VEILSCAN

Privacy Policy

Effective date: 1 April 2026  ·  Last updated: 18 April 2026
Short version: We collect only what we need to run the service. Your scan data never leaves the UK (AWS eu-west-2). We do not sell your data. You can request deletion at any time.

1. Who We Are

CodeCrypse IT Solutions LTD ("VeilScan", "we", "us") is the data controller for personal data collected through veilscan.net. We are registered with the Information Commissioner's Office (ICO) in the United Kingdom.

Contact: hello@veilscan.net

2. What Data We Collect

2.1 Account data

  • Work email address (required for authentication and report delivery)
  • Company name (required for reports and invoices)
  • Subscription plan and billing status
  • Rules of Engagement signature: name, date, domains covered

2.2 Scan data

  • Domain names and IP addresses you submit as scan targets
  • Scan results: open ports, vulnerabilities, misconfigurations, subdomains
  • Generated PDF reports
  • Scan history and timestamps

2.3 Technical data

  • API access logs (IP address, timestamp, endpoint, response code)
  • Session tokens (stored as HttpOnly cookies, not transmitted to third parties)
  • Error logs for debugging (anonymised where possible)

2.4 What we do NOT collect

  • Passwords — we use email-verified sessions only
  • Payment card details — processed directly by Stripe
  • Browser fingerprints, tracking pixels, or advertising identifiers
  • Data from authenticated or internal scans (all scans are external only)

3. Legal Basis for Processing

  • Contract performance — account data and scan data are necessary to deliver the Service
  • Legitimate interests — access logs for security monitoring and abuse prevention
  • Legal obligation — records retention as required by UK law

4. How We Use Your Data

  • Authenticate your account and maintain your session
  • Execute scans against your authorised targets and deliver reports
  • Send scan notifications, reports, and invoices to your registered email
  • Provide Slack alerts for critical findings (if configured by you)
  • Detect and prevent abuse, fraud, and Terms of Service violations
  • Improve the Service using aggregated, anonymised usage statistics

We do not use your data for advertising, profiling, or sale to third parties.

5. Data Storage and Transfers

All customer data — including scan results, reports, and account records — is stored exclusively in AWS eu-west-2 (London). Data does not leave the United Kingdom. Session and authentication data is stored in an encrypted PostgreSQL database in the same region.

6. Third-Party Processors

We use the following sub-processors:

  • AWS (Amazon Web Services) — cloud infrastructure, S3 storage, eu-west-2 region only
  • Stripe Inc. — payment processing. Card data is processed directly by Stripe and is not transmitted to us. Stripe is certified PCI DSS Level 1.
  • Resend — transactional email (report delivery, scan notifications). Only your email address and the email content are shared.

We do not use third-party analytics, advertising networks, or social media tracking pixels.

7. Data Retention

  • Active account: data retained for the lifetime of the subscription
  • Cancelled account: scan data and reports retained for 30 days, then permanently deleted
  • Deletion request: processed within 30 days; see Section 8
  • Invoices and billing records: retained for 7 years as required by UK financial regulations

8. Your Rights (UK GDPR)

You have the following rights regarding your personal data:

  • Access — request a copy of all personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Restriction — request we limit processing in certain circumstances
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interests

To exercise any right, email hello@veilscan.net with the subject line "Data Rights Request". We will respond within 30 days. We may need to verify your identity before fulfilling the request.

You also have the right to lodge a complaint with the ICO: ico.org.uk | 0303 123 1113.

9. Cookies

We use one strictly necessary cookie: vs_session, an HttpOnly, Secure, SameSite=Lax session token used exclusively for authentication. We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

We also use a short-lived vs_flash cookie for displaying one-time UI notifications. It contains no personal data and expires after a single page load.

10. Security

We implement appropriate technical and organisational measures to protect your data, including: encryption at rest (AES-256), encryption in transit (TLS 1.2+), access control with least privilege, and regular security reviews. For details, see our Security page.

11. Changes to This Policy

Material changes to this Privacy Policy will be communicated to your registered email address at least 14 days before they take effect. The current effective date is always shown at the top.

12. Contact

Privacy questions and rights requests:
hello@veilscan.net
CodeCrypse IT Solutions LTD, England & Wales

© 2026 CodeCrypse IT Solutions LTD — All rights reserved. Data stored in AWS eu-west-2 (London)