Privacy Policy
Last updated: June 15, 2026
ScanForSecurity ("we", "us", "our") respects your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and the rights you have under the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA), and other applicable privacy laws. It also reflects the privacy controls expected by ISO/IEC 27001:2022 and ISO/IEC 27701:2019.
1. Data controller
The controller responsible for personal data processed via www.scanforsecurity.com is ScanForSecurity. For any privacy-related question or to exercise your rights, contact privacy@scanforsecurity.com.
2. Personal data we collect
2.1 Information you provide
- Account data (if you register as a contributor): email address, full name, password (stored only as a hash, never in plaintext), role.
- Contact form submissions: name, email, subject, message body.
- Newsletter sign-ups: email address and consent timestamp.
- Comments / contributions: any content you submit for publication.
2.2 Information collected automatically
- Server logs: IP address, user-agent, referrer, URLs requested, timestamps. Retained for up to 30 days for security and abuse prevention.
- Privacy-preserving analytics: aggregate pageviews and traffic sources. We do not deploy cross-site tracking pixels or fingerprinting.
- Cookies: strictly necessary session cookies; analytics cookies only with consent. See the Cookies Policy.
2.3 Information from third parties
When you sign in via an identity provider (e.g. Google), we receive the data fields you authorize (typically name, email, and a stable user identifier).
3. Purposes and legal bases (GDPR Art. 6)
| Purpose | Categories | Legal basis |
|---|---|---|
| Deliver and operate the site | Technical, account | Legitimate interests / contract |
| Respond to contact requests | Contact form data | Legitimate interests / consent |
| Send newsletters | Email, preferences | Consent (Art. 6(1)(a)) |
| Security, fraud and abuse prevention | Logs, technical | Legitimate interests; legal obligation |
| Comply with legal obligations | As required | Legal obligation (Art. 6(1)(c)) |
| Aggregate analytics | Pseudonymous usage | Consent (where required) / legitimate interests |
4. How we share personal data
We do not sell or rent personal data. We share data only with vetted processors acting on documented instructions and bound by data-processing agreements:
- Hosting & database: Lovable Cloud (Supabase infrastructure) — EU/US regions.
- Email delivery: transactional email provider for newsletter and contact replies.
- Analytics: privacy-preserving aggregator (no cross-site profiles).
- Legal authorities: where required by binding legal process.
A current list of subprocessors is available on request from privacy@scanforsecurity.com.
5. International transfers
Where personal data is transferred outside the EEA / UK, we rely on European Commission (or UK) adequacy decisions or the Standard Contractual Clauses (SCCs, with the UK International Data Transfer Addendum for UK transfers), together with supplementary measures such as encryption in transit and at rest, where appropriate.
6. Retention
- Contact form messages: 24 months, then deleted.
- Newsletter subscriptions: until you unsubscribe.
- Account data: for the lifetime of the account plus 30 days.
- Server logs: up to 30 days.
- Backups: rolling 35-day cycle; data deleted from live systems may persist in backups until that cycle completes.
7. Your rights
Under the GDPR you have the right to:
- Access your personal data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure / "right to be forgotten" (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent at any time
- Lodge a complaint with your supervisory authority
California residents (CCPA/CPRA) have the right to know, delete, correct, and limit use of sensitive personal information, as well as the right not to be discriminated against for exercising privacy rights. We do not sell or share personal information for cross-context behavioral advertising.
To exercise any right, email privacy@scanforsecurity.com. We respond within one month (GDPR, extendable by up to two further months for complex requests) or 45 days (CCPA, extendable once by a further 45 days).
8. Security
We follow an information security program aligned with ISO/IEC 27001:2022 controls: encryption in transit (TLS 1.2+), encryption at rest, principle of least privilege with role-based access control, MFA for staff accounts, vulnerability management, audit logging, change control, and incident response. No method of transmission is perfectly secure; we work continuously to harden our environment and respond promptly to incidents.
9. Data breach notification
In the event of a personal data breach likely to result in a risk to rights and freedoms, we notify the relevant supervisory authority within 72 hours of becoming aware of it (GDPR Art. 33) and, where the breach is likely to result in a high risk, affected data subjects without undue delay (Art. 34).
10. Children
The site is not intended for children under 16. We do not knowingly collect personal data from children. If you believe we hold data about a child, contact us for prompt removal.
11. Changes
We may update this policy to reflect changes in law, technology, or our practices. Material changes will be announced on this page; the "Last updated" date above will be revised accordingly.
12. Contact
Privacy / DPO contact: privacy@scanforsecurity.com
See also: Cookies Policy, Personal Data Processing Policy.