Privacy Policy

Last updated: February 26, 2026

1. Who We Are

unpwned (“we”, “us”, “our”) operates the security scanning platform at unpwned.io. This Privacy Policy explains what data we collect, how we use it, how long we keep it, and your rights over it. It applies to all users worldwide, including those in the European Economic Area (EEA) covered by the GDPR.

For privacy inquiries, contact us at support@unpwned.io.

2. Data We Collect

2.1 Account Data

  • Email address (required to create an account)
  • Name or display name (optional, if provided)
  • Authentication provider (email/password, Google OAuth)
  • Subscription tier and billing history via PayPal

2.2 Scan Data

  • Domain names you submit for scanning
  • Raw scan results returned by third-party security APIs
  • AI-generated reports and vulnerability summaries
  • Monitor configurations (frequency, alert thresholds)

2.3 Usage Data

  • Pages visited, features used, and time spent in the app
  • IP address and approximate geographic location
  • Browser type, device type, and operating system
  • Referral source (how you found unpwned)

2.4 Communications

  • Emails you send to our support address
  • Alert and notification preferences

3. How We Use Your Data

We use the data we collect to:

  • Provide and operate the scanning and monitoring service.
  • Send security alerts, scan completion notifications, and product updates.
  • Process subscription payments and manage billing via PayPal.
  • Improve the accuracy of AI-generated reports and platform performance.
  • Detect and prevent fraud, abuse, and security threats to the platform.
  • Respond to support requests and communicate with you.
  • Comply with legal obligations.

We do not sell your personal data or scan results to third parties. We do not use your data for advertising purposes.

4. Third-Party Services

To provide the service, we share limited data with the following categories of third parties:

  • Security data APIs — we send domain names to external security APIs (e.g., VirusTotal, SSL Labs, HaveIBeenPwned) to retrieve scan data. Those providers have their own privacy policies.
  • Supabase — our primary database and authentication provider. Data is stored in EU-region infrastructure.
  • PayPal — payment processing. We do not store full card or bank details.
  • Vercel — application hosting and edge delivery.
  • OpenAI / AI providers — scan data may be sent to AI APIs to generate plain-English reports. Where a provider offers opt-out controls, we use them so that your data is not used to train third-party AI models.

5. Data Retention

  • Account data — retained for the duration of your account and deleted within 30 days of account deletion.
  • Scan results & reports — retained while your account is active. After account deletion, scan data is purged within 90 days.
  • Usage / analytics data — retained in aggregated, anonymized form for up to 24 months.
  • Billing records — retained for 7 years to comply with financial regulations.

6. Cookies & Tracking

We use strictly necessary cookies for authentication session management. We may use lightweight analytics (e.g., page-view counts) that do not identify you personally. We do not use advertising cookies or third-party tracking pixels.

7. Your Rights (GDPR & Beyond)

If you are located in the EEA, UK, or another jurisdiction with data protection rights, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request correction of inaccurate data.
  • Deletion — request erasure of your personal data (“right to be forgotten”).
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Restriction — request that we restrict processing in certain circumstances.

To exercise any of these rights, email us at support@unpwned.io. We will respond within 30 days. Account deletion can also be initiated directly from the account settings page.

8. Data Security

We implement industry-standard security measures including encryption at rest and in transit (TLS 1.2+), row-level security on all database tables, and access controls limited to authorized personnel. However, no system is 100% secure. In the event of a data breach that affects your personal data, we will notify you as required by applicable law.

9. Children’s Privacy

unpwned is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-app notice at least 14 days before the change takes effect. The “last updated” date at the top reflects the most recent revision.

11. Contact

For privacy concerns, data requests, or questions about this policy, contact us at: support@unpwned.io