WebScanify

Privacy Policy

Last updated: 17 May 2026  |  Applies to all WebScanify services

Your privacy matters to us. This policy explains what personal data we collect, why we collect it, how we protect it, how long we keep it, and your rights. Our practices are designed in accordance with the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and India's Information Technology Act, 2000 and IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules").

1. Data Controller

WebScanify is the data controller for personal information collected through webscanify.com. We are an Indian entity subject to the IT Act, 2000 and SPDI Rules. For all data protection enquiries, contact us at [email protected] with the subject "Privacy Request".

2. Data We Collect

  • Account data
    Examples: Email address, scrypt password hash, plan type, registration date
    Purpose: Account creation and authentication
    Legal basis: Contract performance; IT Act S.43A
  • Scan targets
    Examples: Domain names submitted for scanning; origin IP if provided
    Purpose: Performing the security scan service
    Legal basis: Contract performance
  • Scan results
    Examples: Vulnerability findings, risk scores, compliance readiness indicators, reports
    Purpose: Delivering results and maintaining scan history
    Legal basis: Contract performance
  • Authenticated scan credentials
    Examples: Login URL, username, password (for authenticated scans only)
    Purpose: Enabling authenticated scanning of target systems you own
    Legal basis: Contract performance; explicit consent at submission
  • Payment data
    Examples: Order IDs, plan purchased, transaction references (card details held solely by Razorpay/Stripe)
    Purpose: Processing payments, invoicing, financial records
    Legal basis: Contract performance; legal obligation
  • Usage data
    Examples: IP address, browser type, pages visited, scan timestamps, API usage
    Purpose: Security, analytics, abuse prevention, rate limiting
    Legal basis: Legitimate interest; IT Act S.43A
  • Communications
    Examples: Support messages, contact form submissions, email threads
    Purpose: Responding to enquiries and resolving disputes
    Legal basis: Legitimate interest; consent
  • Cookies
    Examples: Session tokens, CSRF tokens, preference cookies
    Purpose: Authentication and security
    Legal basis: Essential (no consent needed); see Cookie Policy

We do not sell your personal data to any third party. We do not collect government-issued IDs, health data, biometric data, or financial account credentials. We do not build advertising profiles.

3. Authenticated Scan Credentials - Special Handling

When you use the optional authenticated scan feature, you may provide login credentials for a target system. These credentials receive the following specific protections:

  • Transit encryption: transmitted over TLS 1.3 (TLS 1.2, 1.1, 1.0 are disabled) from your browser to our servers, and within our internal network over encrypted channels.
  • Not stored in our application database: credentials are passed directly to the isolated scan worker via an encrypted internal message queue (TLS-in-transit) and are consumed immediately when the scan starts. They are never written to our application database and are not present in scan result records.
  • Retention limit: not retained after scan completion. Credentials exist in the message queue from submission until the worker picks up the task (typically seconds), and then only in the worker's memory for the duration of the scan. When the scan finishes they are discarded and leave our systems entirely.
  • Access restriction: accessible only to the scan worker process during active scan execution; not logged to application logs, not exported, not visible to support staff.
  • No third-party sharing: credentials are never shared with any third party under any circumstance.

By providing credentials you confirm you are authorised to use them for testing the target system.

4. How We Share Data

We share personal data only as follows:

  • Payment processors (Razorpay, Stripe): to process transactions. Card details are entered on and held by the processor, which is PCI-DSS Level 1 certified, under its own privacy policy.
  • Infrastructure providers (hosting, database, transactional email): acting as data processors under contractual obligations and their platform terms that require adequate security measures. We select providers that maintain recognised security certifications (e.g., ISO 27001, SOC 2) where available.
  • Legal obligations: if required by Indian law, court order, CERT-In directive, or MeitY order; or to protect the rights, safety, or property of WebScanify and its users from harm or fraud.
  • Business transfers: if WebScanify is acquired or merges, your data may transfer with 30 days' prior notice to you and the right to delete your account before transfer.
  • Anonymised aggregates: we may publish anonymised, aggregated statistics (e.g., most common vulnerability types, scan volumes) that cannot identify any individual or organisation.

We will never sell, rent, or trade personal data.

5. Data Retention

  • Account data: retained while your account is active plus 12 months after account deletion request, then permanently deleted.
  • Authenticated scan credentials: not retained after the scan worker consumes the task (typically within seconds of submission). Credentials are never written to our application database.
  • Scan results and reports: 12 months from the date of the scan, or until you delete them from your account.
  • Payment and billing records: 7 years to comply with Indian financial and tax regulations (Companies Act, GST rules).
  • Support communications: 24 months from last contact.
  • Usage and access logs: 90 days for security and abuse prevention. Security incident logs may be retained for up to 5 years if a suspected offence is involved.

After the applicable retention period, data is permanently deleted or irreversibly anonymised.

6. Cookies

We use essential cookies (session tokens, CSRF protection) that are strictly necessary for the Service to function. We do not use third-party advertising or tracking cookies. See our full Cookie Policy for a complete breakdown and any opt-out options.

7. Security Measures

We implement the following technical and organisational controls in compliance with IT Act SPDI Rules:

  • Passwords: stored as scrypt hashes with N=32768, r=8, p=1 (memory-hard: roughly 32 MiB of working memory per hash computation). Never stored or transmitted in plain text.
  • Transport security: all data is transmitted over TLS 1.3; TLS 1.2, 1.1 and 1.0 are disabled at the web server level. The server negotiates the TLS_AES_256_GCM_SHA384 cipher suite, so records are protected with AES-256-GCM.
  • Data at rest: scan result records are encrypted with AES-256-GCM before being written to the database, so a copy of the database alone is unreadable and any modification of a stored record is detected when it is decrypted. The 256-bit encryption key is held outside the database and is not directly accessible to application code. Authenticated scan credentials are never written to the database (see Section 3).
  • Network security: database accessible only from application servers via private network. External SSH access via key-only authentication.
  • Dependency management: automated dependency scanning; critical vulnerabilities patched within 72 hours of disclosure.
  • Rate limiting: all API endpoints subject to rate limits to prevent abuse and enumeration attacks.
  • Access control: principle of least privilege applied to all service components.
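As an added illustration of the password-storage control above (example code written for this page, not WebScanify's implementation): the scrypt parameters are the ones the policy states; the 16-byte salt, 32-byte derived key and the self-describing record format are assumptions. The example also shows the two operational details a practitioner needs with these parameters: OpenSSL's default 32 MiB memory cap is slightly too small for N=32768, r=8, and records carry their own parameters so the work factor can be raised later without invalidating existing hashes.

```python
import base64
import hashlib
import hmac
import os

# scrypt parameters as stated in the policy (Section 7): N=32768, r=8, p=1.
SCRYPT_N = 32768
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16   # assumption: 128-bit random salt per password
DKLEN = 32        # assumption: 256-bit derived key


def scrypt_memory_bytes(n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """Working memory scrypt needs: 128 * N * r bytes (32 MiB for the stated parameters)."""
    return 128 * n * r


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    # OpenSSL's default maxmem is 32 MiB, which N=32768, r=8 exceeds by a few KiB of
    # per-block overhead, so hashlib.scrypt would raise ValueError unless the cap is raised.
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
        dklen=DKLEN, maxmem=2 * scrypt_memory_bytes(n, r),
    )


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R,
                  p: int = SCRYPT_P) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt$hash' (salt and hash base64)."""
    salt = os.urandom(SALT_BYTES)
    dk = _scrypt(password, salt, n, r, p)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"scrypt${n}${r}${p}${b64(salt)}${b64(dk)}"


def _parse(record: str):
    """Split a record into (n, r, p, salt, digest); raises ValueError if malformed."""
    algo, n, r, p, salt, digest = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported algorithm")
    return int(n), int(r), int(p), base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    try:
        n, r, p, salt, digest = _parse(record)
        candidate = _scrypt(password, salt, n, r, p)
    except ValueError:          # malformed record, bad base64, or invalid scrypt parameters
        return False
    return hmac.compare_digest(candidate, digest)


def needs_rehash(record: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R,
                 p: int = SCRYPT_P) -> bool:
    """True if the record was made with weaker parameters than current policy.

    Call this right after a successful verify_password(), while the plaintext is
    still in hand, and store hash_password(password) in place of the old record.
    """
    try:
        stored_n, stored_r, stored_p, _, _ = _parse(record)
    except ValueError:
        return True
    return stored_n < n or stored_r < r or stored_p < p


if __name__ == "__main__":
    # Constructed demo input.
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("wrong password:", verify_password("Tr0ub4dor&3", rec))
    legacy = hash_password("old-account-password", n=2 ** 14)   # a weaker, older record
    print("legacy needs rehash:", needs_rehash(legacy))
```

The record format makes the parameters part of the stored value, so raising N in a future release only requires rehashing on the next successful login rather than forcing a password reset.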

Third-party security audits: WebScanify currently conducts internal security reviews as part of its development process. We have not commissioned an independent third-party security audit. We intend to engage an external auditor as the platform matures and will update this policy when that occurs. Users are encouraged to apply their own risk assessment accordingly.

Breach notification: in the event of a personal data breach, we will notify affected users without undue delay. Where GDPR applies, we will report the breach to the competent supervisory authority within 72 hours of becoming aware of it; where the CERT-In Directions of April 2022 (issued under section 70B(6) of the IT Act) apply, we will report the incident to CERT-In within 6 hours of noticing it. Notifications will describe the nature of the breach, the data affected, and the remedial steps taken.

8. International Transfers

WebScanify is operated from India. Our cloud infrastructure may process data in regions including Asia-Pacific and Europe. For EEA residents, transfers outside the EEA rely on Standard Contractual Clauses (SCCs) maintained by our infrastructure providers (e.g., AWS, GCP, or equivalent). We do not independently transfer personal data to any third country beyond what is inherent in our hosting and payment infrastructure. On request, we can identify the primary data residency region for your account data.

9. Your Rights

Depending on your location and applicable law (GDPR, CCPA, IT Act SPDI Rules), you have the following rights:

  • Right to access: request a copy of the personal data we hold about you. Response within 30 days.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your data. We will action this within 30 days, subject to legal retention obligations.
  • Right to restrict: request that we restrict processing of your data while a dispute is resolved.
  • Data portability: receive your account and scan data in a machine-readable format (JSON).
  • Right to object: object to processing based on legitimate interest. We will comply unless we have compelling grounds.

Email [email protected] with subject "Privacy Request - [Your Name]". We will respond within 30 days. GDPR users may also lodge a complaint with their national data protection authority. Indian users may contact the IT Secretary / Adjudicating Officer under the IT Act.

CCPA (California) residents: you have the right to know, delete, and opt out of sale of personal information. We do not sell personal information. To exercise rights, email us with "CCPA Request" in the subject.

10. CCPA — Do Not Sell or Share My Personal Information

We do not sell or share your personal information for monetary or other valuable consideration, and we have not done so in the preceding 12 months. "Sell" and "share" are used as defined in the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Because we do not sell or share personal information, no opt-out mechanism is required. However, if you are a California resident and wish to:

  • Know what personal information we have collected about you,
  • Delete your personal information,
  • Correct inaccurate personal information, or
  • Limit use of sensitive personal information,

please email [email protected] with the subject line "CCPA Request — [Your Name]". We will respond within 45 days (extendable by a further 45 days where reasonably necessary). We will not discriminate against you for exercising any CCPA right.

11. Children's Privacy

WebScanify is not directed at persons under 18. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, email [email protected] and we will delete it within 14 days.

12. Transparency Reporting

At least once per calendar year, WebScanify will publish an anonymised Transparency Report covering: total scans processed (by category, not by user), number of data subject requests received and actioned, number of abuse/unauthorised-scan reports received and referred to authorities, and any material security incidents and their resolution. No personally identifiable information or scan targets will be included in these reports.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in law or our practices. When we make material changes, we will update the "Last updated" date and notify registered users by email with at least 14 days' notice before the changes take effect.

14. Governing Law

This Privacy Policy is governed by the laws of India, including the IT Act, 2000, SPDI Rules, 2011, and any successor data protection legislation enacted in India. Disputes are subject to the exclusive jurisdiction of the courts of Madhya Pradesh, India.

15. Contact & Data Requests

For privacy-related enquiries, data subject access requests, or complaints: [email protected]

Subject line: "Privacy Request - [Your Name]"

We commit to acknowledging your request within 3 business days and providing a full response within 30 days.


© 2026 WebScanify. All rights reserved.  |  Authorized security testing only.