident response text, subprocessors list), and self-attested compliance flags you choose to publish. We also store the email address you provide so we can send you the confirmation email containing your edit and claim links. Free Trust Page content is user-generated; we do not verify the accuracy of any field you enter, including company affiliation.
• Rate-Limit Fingerprint: When you create a Free Trust Page anonymously we compute a SHA-256 hash of your IP address combined with your browser’s User-Agent string. We store the truncated hash (not the raw IP or User-Agent) only to enforce the daily creation cap and discourage abuse. The hash is not linked to your identity and cannot be reversed back to your IP address. Signed-in users bypass this hashing entirely.
• Claim Session Cookie: When you click a “claim this page” link, we set a short-lived (30-minute) HTTP-only cookie named xs_pending_claim containing the slug and claim token of the page being claimed. The cookie is removed automatically when the claim completes or expires. It is never used for analytics, tracking, or any purpose other than binding the page to your new account.

3. What We Do NOT Collect

This is just as important as what we do collect:

• We do not store your source code. When you submit code for scanning, it is processed in memory and immediately deleted. Your code is never written to disk, saved in a database, or retained in any form by XploitScan. Note: when AI-powered analysis is enabled, small excerpts (10-20 lines around each finding) are sent to our AI provider (Anthropic) for contextual review and false positive filtering. See Section 7 for details on third-party processing.
• We do not sell your personal information. We do not sell, rent, or share your personal information with third parties for marketing or advertising purposes. This applies to all users, regardless of location.
• We do not use your data to train AI models. XploitScan uses AI to analyze code for vulnerabilities and map compliance controls. We do not use your source code, scan results, or any personal data to train machine learning models or large language models (LLMs).
• We do not track you across other websites.
• The XploitScan MCP server does not phone home. Our published Model Context Protocol server (xploitscan-mcp on NPM) runs entirely locally over stdio inside your MCP client (Claude Desktop, Cursor, Windsurf, Continue, Cline, Zed). It makes zero network calls during scanning, sends no telemetry, and never transmits your code outside your machine. The NPM package itself is downloaded once from the public NPM registry the first time you invoke it, then cached locally.

4. How We Use Your Data

We use the data we collect to:

• Provide and operate the XploitScan scanning service
• Display your scan history, vulnerability trends, and compliance coverage
• Process payments and manage your subscription (including plan changes and proration)
• Send you important service updates, security notifications, and transactional emails in accordance with your notification preferences
• Manage team membership, invitations, and role-based access
• Improve the accuracy and performance of our scanning engine
• Monitor and fix errors in the Service
• Maintain audit logs for security and accountability
• Respond to your support requests
• Comply with legal obligations

5. Team Data Sharing

If you are part of a team on XploitScan, your scan results (including project names, grades, scores, and finding summaries) may be visible to other members of your team. The team owner controls team membership and can add or remove members. By accepting a team invitation, you consent to sharing your scan data with other team members. If you leave or are removed from a team, your historical scan data will no longer be accessible to that team. If a team owner downgrades from Team to Pro, all team members are deactivated and lose access to shared team data.

6. Email Communications

We send the following types of emails:

• Transactional (required): Welcome emails, billing confirmations, team invitations, security breach notifications, and Terms/Privacy updates. You cannot opt out of these.
• Notifications (optional): Scan completion alerts, trial ending reminders, and weekly digests. You can manage these through your notification preferences in Settings.

We use a third-party email delivery service to send emails. Unsubscribe options are available in your account settings for all optional email types.

7. Third-Party Services

We use the following third-party services to operate XploitScan. Each has their own privacy policy:

• Clerk — Authentication and user management. Handles sign-up, sign-in, and session management. Receives your email address and profile information.
• Stripe — Payment processing. Handles all billing for paid subscriptions, including plan changes and proration. Receives your payment information directly; we never see your full card details.
• Database hosting provider — Our application data (account info, scan metadata, results, team data) is stored with a trusted database provider. Source code is never stored in the database.
• Application hosting provider — Our web application is hosted on a cloud platform that may collect standard server logs including IP addresses and request data. We use aggregate analytics for performance monitoring.
• Email delivery service — We use a third-party service to send transactional emails such as welcome emails, scan notifications, team invitations, and trial reminders. They receive recipient email addresses and email content.
• Error monitoring service — We use a third-party service to identify and fix bugs. This may include browser information, IP addresses, and error stack traces. It does not include your source code.
• Anthropic (AI analysis) — When AI-powered features are enabled (false positive filtering and contextual analysis during scanning), excerpts of your source code relevant to specific scan findings are sent to Anthropic’s API for analysis. Anthropic processes this code as a data processor on our behalf. Per Anthropic’s API terms, submitted content is not used to train their models and is retained only as long as needed to provide the response. Only the specific code regions around each finding (typically 10-20 lines) are sent, not entire files. This processing happens in real time during the scan and is not stored by Anthropic long-term. If you have strict data residency requirements that prohibit sending code to third-party AI providers, contact us about running scans without the AI features enabled.

8. International Data Transfers

XploitScan is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your data may be transferred to, stored, and processed in the United States where our servers and third-party service providers are located. By using the Service, you consent to the transfer of your data to the United States. We rely on standard contractual clauses and the data processing agreements of our sub-processors to ensure appropriate safeguards for international data transfers.

