Privacy Policy
Last updated: 25 April 2026Contents
WebsiteScanner is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR) and the Australian Privacy Act 1988 (Cth) (the APPs).
1. Who We Are
WebsiteScanner ("we", "our", "us") is a security auditing platform operated from Australia. Our registered business details and Privacy Officer contact are in Section 12 below.
2. What Personal Data We Collect
| Category | Examples |
|---|---|
| Account data | Name, email address, hashed password, email verification status |
| Domain data | Domain names you add for scanning, verification tokens, verification method |
| Scan data | Scan type, results (SSL, HTTP headers, open ports, CMS vulnerabilities), security score, AI-generated reports |
| Technical data | IP address (server logs), browser type, Livewire session token |
| Usage data | AI report generation requests (token counts, approximate cost), scan history |
We do not collect payment card numbers directly — billing is handled by Stripe (see Section 5).
3. How We Collect It
- Registration: when you create an account
- Domain addition: when you add domains for auditing
- Scan initiation: scan results are collected from publicly accessible endpoints of the domain you scan
- Automatically: server access logs (IP, timestamp) and session cookies
4. Why We Process It — Legal Bases
| Purpose | GDPR legal basis | APP basis |
|---|---|---|
| Provide the scanning service | Contract (Art. 6(1)(b)) | Primary purpose (APP 3) |
| Account management | Contract (Art. 6(1)(b)) | Primary purpose (APP 3) |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f)) | Necessary for services (APP 6.2) |
| Service improvement via aggregate analytics | Legitimate interests (Art. 6(1)(f)) | Secondary purpose with consent (APP 6.1) |
| Billing and subscription management | Contract (Art. 6(1)(b)) | Primary purpose (APP 3) |
5. Third-Party Processors
We share data with the following processors under written data-processing agreements:
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Anthropic (Claude AI) | AI-generated security reports | Scan findings (no name or email) | USA |
| Stripe | Payment processing | Name, email, billing address | USA / EU |
| Infrastructure provider | Hosting & database | All account data (encrypted at rest) | Australia |
| Google (AdSense & Analytics) | Advertising and aggregate analytics | IP address, user agent, page URL, and consent state. No name or email shared. | USA / EU |
We do not sell your personal data to any third party. Personalised ads from Google AdSense are only served when you have granted "Marketing" consent through our cookie banner; otherwise we serve non-personalised ads or our own house ads.
6. Data Retention
- Active account: data retained for the life of the account
- Account closure / anonymisation: personal identifiers (name, email) are replaced with anonymous values; domain records are deleted; scan and findings data are retained for system integrity and aggregate analytics
- Server logs: retained for 90 days for security monitoring
- Billing records: retained for 7 years as required by Australian tax law
7. Your Rights
GDPR (EU/UK residents)
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure / "right to be forgotten" (Art. 17)
- Portability (Art. 20)
- Restriction (Art. 18)
- Object to processing (Art. 21)
Australian Privacy Act (APPs)
- Access to your information (APP 12)
- Correction of inaccurate data (APP 13)
- Make a complaint (APP 1.4)
- Opt out of direct marketing (APP 7)
How to exercise your rights: Most rights can be exercised directly in the app:
- Export your data — Profile → Data & Privacy → Export as JSON or CSV
- Update your information — Profile → Profile Information
- Anonymise your account — Profile → Data & Privacy → Anonymise Account
- All other requests — email [email protected]
We will respond to requests within 30 days (GDPR: one month; APP 12.3: 30 days).
8. International Data Transfers
When AI-generated reports are created, scan findings (not your name or email) are transmitted to Anthropic's API servers, which may be located in the United States. For EU residents, this transfer is made under Standard Contractual Clauses (SCCs). Anthropic's privacy practices are governed by their Privacy Policy.
Payment data transferred to Stripe is covered by Stripe's EU-US Data Privacy Framework certification.
10. Children
WebsiteScanner is intended for business and professional use. We do not knowingly collect personal data from individuals under the age of 18. If you believe a child has created an account, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email and update the "Last updated" date above. Continued use of the service after the effective date constitutes acceptance of the revised policy.
12. Contact & Privacy Officer
WebsiteScanner Privacy Officer
Email: [email protected]
Address: Australia (full address available on request)
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au (Australia) or your national supervisory authority (EU/UK).