Privacy Policy

Effective Date: March 2025 | Last Updated: March 2026

This Privacy Policy explains how RedSight ("the Service", "we", "us", "our") collects, uses, and protects your information.

1. Information We Collect

Account Information: Name, email address, and profile picture from OAuth providers (Google, GitHub) or email registration.

Scan Data: Target URLs you submit, scan results, vulnerability findings, severity ratings, and generated reports. This is the core data the Service produces.

Domain Verification Data: Records of domains you have verified ownership of, and the verification method used.

Usage Data: IP addresses, browser type, pages visited, feature usage, and timestamps. Collected for security, rate limiting, and service improvement.

Payment Data: Processed entirely by PayPal. We store your plan type and transaction references — never your credit card number or PayPal password.

2. How We Use Your Data

• To perform security scans you request and deliver results
• To authenticate your identity and manage your account
• To verify domain ownership before disclosing full findings
• To process payments and manage subscriptions
• To enforce rate limits and prevent abuse
• To improve scan accuracy and Service reliability
• To communicate important Service updates

3. Scan Data Privacy

Your scan results are private. Only you (and team members on your account, if applicable) can access your scan data. We do not share, sell, or expose vulnerability findings to any third party. Full vulnerability details are only accessible to users who have verified ownership of the scanned domain.

4. Data Storage & Security

Data is stored on secure servers. We protect your data with:

• HTTPS encryption for all communications
• HttpOnly, Secure, SameSite=Lax session cookies
• Hashed passwords (scrypt) — we never store plaintext passwords
• Hashed API keys — stored as irreversible hashes
• SSRF protection on scan inputs to prevent internal network access
• Rate limiting on all endpoints

5. Data Retention

Account data: Retained while your account is active, deleted upon account deletion request.

Scan data: Free tier retains the last 5 scans per domain. Paid plans retain scan history for the duration of the subscription. Scan data may be purged after 90 days of account inactivity.

Server logs: Access logs are retained for up to 30 days for security and debugging purposes.

6. Data Sharing

We do not sell, rent, or trade your personal information. We share data only: (a) with payment processors (PayPal) to complete transactions, (b) when required by law or valid legal process, (c) with your explicit consent.

7. Cookies & Tracking Technologies

We use the following categories of cookies and similar technologies:

Necessary cookies (always active): Session authentication cookies (HttpOnly, Secure, SameSite=Lax). Required for the Service to function. Cannot be disabled.

Analytics cookies (consent required): Google Analytics 4 (GA4) and Microsoft Clarity. These help us understand how the Service is used — page views, feature usage, session recordings. No advertising or cross-site tracking. Data is processed by Google LLC (USA) and Microsoft Corporation (USA) under their respective privacy policies.

Functional cookies (consent required): localStorage preferences such as theme choice, scan defaults, and consent state. These remain on your device and are not transmitted to any server.

On your first visit, a cookie consent banner asks for your permission before any analytics cookies are loaded. You can change your preferences at any time via the "Cookie Settings" link in the footer. Rejecting analytics cookies does not affect Service functionality.

We do not use advertising cookies, retargeting pixels, or sell cookie data to third parties.

8. International Data Transfers

Our servers are hosted in secure data centers. When you use the Service, your data may be processed in Israel (our operating jurisdiction) and, if you consent to analytics, by Google LLC and Microsoft Corporation in the United States. These transfers rely on the providers' standard contractual clauses and data processing agreements. By using the Service and consenting to analytics, you acknowledge these transfers.

9. Your Rights

You have the right to:

• Access your stored data
• Correct inaccurate information
• Delete your account and associated data
• Export your scan results (paid plans)
• Withdraw consent for analytics via Cookie Settings or by deleting your account
• Object to processing based on legitimate interest
• Data portability — receive your data in a structured format

To exercise any of these rights, contact privacy@redsight.app. We respond within 30 days.

10. GDPR & International Users

For users in the European Economic Area: our legal bases for processing are:

• Consent — when you create an account, initiate scans, or accept analytics cookies
• Contract performance — to deliver the scanning Service you requested
• Legitimate interest — service operation, security, abuse prevention, and service improvement

You may withdraw consent at any time — for analytics via the Cookie Settings link in the footer, or for the entire Service by deleting your account. Withdrawal does not affect the lawfulness of prior processing. If you believe your data rights have been violated, you have the right to lodge a complaint with your local data protection authority.

11. Age Restriction

RedSight is not intended for users under 18 years of age. We do not knowingly collect data from minors. If we become aware that we have collected data from a minor, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notice at least 14 days before taking effect. Continued use after changes constitutes acceptance.

13. Contact

Data protection inquiries: privacy@redsight.app

General support: support@redsight.app