Privacy Policy

1. Who We Are

BreachBolt (“we”, “us”, “our”) is a UK-based cybersecurity company that provides AI-powered website security auditing services. We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If you have any questions about this policy, you can contact us at hello@breachbolt.com.

2. What Data We Collect

We collect the minimum data necessary to provide our services:

• Account information: Email address, name, and company name when you create an account or request a scan.
• Scan data: Domain names submitted for scanning, scan results, security scores, and vulnerability findings.
• Payment information: Processed securely by Stripe. We never store your card details on our servers.
• Usage data: Pages visited, features used, and interactions with our platform, collected via Google Analytics.
• Communications: Messages sent through our contact form or support ticket system.

3. How We Use Your Data

We use your data to:

• Provide and improve our security scanning services
• Generate security reports and deliver them to you
• Process payments and manage subscriptions
• Send you scan results, security alerts, and service updates
• Respond to support requests and communications
• Analyse usage patterns to improve our platform
• Comply with legal obligations

We process your data under the following lawful bases: contract performance (providing the service you requested), legitimate interests (improving our services and communicating with you), and consent (where applicable, such as marketing communications).

4. What Our Scanner Collects

Our AI-powered scanning engine performs passive reconnaissance only. This means:

• We only check publicly accessible information (HTTP headers, DNS records, publicly exposed files)
• We never attempt to access private data, bypass authentication, or exploit vulnerabilities
• We do not download, store, or process personal data from the websites we scan
• Our scanner identifies configurations and misconfigurations, not personal data
• Scan results describe technical security posture, not the content of websites

5. Data Sharing

We do not sell your data. We share data only with:

• Stripe: For payment processing. Stripe's privacy policy applies to payment data.
• Supabase: Our database provider, where account and scan data is stored securely.
• Resend: For transactional emails (scan results, account notifications).
• Vercel: Our hosting provider, which processes requests to our website.
• Google Analytics: For anonymised usage analytics.

All third-party providers are GDPR-compliant and process data under appropriate safeguards.

6. Data Retention

We retain your data as follows:

• Account data: Until you request deletion or 2 years after last login
• Scan results: Retained for the duration of your subscription or 1 year for one-off purchases
• Payment records: 7 years as required by UK tax law
• Support tickets: 2 years after resolution

7. Your Rights

Under UK GDPR, you have the right to:

• Access — Request a copy of your personal data
• Rectification — Correct inaccurate data
• Erasure — Request deletion of your data
• Portability — Receive your data in a machine-readable format
• Objection — Object to processing based on legitimate interests
• Restriction — Request limited processing in certain circumstances

To exercise any of these rights, contact us at hello@breachbolt.com. We will respond within 30 days.

8. Cookies

We use the following cookies:

• Session cookie (bb_session): Essential for maintaining your login. HttpOnly, Secure, SameSite=Lax. Expires after 30 days.
• Analytics cookies (Google Analytics): Used to understand how visitors use our site. You can opt out using browser extensions or by declining analytics cookies.

9. Security

We take the security of your data seriously. We use encryption in transit (TLS), secure password hashing (bcrypt), HttpOnly session cookies, and follow security best practices throughout our infrastructure. Ironic, we know — but a security company that doesn't secure its own data wouldn't be worth much.

10. Changes to This Policy

We may update this policy from time to time. We will notify registered users of material changes by email. The “last updated” date at the top of this page indicates when the policy was last revised.