Privacy Policy

When you use ArkenSec, we collect information necessary to deliver our security assessment services:

• Account information: email address and name when you create an account (via email/password or Google OAuth).

• Domain information: domain names you register for scanning, including DNS verification tokens.

• Scan data: security assessment results, findings, and reports generated for your domains.

• Usage data: IP addresses, browser type, and page views for rate limiting and abuse prevention.

• Payment information: billing details processed through Stripe (we do not store full card numbers).

• AI chatbot interactions: questions and context you provide to the remediation chatbot.

We do not sell, rent, or share your personal information with third parties for marketing purposes.

If you are located in the European Economic Area (EEA), UK, or Switzerland, we process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b)): processing your account data, scan data, and domain information is necessary to provide the Service you requested.

• Legitimate interest (Art. 6(1)(f)): security monitoring, service improvement, abuse prevention, and aggregated analytics. We balance our interests against your rights and freedoms.

• Legal obligation (Art. 6(1)(c)): retaining billing and tax records as required by applicable law.

• Consent (Art. 6(1)(a)): marketing communications, if any. You may withdraw consent at any time by contacting [email protected].

Your data is used exclusively to provide and improve our security assessment services:

• Performing security scans and generating reports for domains you own and have verified.

• Authenticating your identity and enforcing access controls on your data.

• Sending scan completion notifications and security alerts to your registered email.

• Providing AI-powered vulnerability analysis and remediation guidance via the Anthropic Claude API.

• Rate limiting and abuse prevention to protect the platform and other users.

• Improving scan accuracy and reducing false positives through aggregated, anonymized analysis.

Security is our core business. We protect your data with the same rigor we apply to our assessments:

• All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).

• Infrastructure is hosted on hardened servers with no publicly exposed services — all traffic routes through Cloudflare.

• Database access is restricted to internal networks only, with no public-facing ports.

• Authentication uses industry-standard JWT tokens with bcrypt password hashing.

• Scan results are isolated per user — you can only access findings for domains you own and have verified via DNS.

We retain your data only as long as necessary for the purposes described in this policy:

• Account data: retained while your account is active plus 30 days after deletion request, then permanently deleted.

• Scan results and findings: retained during your subscription plus a 30-day export window after cancellation or termination.

• Payment and billing records: retained for 7 years as required by tax law.

• Server and application logs: retained for 90 days for security monitoring, then automatically purged.

• Anonymous scan data (unauthenticated free scans): retained for 30 days, then automatically deleted.

• AI chatbot conversations: retained during your subscription, deleted with account data.

You may request early deletion of specific data by contacting [email protected]. Some data may be retained longer where required by law.

We use a limited number of third-party services to operate the platform. Each sub-processor is listed below with the data it processes and its location:

• Hetzner Online GmbH (Falkenstein, Germany) — primary hosting and data storage. All account data, scan results, and databases are stored on Hetzner infrastructure within the EU.

• Anthropic / Claude API (United States) — AI-powered vulnerability analysis, severity scoring, remediation guidance, and chatbot responses. Scan data is sent to Anthropic for processing. Per Anthropic's commercial API terms, your data is not used to train their models. Anthropic retains API data for up to 30 days for trust and safety purposes.

• Cloudflare (United States / Global) — DNS, CDN, DDoS protection, WAF, and tunnel ingress. Cloudflare processes request metadata (IP addresses, headers) for security purposes.

• Stripe (Ireland / United States) — payment processing for paid subscriptions. Stripe processes your payment card details and billing information.

• Resend / Amazon SES (United States) — transactional email delivery for scan notifications, security alerts, and account communications.

• Sentry (United States) — error monitoring and performance tracking. Sentry may receive anonymized error data to help us maintain service reliability.

• Google (United States) — OAuth authentication for users who sign in with Google. Google processes authentication tokens only.

