Privacy Policy

ShakerScan may process account profile data, workspace membership, target URLs, target configuration, scan results, AI transcripts, redacted evidence, raw evidence artifacts, usage events, and billing metadata.

Credential secrets must be stored only in the credential paths designed for secret handling and must not be placed in docs, screenshots, support tickets, or public examples.

ShakerScan currently serves an initial United States and possible Canadian customer base from United States hosted infrastructure. The current deployment posture uses US-region VPS hosting, US-region Supabase, and AWS worker infrastructure in US regions, including us-east-1 where applicable.

This hosting posture is not a custom data-residency commitment unless included in a signed agreement. Customers with strict residency, transfer, sector, or regional requirements should use a signed agreement before sending sensitive production data.

Security scans can create request metadata, response metadata, screenshots, payload samples, HTTP headers, AI prompts, AI responses, trace excerpts, finding evidence, policy evidence, attestations, approval-token records, and worker artifact pointers.

Customers are expected to use test accounts, non-production secrets, staging environments, bounded request budgets, and redaction-friendly fixtures whenever possible. Customers must not intentionally submit regulated, payment, health, or highly sensitive production data unless a signed agreement permits that use.

Customer scan data is used to provide the service, troubleshoot support issues, enforce quotas, detect abuse, maintain security, and produce evidence or audit exports requested by the customer.

Customer target content, credentials, transcripts, and evidence are not used to train foundation models without explicit written customer authorization.

Retention follows the active plan, workspace settings, legal obligations, incident-preservation needs, and backup constraints. Raw and redacted evidence may have different access and retention controls.

Permanent target deletion removes tenant-owned database records where implemented. Object-storage transcripts, worker artifacts, backups, billing records, security logs, and legal-preservation records may require separate lifecycle cleanup or retention before deletion is complete.

Public DAST preview reports: short-lived public preview data, currently intended for approximately 7 days where cleanup is enabled. Hosted evidence: plan-based retention, currently Free Preview 7 days, Dev 30 days, Build Gate 60 days, and Agent Control 180 days unless a signed agreement says otherwise.

Raw evidence artifacts, redacted evidence, AI transcripts, screenshots, DOM/network artifacts, and scan records follow the applicable plan retention where implemented, but worker-uploaded object-storage artifacts may require separate lifecycle cleanup and should not be treated as fully deleted by target deletion until artifact purge is implemented and verified.

Billing records, tax/accounting records, abuse-prevention records, security logs, backup copies, and legal-hold or incident-preservation records may be retained for the period required for accounting, security, fraud prevention, legal compliance, dispute handling, or operational recovery. Exact backup and security-log retention periods must be published before paid launch.

ShakerScan does not train foundation models on customer target content, credentials, transcripts, findings, or evidence. Where optional AI judging or semantic evaluation is enabled, ShakerScan may send bounded, minimized, and where supported redacted excerpts to configured AI providers solely to provide the service.

Customers should not place production secrets, privileged credentials, regulated data, or unnecessary personal data into prompts, targets, documents, traces, or support requests. Provider-specific retention, abuse monitoring, and regional processing depend on the configured provider and must be reflected in the Subprocessors page or signed agreement before regulated production use.

ShakerScan may use essential cookies and similar technologies for authentication, session security, fraud prevention, product operation, and usage measurement. Advertising or retargeting technologies should not be enabled unless the Privacy Policy is updated to describe the related disclosure, sale/share, opt-out, and consent implications.

California and similar privacy-rights requests may include access, deletion, correction, and non-discrimination rights where applicable. Request handling may require identity and workspace-authority verification, and deletion remains subject to retention exceptions described in this policy.

Customer administrators can request export, deletion, or offboarding support through the published support or security contact. ShakerScan may need to verify workspace authority before taking action.

Deletion requests do not require ShakerScan to delete records it must retain for security, fraud prevention, accounting, legal compliance, incident investigation, or contractual dispute handling.