Privacy Policy
Last updated: May 22, 2026
1. Who We Are
unpwned (“we”, “us”, “our”) operates the security scanning platform at unpwned.io. This Privacy Policy explains what data we collect, how we use it, how long we keep it, and your rights over it. It applies to all users worldwide, including those in the European Economic Area (EEA) covered by the GDPR.
UNPWNED, operated by Raz Azulay as an Israeli sole proprietor (osek patur), is the data controller for personal data collected through this service. Location: Israel. Contact: [email protected]. Third-party service providers listed in Section 4 process data on our behalf or as independent providers according to their role, service terms, and applicable data processing terms.
EU Representative (GDPR Art. 27)
If you are located in the EU/EEA and wish to contact us regarding data protection matters, please email [email protected]. If GDPR Article 27 requires us to designate an EU representative and no exemption applies, representative details will be published here when designated.
2. Data We Collect
2.1 Account Data
- Email address (required to create an account)
- Name or display name (optional, if provided)
- Authentication provider (email/password, Google OAuth)
- Subscription tier and billing history via Freemius
- Marketing attribution data: how you found our site (UTM source, medium, campaign), first referrer URL, first landing page
2.2 Scan Data
- Domain names you submit for scanning
- Raw scan results returned by third-party security APIs
- AI-generated reports and vulnerability summaries
- Monitor configurations (frequency, alert thresholds)
2.3 Usage Data
- Pages visited, features used, and time spent in the app
- IP address and approximate geographic location
- Browser type, device type, and operating system
- Referral source (how you found unpwned)
2.4 Communications
- Emails you send to our support address
- Alert and notification preferences
2.5 GitHub Integration & Source Code Scanning
When you connect a GitHub repository for security scanning, we request the minimum OAuth scopes necessary to read file contents. The following principles govern how your source code is handled:
- Source code accessed via GitHub is scanned in memory and never stored on our servers.
- We request the repo scope solely to read file contents for security scanning. We never write to, modify, fork, or retain your source code.
- Your GitHub OAuth token is encrypted at rest using AES-256-GCM and is used exclusively to perform the scan you initiated.
- No source code or file contents are forwarded to AI providers or any third-party service. Only derived security findings (e.g., vulnerability names, severity levels) may be processed as described in Section 4A.
2.8 Cloudflare Integration
When you connect a limited Cloudflare DNS token, we collect and store the following:
- Your Cloudflare API token, encrypted at rest using AES-256-GCM with a 256-bit key. The plaintext token is never stored, logged, or exposed in error reports.
- A log of all DNS modifications made through the integration, including: domain name, record type, record value, action taken (create/update/delete), Cloudflare zone ID, and timestamp. This audit log is retained for your records and legal compliance.
We do not access, store, or process: your Cloudflare account password, billing information, firewall rules, SSL certificates, Workers code, analytics data, or any Cloudflare service beyond DNS record management.
Your Cloudflare API token is used exclusively for the purposes you initiate: domain verification and DNS record fixes. The token is decrypted only in server-side memory at the moment of an API call and is discarded from memory immediately after. You can revoke access at any time by disconnecting in UNPWNED Settings or revoking the token in your Cloudflare dashboard.
2.6 Scan Authorization & Consent Records
Each time a user authorizes a security scan, we record a consent log entry that is separate from the scan results themselves. This log contains:
- Timestamp of authorization
- The authorizing user’s internal account identifier (UUID)
- A SHA-256 hash of the originating IP address
- A SHA-256 hash of the browser user-agent string
- The domain name submitted for scanning
For scheduled monitoring, we also store the monitor authorization source and reuse that authorization evidence when recurring monitoring scans are generated.
A separate audit log also records the action, the actor, and the originating IP address in plaintext for fraud prevention and legal defense purposes.
These records do not include scan results. Their sole purpose is to create a verifiable, tamper-evident audit trail that a scan was authorized by the account holder.
