Privacy Policy
Last updated: December 22, 2025
1. Introduction
SecuritySurface ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our cybersecurity intelligence platform, including SecuritySurface Browser, SecuritySurface Scan, and related services (collectively, the "Services").
By accessing or using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.
2. Information We Collect
2.1 Information You Provide
- Account Information: When you create an account, we collect your email address, password, and any other information you choose to provide.
- Payment Information: We collect payment information through our payment processor (Stripe). We do not store your full credit card details on our servers.
- Profile Information: You may provide additional information such as your name, company name, and contact details.
- Communication Data: When you contact us for support or inquiries, we collect the information you provide in those communications.
- Query and Scan Data: When you use our Services, you may provide domain names, IP addresses, URLs, or other targets for analysis, scanning, or intelligence gathering. This includes queries made through SecuritySurface Browser, scan targets for SecuritySurface Scan, and API requests.
2.2 Information Automatically Collected
- Usage Data: We collect information about how you use our Services, including features accessed, queries performed, API calls made, scans initiated, credits consumed, and service interaction patterns.
- Device Information: We collect information about your device, including IP address, browser type, operating system, device identifiers, and network information.
- Log Data: Our servers automatically record information when you access our Services, including timestamps, request details, API endpoints accessed, query parameters, response codes, error logs, and performance metrics.
- Cookies and Tracking Technologies: We use cookies and similar technologies to track activity on our Services and store certain information, including session identifiers, authentication tokens, and user preferences.
- Query Results and Scan Data: We may collect and store the results of your queries, scans, and analyses, including WHOIS data, DNS records, subdomain lists, IP information, SSL certificate details, technology stack information, vulnerability reports, and search results from the Global Probe Search Engine.
- API Usage Data: For API services, we collect API keys, request patterns, rate limit usage, error rates, and response times to monitor service usage and improve performance.
2.3 Information from Third Parties
- Payment Processors: We receive transaction information from Stripe, including payment method details, transaction amounts, and billing information.
- Authentication Services: If you use third-party authentication services, we may receive information from those providers.
- Public Data Sources: We collect and aggregate information from various public sources, including WHOIS databases, DNS registries, SSL certificate authorities, public IP databases, and other publicly available cybersecurity intelligence sources.
- Third-Party Data Providers: We may receive data from third-party cybersecurity intelligence providers, threat intelligence feeds, and security research organizations to enhance our Services.
- Scan Target Information: When you initiate scans, we may collect publicly available information about the scanned targets from various sources to provide comprehensive scan results.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our Services, including SecuritySurface Browser, SecuritySurface Scan, API services, and the Global Probe Search Engine
- Process transactions and manage your subscription
- Authenticate users and prevent unauthorized access
- Send you service-related notifications and updates
- Respond to your inquiries and provide customer support
- Monitor and analyze usage patterns to improve user experience
- Detect, prevent, and address technical issues and security threats
- Comply with legal obligations and enforce our terms of service
- Send marketing communications (with your consent, where required)
- Query Processing: Process your domain queries, IP lookups, DNS queries, subdomain searches, and other intelligence requests
- Scan Execution: Execute security scans on requested targets, analyze results, and generate vulnerability reports
- Data Aggregation: Aggregate query results, scan data, and intelligence information to improve our database and provide faster responses to future queries
- API Service Delivery: Process API requests, manage API rate limits, monitor API usage, and deliver API responses
- Service Analytics: Analyze query patterns, scan results, and usage data to improve our algorithms, detection capabilities, and service offerings
- Data Caching: Cache query results and scan data to improve service performance and reduce redundant queries to third-party sources
Note on Query and Scan Data: When you query a domain, IP address, or initiate a scan, we may store the query parameters, results, and associated metadata. This data helps us improve our Services, provide faster responses, and maintain historical records. However, we do not use your query targets or scan results to identify or profile you personally, except as necessary to provide the Services or as required by law.