9. Data Retention

We retain your data as follows:

• Account data: Retained as long as your account is active. Deleted within 30 days of account closure.
• Scan metadata and results: For paid plan (Pro/Team) subscribers, retained as long as your account is active. For free plan users, scan data is automatically deleted after 90 days. You can delete individual scans at any time.
• Source code: Never retained. Processed in memory and immediately deleted after scanning.
• Team data: Team membership records are retained as long as the team is active. When a member is removed or the team is dissolved, membership records are deleted within 30 days.
• Audit logs: Retained for 180 days for security and accountability purposes, then automatically deleted.
• Shared checklists: Shared checklist links and their associated data expire and are automatically deleted after 30 days.
• Referral data: Referral codes and referral tracking records are retained as long as your account is active.
• Payment records: Retained as required by tax and financial regulations, typically 7 years.
• Error logs: Retained for a limited period for debugging purposes, then automatically deleted.

10. Cookies and Tracking

We use the following cookies and tracking technologies:

• Authentication cookies: Required for sign-in and session management. These are strictly necessary for the Service to function.
• Analytics: Collects aggregate, anonymous page view and performance data. Does not use cookies for cross-site tracking.
• Error monitoring: May use a session identifier to group error reports. Does not track you across other sites.

We do not use advertising cookies, retargeting pixels, or share cookie data with advertisers.

11. Security Measures

We take security seriously (we are a security company, after all). Our measures include:

• All data transmitted to and from XploitScan is encrypted using TLS/HTTPS
• Source code is processed in isolated, ephemeral environments and never persisted
• Access to production systems is restricted and audited
• Authentication is handled by Clerk, an industry-leading auth provider
• Payment data is handled entirely by Stripe, a PCI-compliant processor
• Application errors are monitored via Sentry for rapid incident response
• We conduct regular security reviews of our own infrastructure

While we work hard to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify affected users within 72 hours of becoming aware of the breach, as well as any applicable regulatory authorities as required by law.

12. Your Rights

You have the right to:

• Access your data: Request a copy of all personal data we hold about you.
• Export your data: Download your scan history and account information in a portable format.
• Delete your data: Request deletion of your account and all associated data. We will process deletion requests within 30 days.
• Correct your data: Update or correct any inaccurate personal information.
• Withdraw consent: Where we rely on your consent for data processing, you can withdraw it at any time.
• Manage email preferences: Opt out of non-essential email notifications through your account settings at any time.

To exercise any of these rights, contact us at admin@xploitscan.com.

13. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

• Right to Know: You have the right to know what personal information we collect, use, and disclose about you.
• Right to Delete: You have the right to request deletion of your personal information.
• Right to Opt Out: You have the right to opt out of the sale of your personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

We do NOT sell personal information. We do not share personal information for cross-context behavioral advertising purposes. To exercise any of these rights, contact us at admin@xploitscan.com.

14. European Users (GDPR)

If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR), including:

• Data Portability: The right to receive your personal data in a structured, commonly used, and machine-readable format.
• Right to Restrict Processing: The right to request that we limit the processing of your personal data.
• Right to Object: The right to object to the processing of your personal data.
• Right to Erasure: The right to request deletion of your personal data (“right to be forgotten”).

Our legal basis for processing your personal data is contract performance (providing the Service) and legitimate interests (improving the Service and ensuring security). We maintain data processing agreements with our sub-processors to ensure appropriate data protection standards. You can exercise your rights by contacting us at admin@xploitscan.com or lodge a complaint with your local data protection authority.

15. Connecticut Residents (CTDPA)

If you are a Connecticut resident, the Connecticut Data Privacy Act (CTDPA), effective July 1, 2026, provides you with the following rights regarding your personal data:

• Right to Access: You have the right to confirm whether we are processing your personal data and to obtain a copy of that data.
• Right to Correct: You have the right to correct inaccuracies in your personal data.
• Right to Delete: You have the right to request deletion of personal data you have provided or that we have collected about you.
• Right to Data Portability: You have the right to obtain a copy of your personal data in a portable, readily usable format.
• Right to Opt Out: You have the right to opt out of the processing of your personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. We do not sell personal data, engage in targeted advertising, or use automated profiling for consequential decisions, so this right is not currently applicable — but we will respect opt-out requests if our practices change.

Automated Processing Disclosure: XploitScan uses automated analysis (including AI/ML techniques) to scan your code for security vulnerabilities and map findings to compliance controls. This processing is performed on code you voluntarily submit for scanning. We do not use automated processing to make decisions that produce legal or similarly significant effects about you as a person.

Response Timeline: We will respond to verified requests within 45 days of receipt. If we require additional time (up to 45 additional days), we will notify you of the extension and the reason within the initial 45-day period.

Appeal Process: If we decline to act on your request, we will notify you within 45 days with the reason for our decision. You may appeal that decision by emailing admin@xploitscan.com with the subject line “CTDPA Appeal” and a description of your original request and why you believe it should be granted. We will respond to appeals within 60 days. If your appeal is denied, you may contact the Connecticut Attorney General’s office at portal.ct.gov/AG.

To submit a data rights request, contact us at admin@xploitscan.com with the subject line “CTDPA Request”. We may need to verify your identity before processing your request.

16. Children’s Privacy

XploitScan is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from individuals under 18. If we learn that we have collected data from a person under 18, we will delete it promptly.

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email or through the Service and update the effective date at the top of this page. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

18. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact Cipherline LLC at admin@xploitscan.com.