2.7 Public Lookup Data
When you use our public domain security lookup feature (which does not require account registration), we collect:
- The domain name you submit for lookup
- Your IP address (stored as a SHA-256 hash for anonymization)
- Browser type and approximate geographic location
- Timestamp of the lookup request
If you start a fresh public scan without creating an account, we also record an authorization audit entry containing the submitted domain, timestamp, a SHA-256 hash of your IP address, a SHA-256 hash of your browser user-agent string, and an internal source marker identifying the scan as a public check. This is used for abuse prevention, opt-out enforcement, and legal defense if a domain owner disputes authorization.
This data is collected under the legal basis of legitimate interest for the purposes of rate limiting, abuse prevention, and maintaining an audit trail. Public lookup results display only an aggregated security score, letter grade, and finding category titles. No detailed vulnerability descriptions, remediation instructions, or information identifying the domain owner or any previous scanner is shown.
Domain owners may request removal of their domain from public lookup results by contacting [email protected].
2.8 Advanced Security Assessment Data
When you request an Advanced Security Assessment, we collect the following data as part of the assessment lead and authorization process:
- Email address and domain submitted for assessment
- Optional message describing your security concerns
- Full legal name (from the authorization form)
- IP address and browser user-agent string (stored in plaintext for legal evidentiary purposes)
- Timestamp of authorization
The legal basis for processing this data is consent (Art. 6(1)(a) GDPR), obtained through the explicit authorization form you sign before assessment begins, and contractual necessity (Art. 6(1)(b) GDPR), as the assessment is a service you have requested. IP addresses and user-agent strings are stored in plaintext (not hashed) because these records may need to serve as evidence of written consent for active security testing, which requires a higher evidentiary standard than passive scanning.
2.9 Security Threat Intelligence
To protect our service and users, we operate automated threat detection systems that collect and process the following data from all visitors:
- IP addresses and request metadata (headers, paths, user agents)
- Behavioral patterns indicating automated scanning or attack activity
- Geographic location data (country, region, city, ISP) obtained via ip-api.com for threat assessment
- Classification of traffic patterns (e.g., known scanner signatures, suspicious request sequences)
This data is processed under our legitimate interest in maintaining service security (GDPR Art. 6(1)(f)). Threat data is retained for 30 days for routine events and up to 6 months for confirmed attack sessions. IP addresses associated with confirmed attacks may be blocked automatically. You may request review of any blocking decision by contacting [email protected].
2.10 Domain Scan Cache Log
When you request a scan, we record a cache log entry containing the root domain scanned, the original requested domain, your account identifier, and the request timestamp. This log allows us to deduplicate scan results across users (so a domain scanned recently can be served from cache without re-scanning), reduce load on third-party security APIs, and prevent abuse such as repeated scanning of the same target.
Only the most recent 24 hours of cache log entries are used for cache deduplication decisions. Older entries are retained for internal analytics, abuse detection, and scanner reliability measurement. This log is processed under our legitimate interest (Art. 6(1)(f) GDPR) in operating an efficient and abuse-resistant service. The cache log is never shared externally and is not used for advertising or sold to third parties.
2.11 Scan Telemetry
We collect technical telemetry data from security scans, including: detected frameworks and hosting platforms, security feature adoption (SSL, CSP, DMARC, etc.), vulnerability categories and counts, and security grade distributions. This data is used to improve our scanning accuracy and to publish aggregated, de-identified threat statistics. Internal telemetry may be linked to the underlying scan ID for de-duplication, debugging, abuse prevention, scanner reliability measurement, and opt-out handling. Public statistics and research do not identify the scanning account or publish raw scan output.
You may opt out of scan telemetry collection by contacting [email protected]. Opting out does not affect your access to platform features.
3. How We Use Your Data
We use the data we collect to:
- Provide and operate the scanning and monitoring service (Art. 6(1)(b) GDPR - contractual necessity).
