Privacy Notice

Last updated 2026-04-22.

This notice describes what PennScan (“we”) collects when you use the service, how we store it, who we share it with, and how to ask us to delete it. Send questions to legal@pennscan.com.

Data we collect

  • Account data — email, name, hashed password or SSO identifier, and the organization you belong to.
  • Target metadata — URLs, repositories, and allowlists you register as scan targets. We do not collect secrets; if you paste one into a configuration field, we redact it before it is persisted.
  • Scan output — findings, their payloads, proof-of-concept artifacts, and AI-written analyses. These are scoped to your organization and never shared with other customers.
  • Operational logs — request timestamps, IP address, user agent, and error traces, retained for 90 days and used for fraud prevention, rate-limit enforcement, and incident investigation.

How we use it

To provide and operate the service, to prevent abuse, to respond to support requests, and — if you opt in — to improve our AI analyses using aggregated patterns. We do not sell your data. We do not use scan output to train models without your explicit opt-in.

Sub-processors

Vercel (hosting), Supabase (database), Stripe (billing), and OpenAI / Anthropic (AI analyses, opt-in). Each operates under a DPA available on request.

Retention

Scan findings follow the retention window of your tier (30 days Free, 180 days Pro, 10 years Enterprise). Account data persists until you close your account, after which we purge within 30 days except where legal obligations (tax, anti-fraud) require longer.

Your rights

You can export your data, correct inaccuracies, and request deletion at any time via your account settings or by emailing legal@pennscan.com. EU/UK residents have GDPR rights; California residents have CCPA rights. We honor verifiable requests within 30 days.

Security

Data in transit is protected with TLS 1.2 or later. Data at rest is encrypted. Access is scoped to your organization by row-level policies in the database; PennScan staff cannot read scan output without an explicit support escalation, and every such escalation is logged to your audit trail.
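The row-level scoping described above is the kind of thing a customer's own security review will ask to see, so the following is an added illustration of how per-organization isolation is typically enforced in Postgres (the database engine behind Supabase). It is example code written for this page, not PennScan's schema or policy: the table, column, role, and the `app.current_org` session setting are all assumed names.

```sql
-- Illustrative Postgres row-level security (RLS) for per-organization scoping.
-- Added example; not PennScan's schema. Table, column, role and setting
-- names are assumptions made for this illustration.

create table if not exists scan_findings (
    id          bigserial primary key,
    org_id      uuid not null,
    title       text not null,
    payload     text,
    created_at  timestamptz not null default now()
);

-- Constructed sample rows for two tenants (inserted before RLS is forced,
-- because the owner is also subject to policies once FORCE is set).
insert into scan_findings (org_id, title) values
  ('11111111-1111-1111-1111-111111111111', 'Org A finding'),
  ('22222222-2222-2222-2222-222222222222', 'Org B finding');

-- Turn RLS on, and apply it to the table owner as well, so that nothing
-- short of a superuser or a BYPASSRLS role can see across tenants.
alter table scan_findings enable row level security;
alter table scan_findings force row level security;

-- The application sets app.current_org from the authenticated session
-- (assumed convention). If it is unset or empty, the comparison is NULL
-- and no row matches: a request with no tenant context sees nothing.
create policy org_isolation on scan_findings
    for all
    using      (org_id = nullif(current_setting('app.current_org', true), '')::uuid)
    with check (org_id = nullif(current_setting('app.current_org', true), '')::uuid);

-- Application role. It must be an ordinary role: superusers and roles with
-- BYPASSRLS skip every policy above, so the app must never connect as one.
create role app_user nologin;
grant select, insert, update, delete on scan_findings to app_user;
grant usage, select on sequence scan_findings_id_seq to app_user;

-- Check the isolation from the application role's point of view.
set role app_user;
select set_config('app.current_org', '11111111-1111-1111-1111-111111111111', false);
select count(*) from scan_findings;            -- only org A's row is visible

select set_config('app.current_org', '', false);
select count(*) from scan_findings;            -- no tenant context, no rows

-- A cross-tenant write is rejected by the WITH CHECK clause as well.
select set_config('app.current_org', '11111111-1111-1111-1111-111111111111', false);
insert into scan_findings (org_id, title)
  values ('22222222-2222-2222-2222-222222222222', 'Smuggled into org B');
reset role;
```

Run as a superuser against a scratch database: the first count returns 1, the second 0, and the final insert fails the policy check. The point a reviewer should take from it is the inverse of the policy: a superuser or BYPASSRLS role sees every row regardless, which is exactly what a staff "break-glass" path relies on, so such roles must be unreachable from the application and every use of them must be written to an audit trail, as the paragraph above describes.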

Changes

Material changes are announced on /changelog and via email at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.

This page is a good-faith summary, not a substitute for the full DPA or any signed agreement. The signed documents govern where they conflict with this summary.
