Privacy Policy
Version 1.0 · Effective May 29, 2026
This Privacy Policy explains what information CipherSentinel collects, how we use it, who we share it with, and the choices you have. It complements our Terms of Service.
1. What We Collect
1.1 Account information you provide
- Your email address
- Your company name (optional)
- A hashed version of your password (we never store passwords in plain text)
- API keys you generate
- Brand keywords and primary domains you register for monitoring
1.2 Information generated by your use of the Service
- Hostnames, IPs, URLs, or hashes you submit for scanning or lookup
- Scan findings and reports generated by our scanner modules
- API usage logs (timestamp, endpoint, response status, customer ID) for billing, rate-limiting, and abuse detection
- Login timestamps
1.3 Information from our payment processor
- If you subscribe to a paid tier, Stripe, Inc. processes your payment. We receive limited billing metadata from Stripe (subscription status, period end, customer ID) but never your credit card number or full payment credentials. See Stripe's Privacy Policy for details on how Stripe handles payment data.
1.4 Cookies and similar technologies
We use a single first-party session cookie (cs_customer_id) to keep you signed in to the dashboard. We do not use third-party advertising cookies, tracking pixels, or cross-site identifiers.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: authenticate your requests, run scans you request, deliver reports and alerts, enforce tier limits
- Process payments: through Stripe, for subscriptions you opt into
- Operate and improve the Service: monitor performance, debug errors, plan capacity
- Send service-related communications: account confirmations, payment receipts, security alerts. We do not send marketing emails without your explicit consent.
- Maintain the Aggregate Pool of anonymized threat indicators (see Section 6 of the Terms of Service)
- Comply with legal obligations and respond to lawful requests
3. Who We Share Information With
3.1 Service providers acting on our behalf
- Render, Inc. – our hosting provider (US-based); data is stored on Render's infrastructure
- Stripe, Inc. – for payment processing
- External threat intelligence APIs – when you run a scan, we may query third-party APIs (VirusTotal, AbuseIPDB, GreyNoise, AlienVault OTX, Shodan, etc.) about the indicators you submit. These queries reveal the indicator to the third-party provider, but never your account identity.
3.2 The Aggregate Pool (anonymized scan-derived IOCs)
As described in Section 6 of our Terms of Service, we maintain a shared database of anonymized indicators derived in part from customer scans. This database is queryable by other CipherSentinel customers and may be licensed to threat intelligence partners and enterprise customers. Aggregate Pool entries never include your name, email, company name, account identifier, IP address, or any other identifying information. They contain only the anonymized indicator metadata listed in Terms of Service Section 6(b).
3.3 Legal and safety disclosures
We may disclose information when we have a good-faith belief that it's required to: (a) comply with a valid subpoena, court order, or other legal process; (b) protect the safety of any person; (c) investigate fraud or violations of our Terms; or (d) protect CipherSentinel's rights or property.
3.4 We do NOT
- Sell your personal information to advertisers or data brokers
- Share your private scan reports with other customers or any unrelated third party
- Use your account data to train external AI/ML models without your explicit consent
4. Data Retention
We retain different categories of data for different periods:
- Account information – until you close your account or request deletion
- Scan reports – at least one (1) year from scan date; longer if your active subscription tier provides extended history
- API usage logs – twelve (12) months, then aggregated and anonymized
- Billing records – seven (7) years (required for tax and accounting law)
- Aggregate Pool entries – retained indefinitely. As described in the Terms of Service, anonymized indicator entries derived from your scans are part of the Service and remain in our database even after you close your account.
5. Your Rights and Choices
You have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information (most of this is editable from your dashboard)
- Delete your account and associated personal information (anonymized Aggregate Pool entries persist as described above)
- Export your scan reports and account data in a portable format
- Object to certain processing activities
To exercise any of these rights, email jason@ciphersentinel.io from the email address on your account. We'll respond within thirty (30) days. If we deny a request, we'll explain why.
For EU/UK residents: You have additional rights under the GDPR/UK GDPR, including the right to lodge a complaint with your local supervisory authority. Our legal bases for processing are: contract (to deliver the Service you signed up for), legitimate interests (to operate, secure, and improve the Service, and to maintain the Aggregate Pool), and consent (where applicable).
For California residents: You have rights under the CCPA/CPRA, including the right to know, the right to delete, and the right to opt out of certain sales of personal information. We do not sell personal information as that term is defined under the CCPA. Aggregate Pool entries are anonymized and do not constitute personal information.
6. International Data Transfers
Our Service is hosted in the United States (Render, Oregon region). If you access the Service from outside the United States, you understand and consent to your information being transferred to, stored in, and processed in the United States.
7. Security
We protect your information with industry-standard measures including TLS encryption in transit, hashed passwords (PBKDF2 with per-user salt), hashed API keys (SHA-256), and role-based access controls. No system is perfectly secure. If we discover a breach affecting your data, we'll notify you and any regulator as required by applicable law.
8. Children's Privacy
The Service is intended for users 18 years of age or older. We do not knowingly collect information from children under 18. If you believe a child has provided us information, contact us and we'll delete it.
9. Changes to This Policy
We may update this Privacy Policy occasionally. If we make material changes, we'll notify you by email and post the new version here with an updated effective date.
10. Contact
Privacy questions, data subject requests, and complaints should be directed to:
CipherSentinel
Email: jason@ciphersentinel.io
This Privacy Policy is version 1.1, effective May 29, 2026.