- Send security alerts, scan completion notifications, and product updates (Art. 6(1)(f) GDPR - legitimate interest; Art. 6(1)(a) GDPR - consent for marketing communications).
- Process subscription payments and manage billing via Freemius (Art. 6(1)(b) GDPR - contractual necessity).
- Improve the accuracy of AI-generated reports and platform performance (Art. 6(1)(f) GDPR - legitimate interest).
- Detect and prevent fraud, abuse, and security threats to the platform (Art. 6(1)(f) GDPR - legitimate interest).
- Respond to support requests and communicate with you (Art. 6(1)(f) GDPR - legitimate interest).
- Analyze website usage and traffic sources via analytics and marketing attribution (Art. 6(1)(a) GDPR - consent).
- Comply with legal obligations (Art. 6(1)(c) GDPR - legal obligation).
We do not sell your personal data or scan results to third parties. We do not use your data for advertising purposes.
3.1 Scan Metadata in Communications
We may reference scan metadata (domain names and aggregate security scores) in product communications, support interactions, marketing materials, and case studies, in a manner that does not disclose vulnerability details, fix instructions, business impact analysis, or any of the protected report content described in our Terms of Service. Domain names and aggregate scores are derived from publicly observable HTTP responses that any internet user can reproduce independently. Users may opt out of being identified in such communications by contacting [email protected].
4. Third-Party Services
To provide the service, we share limited data with the following categories of third parties:
- Security data APIs: we send domain names to external security services (e.g., certificate transparency logs, CVE databases) to retrieve scan data. Those providers have their own privacy policies.
- Supabase: our primary database and authentication provider. Data is stored in EU-region infrastructure.
- Freemius: payment processing. We do not store full card or bank details.
- Vercel: application hosting and edge delivery.
- Anthropic (AI provider): see Section 4A below for a full disclosure of how AI processing works.
- Resend: transactional email delivery. Resend receives recipient email addresses and email content (e.g., scan completion notifications, security alerts) in order to deliver messages on our behalf.
- Sentry: application error monitoring. Sentry receives technical error data including stack traces, request URLs, and browser information. We do not explicitly attach user IDs or email addresses to error reports.
- Cloudflare: DNS, CDN, DDoS protection, and optional DNS management integration. All traffic to unpwned.io is proxied through Cloudflare’s network. Cloudflare processes IP addresses and request metadata as part of its infrastructure services. When you connect a limited Cloudflare DNS token, UNPWNED communicates with the Cloudflare API (api.cloudflare.com) using your encrypted API token to list zones, read DNS records, and create or delete DNS records as described in Section 2.8 above and in our Terms of Service Section 4b. All API calls are made server-side; your token is never sent to the browser. Cloudflare’s privacy policy governs their processing of data within their infrastructure.
- ip-api.com: IP geolocation and threat assessment. IP addresses are sent to ip-api.com for geographic location lookup and VPN/proxy/Tor detection as part of our threat intelligence system.
Where required and available, we rely on Data Processing Agreements, provider data processing terms, Standard Contractual Clauses, or equivalent safeguards with third-party service providers. Some providers may act as independent controllers for limited processing they perform under their own terms, such as payment, fraud prevention, tax, infrastructure security, or legal compliance.
4A. AI Processing: Full Disclosure
What we send to AI providers
To generate human-readable fix suggestions, we transmit a narrow subset of scan output to AI providers (currently Anthropic, via the Claude API). This includes:
- The domain name submitted for scanning
- Vulnerability names and severity classifications
- Domain structure metadata (e.g., subdomain count, detected technologies)
- Security header names and their current values or absence
- Generic CVE identifiers and CVSS scores where applicable
We do not send your name, email address, account ID, billing information, or any other personal data to AI providers. The payload is limited to technical, domain-level security findings.
Purpose and legal basis
The purpose of this processing is to convert raw, technical scan output into plain-English remediation guidance. The legal basis is contractual necessity (Art. 6(1)(b) GDPR), as AI-generated fix suggestions are a core feature of the paid service you have subscribed to.
