Privacy Policy

Effective 2026-06-27

Is My Site Hackable? is built to collect as little as possible. This policy explains what we collect, why, who we share it with, and the choices you have.

What we collect

  • The URL you submit and the results of scanning it (findings, severities, and the generated report).
  • Your email — optional for a free scan; required for an account.
  • Your acceptance of our terms, stored as a record of the terms version, a timestamp, and the IP address you accepted from.
  • Account identifiers for signed-in users (managed by Amazon Cognito).
  • Billing metadata from Stripe (such as your customer and subscription identifiers). We never receive or store your raw card details.
  • Minimal operational logs needed to run and secure the Service.

What we deliberately don't store

If a scan discovers a secret (an API key, token, or similar), we never store or log it in readable form — it is redacted or hashed before anything is written down. We never store raw payment-card data; Stripe handles payments directly.

How we use it

  • to run your scans and deliver your reports;
  • to operate accounts, subscriptions, and billing;
  • to keep the Service secure and prevent abuse;
  • to maintain and improve how the Service works.

Who we share it with

We don't sell your data. We share it only with the service providers we need to run the product:

  • Amazon Web Services — hosting, storage, and infrastructure.
  • Stripe — payment processing.
  • Amazon Cognito — account sign-in.
  • Anthropic — we send scan findings (with secrets already redacted) to generate the plain-language fix guidance in your report.

We may also disclose information if required by law, or to protect the rights, safety, and security of the Service and its users.

Retention

We keep data only as long as needed. Free-scan results are short-lived and expire automatically. Account and billing records are kept while your account is active and for as long as we're required to retain them afterward.

Cookies

We use only what's necessary to run the site and keep you signed in. We don't use advertising trackers.

Your choices and rights

You can request access to, correction of, or deletion of the personal data we hold about you by emailing us. Depending on where you live, you may have additional rights under laws such as the GDPR or CCPA; we'll honor those rights as required.

Security and data location

Data is encrypted in transit, access is least-privilege, and active scans egress from a dedicated address for traceability. The Service runs on AWS infrastructure in the United States; if you use it from elsewhere, your data is processed there.

Children

The Service isn't directed to children, and we don't knowingly collect data from anyone under 16.

Changes

We may update this policy; the effective date above will change when we do. Significant changes will be made clear on this page.

Contact

Privacy questions or requests? Email security@ismysitehackable.com. See also our Terms of Service.