• Google Analytics (United States) — aggregated, cookieless website analytics to understand page views, traffic sources, and conversion events. Google Analytics runs in consent-denied mode with no tracking cookies, no advertising identifiers, and no cross-site tracking. Data is aggregated and cannot identify individual users. Google may process this data on servers in the US under the EU-U.S. Data Privacy Framework.

We use Google Analytics in cookieless mode for aggregated website analytics only. We do not use advertising trackers or data brokers. We do not use analytics cookies or any form of cross-site tracking. We will provide at least 30 days' notice before adding new sub-processors that process customer personal data.

Primary data storage is in Falkenstein, Germany (EU), operated by Hetzner Online GmbH. However, certain data is transferred to the United States for processing by our sub-processors:

• Scan data is sent to Anthropic (Claude API) in the US for AI analysis.

• Error data may be sent to Sentry in the US for service reliability monitoring.

• Aggregated analytics data is processed by Google Analytics in the US. No personally identifiable information is sent — only anonymized page views and conversion events.

• Transactional emails are sent via Resend / Amazon SES in the US.

• Payment data is processed by Stripe in Ireland (EU) and the US.

These transfers are made pursuant to the EU-U.S. Data Privacy Framework and/or EU Standard Contractual Clauses (SCCs), as applicable. We have assessed the adequacy of protections for each transfer in accordance with the requirements of the Schrems II decision.

ArkenSec is operated from the United States. If you access the Service from outside the US, you acknowledge that your data may be transferred to and processed in jurisdictions with different data protection laws than your own.

Regardless of your location, you have the right to:

• Access (GDPR Art. 15): request a copy of all personal data we hold about you.

• Rectification (GDPR Art. 16): correct inaccurate or incomplete personal data.

• Erasure (GDPR Art. 17): request deletion of your account and associated data ("right to be forgotten").

• Restriction (GDPR Art. 18): request that we limit how we process your data.

• Portability (GDPR Art. 20): receive your data in a structured, machine-readable format (PDF reports, JSON exports).

• Objection (GDPR Art. 21): object to processing based on legitimate interest.

• Automated decisions (GDPR Art. 22): request human review of automated decisions that significantly affect you, including AI-generated severity assessments.

• Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

• Supervisory authority: you have the right to lodge a complaint with a data protection supervisory authority in your country of residence.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may request identification to verify your identity before processing your request.

ArkenSec uses artificial intelligence (powered by Anthropic's Claude API) to generate vulnerability severity ratings, risk assessments, compliance mapping, and remediation recommendations. These automated assessments may influence your prioritization of security fixes.

You have the right to:

• Understand the logic: our AI scoring combines deterministic rules (based on CVSS, CWE, and compliance framework mappings) with AI-generated analysis. The deterministic score serves as a baseline, and AI adjustments are clamped to a maximum of ±15 points.

• Request human review: contact [email protected] to request a human review of any AI-generated severity assessment or remediation recommendation.

• Contest a decision: if you believe an automated assessment is incorrect, you can flag it through the dashboard or contact our team for manual review.

The Service is not directed to individuals under 16 years of age (the age of digital consent under Germany's BDSG and GDPR Article 8). We do not knowingly collect personal data from children under 16.

If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe we have collected data from a child under 16, please contact us at [email protected].

We use only essential cookies required for authentication and session management. Google Analytics runs in cookieless consent-denied mode and does not place any cookies. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

Essential cookies include: session tokens for authenticated users and security tokens (CSRF protection). These cookies are strictly necessary for the Service to function and do not require consent under the ePrivacy Directive.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

• Notify affected users without undue delay if the breach poses a high risk to their rights and freedoms, as required by GDPR Article 34.

• Document the breach, its effects, and the remedial actions taken.

Our incident response procedures are documented internally and tested regularly as part of our security program.

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email to registered users at least 30 days before they take effect. This policy was last updated on April 10, 2026.

For privacy-related inquiries: [email protected]

For security concerns: [email protected]

For abuse reports: [email protected]

General inquiries: [email protected]

ArkenSec LLC — Miami, Florida