Model training
UNPWNED does not permit AI providers to use data submitted via our API calls for model training or improvement purposes, to the extent this is guaranteed by our contractual agreements, provider API terms, or data processing terms with those providers. If a provider’s terms change in a way that affects this commitment, we will notify users in advance of any such change taking effect where required by law or by these Terms.
Data retention by AI providers
Data transmitted to AI providers is ephemeral. To the extent guaranteed by our contractual agreements, AI providers do not persistently store request payloads beyond the scope of a single API call. We do not control AI providers’ internal infrastructure but rely on their published API data handling terms and applicable data processing terms.
Opting out of AI-generated suggestions
You may opt out of AI-generated fix suggestions at any time by contacting us at [email protected]. If you opt out, your scans will continue to run and results will still be displayed. You will simply not receive AI-generated remediation text. No scan data will be sent to AI providers on your behalf after your opt-out is applied.
5. Cross-Border Data Transfers
Your personal data may be transferred to and processed in countries outside your country of residence, including the United States. Below is how each service provider handles your data geographically:
- Supabase: EU region (eu-central-1) - data remains in the European Union.
- Vercel: global edge network, with data processing in the United States.
- Anthropic (Claude API): United States.
- Resend: United States.
- Sentry: United States.
- Cloudflare: global network.
- Freemius: United States / European Union.
- ip-api.com: processing location varies by endpoint.
Where data is transferred outside the European Economic Area, we rely on Standard Contractual Clauses (SCCs), Data Processing Agreements, provider data processing terms, adequacy decisions, or other lawful transfer safeguards as applicable. Israel has been granted an adequacy decision by the European Commission, facilitating lawful transfers between the EU and Israel. We do not rely on consent as the primary legal basis for international transfers.
6. Data Retention
- Account data: retained for the duration of your account and deleted within 30 days of account deletion.
- Scan results & reports: retained while your account is active. After account deletion, scan data is purged within 90 days.
- Usage / analytics data: retained in aggregated, anonymized form for up to 24 months.
- Billing records: retained for 7 years to comply with financial regulations.
- Scan authorization & consent logs: retained for 5 years from the date of the scan, as required for legal defense purposes (consistent with our Terms of Service Section 3a). These logs are retained even after account deletion to support legal compliance, fraud prevention, and legal defense in the event of a dispute. If your account is deleted, we may retain a minimal authorization snapshot containing the domain, scan ID, declaration timestamp, declaration source, and hashed IP/user-agent values. Deletion of consent logs cannot be actioned while any active legal dispute involving the relevant account or scan is pending.
- Monitoring authorization records: retained for 5 years from the date the scheduled monitor is created or last used to generate a recurring scan. These records contain the domain, authorization timestamp, authorization source, and hashed IP/user-agent values needed to prove recurring scan authorization.
- Advanced Assessment authorization records: retained for 5 years from the date of authorization. These records are retained even after account deletion because they document explicit written consent for active security testing, which carries heightened legal significance. The extended retention period reflects the statute of limitations for potential claims related to authorized penetration testing and security assessments.
- Threat intelligence data: routine events retained for 30 days; confirmed attack sessions retained for up to 6 months.
- Cloudflare API tokens: retained in encrypted form until you disconnect the integration or delete your account. Upon disconnection or account deletion, the encrypted token is permanently deleted from our database. DNS modification audit logs are retained for 2 years for compliance and dispute resolution purposes.
7. Cookies & Tracking
We use the following categories of cookies and tracking technologies. Non-essential cookies are only activated after you accept via our cookie consent banner.
Strictly necessary cookies:
- Authentication session tokens to keep you logged in
Analytics (consent required):
- Vercel Web Analytics and Speed Insights: pageview counts, device type, country, referrer, and performance metrics. These tools are only activated after you accept analytics cookies via our consent banner.