4. Information Sharing and Disclosure
We do not sell your personal information. We may share your information in the following circumstances:
4.1 Service Providers
We may share information with third-party service providers who perform services on our behalf, including payment processing, data storage, analytics, and customer support. These providers are contractually obligated to protect your information and use it only for the purposes we specify.
4.2 Legal Requirements
We may disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, property, or safety, or that of our users or others. This may include disclosing query logs, scan records, or usage data in response to legal process or law enforcement requests.
4.3 Aggregated and Anonymized Data
We may share aggregated, anonymized, or de-identified information that does not identify you personally. This may include statistical information about query patterns, common vulnerabilities, technology trends, or other anonymized insights derived from our Services.
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.
5. Data Security
We implement appropriate technical and organizational security measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption, secure servers, access controls, and regular security assessments.
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
6. Data Retention
We retain your information for as long as necessary to provide our Services, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:
- Account Information: Retained while your account is active. After account deletion, we may retain certain information for up to 7 years for legal, regulatory, or business purposes as required by law.
- Payment Information: Retained as required by payment processors and financial regulations, typically for 7 years after the last transaction.
- Query and Scan Data: Query parameters, scan targets, and results may be retained for up to 2 years to improve our Services, provide historical access, and maintain service quality. Some aggregated or anonymized data may be retained longer for analytical purposes.
- API Usage Logs: API request logs, including endpoints accessed, timestamps, and response codes, are typically retained for 90 days to 1 year for troubleshooting, security monitoring, and service improvement.
- Communication Records: Support tickets, emails, and other communications are retained for up to 3 years after the last interaction.
- Security Logs: Security-related logs, including login attempts, authentication events, and security incidents, may be retained for up to 2 years for security monitoring and incident response.
When information is no longer needed, we will securely delete or anonymize it in accordance with our data retention policies. However, some information may be retained longer if required by law, court order, or for legitimate business purposes such as dispute resolution or security incident investigation.
7. Your Rights and Choices
Depending on your location, you may have certain rights regarding your personal information:
- Access: Request access to the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information
- Portability: Request transfer of your information to another service
- Objection: Object to certain processing of your information
- Restriction: Request restriction of processing your information
- Withdraw Consent: Withdraw consent where processing is based on consent
To exercise these rights, please contact us using the information provided in the "Contact Us" section below.
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to track activity on our Services and store certain information. Cookies are small data files stored on your device. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent.
However, if you do not accept cookies, you may not be able to use some portions of our Services. We use both session cookies (which expire when you close your browser) and persistent cookies (which remain on your device until deleted or expired).
9. Third-Party Links
Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party sites you visit.
10. Children's Privacy
Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately, and we will take steps to delete such information.
11. International Data Transfers and GDPR Compliance
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country. By using our Services, you consent to the transfer of your information to these countries.
11.1 GDPR Rights (European Users)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR), including:
- Right of Access: You can request a copy of your personal data we hold
- Right to Rectification: You can request correction of inaccurate personal data
- Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data under certain circumstances
- Right to Restrict Processing: You can request restriction of processing your personal data
- Right to Data Portability: You can request transfer of your personal data to another service provider
- Right to Object: You can object to processing of your personal data for certain purposes
- Right to Withdraw Consent: Where processing is based on consent, you can withdraw consent at any time
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country
To exercise your GDPR rights, please contact us using the information provided in the "Contact Us" section. We will respond to your request within 30 days, or as required by applicable law.
11.2 Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds under GDPR:
- Contract Performance: Processing necessary to provide our Services and fulfill our contractual obligations
- Legitimate Interests: Processing necessary for our legitimate business interests, such as service improvement, security monitoring, and fraud prevention
- Consent: Processing based on your explicit consent, such as marketing communications
- Legal Obligations: Processing necessary to comply with legal obligations, such as tax reporting or law enforcement requests
11.3 Data Transfer Safeguards
When transferring personal data outside the EEA, we implement appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, to ensure adequate protection of your personal data in accordance with GDPR requirements.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
13. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, please contact us:
- Email: Contact Support
- Website: securitysurface.com/contact