Privacy Policy

Last updated: 11 June 2026

WebsiteScanner is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR) and the Australian Privacy Act 1988 (Cth), including the Australian Privacy Principles (the APPs).

APP Certified by PrivacyMate
WebsiteScanner is independently certified for compliance with the Australian Privacy Principles by PrivacyMate.

1. Who We Are

WebsiteScanner ("we", "our", "us") is a security auditing platform operated from Australia. Our registered business details and Privacy Officer contact are in Section 13 below.

2. What Personal Data We Collect

Category       | Examples
Account data   | Name, email address, hashed password, email verification status
Domain data    | Domain names you add for scanning, verification tokens, verification method
Scan data      | Scan type, results (SSL, HTTP headers, open ports, CMS vulnerabilities), security score, AI-generated reports
Technical data | IP address (server logs), browser type, Livewire session token
Usage data     | AI report generation requests (token counts, approximate cost), scan history

We do not collect payment card numbers directly — billing is handled by Stripe (see Section 5).

3. How We Collect It

  • Registration: when you create an account
  • Domain addition: when you add domains for auditing
  • Scan initiation: scan results are collected from publicly accessible endpoints of the domain you scan
  • Automatically: server access logs (IP, timestamp) and session cookies

4. Why We Process It — Legal Bases

Purpose                                     | GDPR legal basis                       | APP basis
Provide the scanning service                | Contract (Art. 6(1)(b))                | Primary purpose (APP 3)
Account management                          | Contract (Art. 6(1)(b))                | Primary purpose (APP 3)
Security and fraud prevention               | Legitimate interests (Art. 6(1)(f))    | Necessary for services (APP 6.2)
Service improvement via aggregate analytics | Legitimate interests (Art. 6(1)(f))    | Secondary purpose with consent (APP 6.1)
Billing and subscription management         | Contract (Art. 6(1)(b))                | Primary purpose (APP 3)

5. Third-Party Processors

We share data with the following processors under written data-processing agreements:

Processor               | Purpose                                                        | Data shared                                                                 | Location
Anthropic (Claude AI)   | AI-generated security reports                                  | Scan findings (no name or email)                                            | USA
Stripe                  | Payment processing                                             | Name, email, billing address                                                | USA / EU
Infrastructure provider | Hosting and database                                           | All account data (encrypted at rest)                                        | Australia
Google (AdSense; Analytics via Google Tag Manager) | Advertising and aggregate analytics. Analytics is loaded via Google Tag Manager from googletagmanager.com. | IP address, user agent, page URL, and consent state. No name or email shared. | USA / EU
Cloudflare              | CDN, DDoS protection, and Turnstile bot verification on public forms | IP address, request headers, browser characteristics. Turnstile uses minimal device signals to verify human visitors; no profile or behavioural data is shared with Cloudflare. | Global edge / USA

We do not sell your personal data to any third party. Personalised ads from Google AdSense are only served when you have granted "Marketing" consent through our cookie banner; otherwise we serve non-personalised ads or our own house ads.

6. Data Retention

  • Active account: data retained for the life of the account
  • Account closure / anonymisation: personal identifiers (name, email) are replaced with anonymous values; domain records are deleted; scan and findings data are retained for system integrity and aggregate analytics
  • Server logs: retained for 90 days for security monitoring
  • Billing records: retained for 7 years as required by Australian tax law

7. Your Rights

GDPR and UK GDPR (EU and UK residents)

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure / "right to be forgotten" (Art. 17)
  • Portability (Art. 20)
  • Restriction (Art. 18)
  • Object to processing (Art. 21)

Australian Privacy Act (APPs)

  • Access to your information (APP 12)
  • Correction of inaccurate data (APP 13)
  • Make a complaint (APP 1.4)
  • Opt out of direct marketing (APP 7)

How to exercise your rights: Most rights can be exercised directly in the app:

  • Export your data — Profile → Data & Privacy → Export as JSON or CSV
  • Update your information — Profile → Profile Information
  • Anonymise your account — Profile → Data & Privacy → Anonymise Account
  • All other requests — email privacy@websitescanner.ai

Service-level commitments:

  • Access requests (APP 12, GDPR Art. 15): we provide a copy of the personal information we hold about you within 30 calendar days of receiving a verified request.
  • Correction requests (APP 13, GDPR Art. 16): we correct inaccurate, out-of-date, or misleading personal information within 10 business days, or notify you in writing if we decline (with reasons and the option to attach a statement to the disputed record per APP 13.4).
  • Erasure / anonymisation: account anonymisation (Profile → Data & Privacy → Anonymise Account) takes effect immediately. Email-based erasure requests are completed within 30 calendar days.
  • Complaints: we acknowledge complaints within 5 business days and respond substantively within 30 calendar days.

8. Data Quality & Unsolicited Information

8.1 Data quality (APP 10)

We take reasonable steps to ensure the personal information we collect, use, and disclose is accurate, up-to-date, complete, and relevant for the purpose for which it is used:

  • Validation at entry: email addresses are verified via signed confirmation link; domain ownership is verified via DNS TXT record or HTTP file upload before any active scan can be run; payment details are validated by Stripe before being accepted.
  • Self-service correction: users can update name, email, password, and notification preferences from Profile → Profile Information at any time. Changes propagate immediately.
  • Automatic invalidation: domain verification status is rechecked periodically; scan results older than the plan's retention window are purged automatically.
  • Periodic review: account records inactive for more than 24 months are flagged for review; we contact the account owner before any anonymisation.

8.2 Unsolicited personal information (APP 4)

Where we receive personal information we did not solicit (for example, information included in a free-form support email, scan-target inputs that contain personal data, or a domain ownership submission that incidentally exposes personal information), we apply the following process within 10 business days of identification:

  1. Determine whether we could have lawfully collected the information under APP 3 had we solicited it.
  2. If yes, the information is treated as if it had been solicited and is protected under the rest of this policy.
  3. If no, we destroy or de-identify the information as soon as practicable, provided it is lawful and reasonable to do so. Where destruction is not lawful or reasonable, we record the reason and continue to handle the information under APPs 6–13.

If you believe you have inadvertently sent us personal information we should not hold, please contact privacy@websitescanner.ai and we will action removal under this process.

9. International Data Transfers

When AI-generated reports are created, scan findings (not your name or email) are transmitted to Anthropic's API servers, which may be located in the United States. For EU residents, this transfer is made under Standard Contractual Clauses (SCCs). Anthropic's privacy practices are governed by their Privacy Policy.

Payment data transferred to Stripe is covered by Stripe's EU-US Data Privacy Framework certification.

10. Cookies

We use cookies for authentication and session management. Optional analytics and marketing cookies may be enabled with your consent. See our full Cookie Policy for details. You can manage your cookie preferences at any time via the cookie banner or the "Cookie Settings" link in the footer.

11. Children

WebsiteScanner is intended for business and professional use. We do not knowingly collect personal data from individuals under the age of 18. If you believe a child has created an account, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email and update the "Last updated" date above. Continued use of the service after the effective date constitutes acceptance of the revised policy.

13. Contact & Privacy Officer

WebsiteScanner Privacy Officer

Email: privacy@websitescanner.ai

Address: Australia (full address available on request)

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au (Australia) or your national supervisory authority (EU/UK).