- Marketing attribution cookie (unpwned_utm, 30 days): stores how you found our site (e.g., which platform or campaign link you clicked). Only activated after you accept analytics cookies via our consent banner.
- First-party analytics identifiers: a pseudonymous device ID in localStorage and a session ID in sessionStorage, used only for internal attribution, retention, and funnel analysis. These identifiers are deleted when you withdraw analytics consent.
Advertising (consent required):
- Meta Pixel: conversion tracking for Facebook/Instagram advertising. Only loaded after you accept cookies.
- Google Ads tag: conversion measurement and campaign attribution for Google advertising. It is configured with Google Consent Mode and advertising storage is denied unless you accept advertising cookies.
We do not use Google Analytics, cross-site fingerprinting, or hidden advertising tracking. If you accept advertising cookies, Meta Pixel and Google Ads may receive limited conversion events for advertising measurement as described above. You can opt out at any time through Cookie Settings, the Do Not Sell or Share link, or a Global Privacy Control signal.
We recognize and honor the Global Privacy Control (GPC) browser signal. When we detect a GPC signal (navigator.globalPrivacyControl), we automatically disable non-essential tracking cookies including advertising cookies, without requiring additional action from you.
Session cookies are deleted when you log out or when the session expires. You can change your cookie preferences at any time using the Cookie Settings link in our website footer. You can also withdraw consent by clearing your browser cookies or declining when the consent banner reappears.
8. Audit & Consent Logs
When you authorize a security scan, we record a consent log entry to create a verifiable audit trail. This practice serves the following purposes and legal bases:
- Fraud prevention: confirming that scans were initiated by authorized account holders, not by unauthorized third parties.
- Legal defense: maintaining evidence that a domain scan was authorized in the event of a legal dispute or regulatory inquiry.
- Contractual compliance: fulfilling our obligations under our Terms of Service, which require users to confirm they have authority over any domain they submit for scanning.
The legal basis for processing consent log data is legitimate interests (Art. 6(1)(f) GDPR), specifically fraud prevention and legal defense, and contractual necessity (Art. 6(1)(b) GDPR).
Each consent log record contains: the timestamp of authorization; the user’s internal account identifier (UUID); SHA-256 hashes of the IP address and browser user-agent string; and the domain name submitted for scanning. A separate audit log also records the action, actor, and originating IP address in plaintext for fraud prevention purposes.
Consent logs are retained for 5 years from the date of the scan, as required for legal defense purposes (consistent with our Terms of Service Section 3a). They are retained even after account deletion. A deletion request under Art. 17 GDPR cannot be applied to consent log entries while an active legal dispute involving the relevant account remains unresolved. Outside of active disputes, you may contact us to request early deletion of consent log records, and we will assess this on a case-by-case basis against our legitimate interests.
When an account is deleted, scan reports and findings may be deleted from the product database, while a minimal authorization snapshot may be retained in the audit log for legal defense. This snapshot is limited to data needed to evidence scan authorization and does not preserve full vulnerability reports or remediation content.
Advanced Security Assessment authorization records store IP addresses in plaintext (not as SHA-256 hashes). Unlike standard scan consent logs, these records may need to serve as evidence of written consent for active security testing - including methods such as HTTP method testing, CORS probing, and subdomain enumeration. The higher evidentiary standard applicable to authorized penetration testing requires a verifiable original IP address rather than a one-way hash. These records are retained for 5 years from the date of authorization.
9. Automated Decision-Making
UNPWNED uses automated processing, including AI-powered analysis, to generate security scores, grades, and vulnerability assessments for scanned domains. These automated assessments:
- Are based on objective technical analysis of publicly accessible security configurations.
- Do not produce legal effects or similarly significantly affect individuals.
- Can be reviewed upon request - contact [email protected] for human review of any automated assessment.
Our threat detection system also uses automated processing to identify and block malicious traffic based on behavioral patterns. Blocked users may request human review of blocking decisions by contacting [email protected].
10. Your Rights (GDPR & Beyond)
If you are located in the EEA, UK, or another jurisdiction with data protection rights, you have the right to:
- Access: request a copy of the personal data we hold about you.
- Correction: request correction of inaccurate data.
- Deletion: request erasure of your personal data (“right to be forgotten”).
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
- Restriction: request that we restrict processing in certain circumstances.
- Withdraw Consent: where processing is based on your consent, you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. You can withdraw cookie consent via the Cookie Settings link in our footer, and withdraw other consents by contacting [email protected].
- Lodge a Complaint: you have the right to lodge a complaint with a supervisory authority. For users in Israel, this is the Privacy Protection Authority (Rashut LeHagnat HaPratiyut). For users in the EU/EEA, you may contact your local data protection authority. Contact details for EU DPAs are available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
You can exercise your right to data portability by requesting a machine-readable export of your data via [email protected] or through the Export Data feature in your account settings.
You can withdraw cookie consent at any time using the Cookie Settings link in our website footer.
To exercise any of these rights, email us at [email protected]. We will respond within 30 days. Account deletion can also be initiated directly from the account settings page.
11. Data Security
We implement industry-standard security measures including encryption at rest and in transit (TLS 1.2+), row-level security on all database tables, and access controls limited to authorized personnel. However, no system is 100% secure. In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach where required by GDPR Article 33 or other applicable law. If the breach is likely to result in a high risk to your rights and notification is required, we will also notify you directly without undue delay.
12. Children’s Privacy
unpwned is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly.
13. Israeli Privacy Protection Law Compliance
UNPWNED is designed to align with the Privacy Protection Law, 5741-1981 (Hok Haganat HaPratiut), including Amendment 13 (Tikun 13), where applicable to our processing activity.
Database registration and notification: We assess whether any UNPWNED database is subject to registration, notification, or other filing requirements with the Registrar of Databases (Rasham Ma’agarei Meida) at the Privacy Protection Authority, and we will register, notify, or update records where required by law.
Data security regulations: We apply technical and organizational measures intended to align with the Privacy Protection Regulations (Data Security), 5777-2017, including access controls, access logging, periodic security review, and documented security procedures appropriate to the nature and scale of the service.
Cross-border transfers under Israeli law: Transfers of personal data outside Israel are conducted in accordance with Section 36d of the Privacy Protection Law, to countries with adequate data protection or under appropriate safeguards.
Right of access: Israeli residents have the right to access information held about them under Section 13 of the Privacy Protection Law, and to request correction or deletion of inaccurate information under Section 14.
14. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: what personal information we collect and how it is used.
- Right to delete: your personal information.
- Right to correct: you have the right to request correction of inaccurate personal information we hold about you.
- Right to opt out: of the sale or sharing of personal information.
We do not sell your personal information. When you accept advertising cookies, browsing data may be shared with Meta (Facebook) for ad targeting purposes. You can opt out via our Cookie Settings in the website footer or the “Do Not Sell or Share” link in our footer.
To exercise your rights, email [email protected] or use the controls in your account settings. We will not discriminate against you for exercising your privacy rights.
15. Other U.S. State Privacy Rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with comprehensive privacy laws may exercise similar rights to access, correct, delete, and opt out of targeted advertising. We honor the Global Privacy Control (GPC) signal as a valid opt-out of sale/sharing of personal information. To exercise your rights, contact [email protected].
16. Governing Law
This Privacy Policy is governed by the laws of the State of Israel, in compliance with the Israeli Privacy Protection Law 5741-1981 (as amended), and the European Union General Data Protection Regulation (GDPR) where applicable.
17. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-app notice at least 14 days before the change takes effect. The “last updated” date at the top reflects the most recent revision.
18. Contact
For privacy concerns, data requests, or questions about this policy, contact us at: [email protected]