Privacy Policy
How Resensor collects, uses, shares, and protects personal data when you use our external attack surface management platform.
This Privacy Policy explains how Resensor ("Resensor", "we", "us", or "our") handles personal data in connection with our website at resensor.io and our application at app.resensor.io (together, the "Service"). It applies to visitors, account holders, and members of organizations that use the Service.
For the purposes of European and UK data-protection law, Resensor is the controller of personal data we collect from you directly (such as your account information). When we process personal data on behalf of an organization that uses the Service, we act as a processor for that organization.
1. Information We Collect
Information you give us
- Account data. Email address, name (if provided), organization name, role, and the password hash or authentication tokens used to sign you in.
- Billing data. When you subscribe to a paid plan, our payment processor (Stripe) collects your payment-method details, billing address, and tax identifier on our behalf. We receive only limited information such as the last four digits of your card, country, and subscription status.
- Customer content. The targets (domains, IP addresses, hostnames, identifiers) you submit to the Service, scan configuration, alert rules, notification connectors, and any notes or other content you add.
- Support communications. Messages you send to [email protected], [email protected], or [email protected].
Information we collect automatically
- Usage data. Pages visited, features used, scan counts, request timestamps, and other product-telemetry events used to operate and improve the Service.
- Device and log data. IP address, user agent, browser type, operating system, referring URL, and timestamps recorded in our server logs.
- Cookies and similar technologies. A small number of strictly-necessary cookies and tokens used to keep you signed in and to remember preferences. See Cookies below.
Information generated by the Service
- Scan results and findings. When you submit a target, the Service performs reconnaissance against that target from our infrastructure and stores the results (DNS records, certificates, headers, observed services, identified vulnerabilities, exposure scores, and similar data) for your organization.
- Public data. The Service relies on publicly available data sources (DNS, certificate transparency logs, public vulnerability databases such as the KEV catalogue and EPSS, breach indicators, and similar) to enrich findings. We may retain copies of relevant public data for performance and reliability.
2. How We Use Information
We use personal data to:
- Provide, maintain, secure, and improve the Service, including running scans, generating reports, sending alerts, and supporting integrations;
- Create and manage your account and your organization, including authentication, access control, and seat management;
- Process payments, manage subscriptions, prevent fraud, and meet our tax and accounting obligations;
- Communicate with you about the Service — including operational notices, security alerts, billing receipts, and (where you have opted in or as otherwise permitted by law) product updates;
- Respond to support requests, vulnerability reports, and legal requests;
- Detect, investigate, and prevent abuse, security incidents, and violations of our Terms of Service;
- Comply with applicable law and enforce our agreements.
Legal bases (EEA, UK, Switzerland)
Where data-protection law requires us to identify a legal basis, we rely on: performance of a contract (to provide the Service you have signed up for), legitimate interests (to secure and improve the Service, prevent abuse, and operate our business in a reasonable way that does not override your rights), consent (where required, for example for non-essential marketing), and legal obligation (for example, to retain billing records for tax purposes).
3. How We Share Information
We do not sell personal data. We share personal data only as described below.
Within your organization
If you join an organization, other members and administrators of that organization may see your account information (such as your email and role) and the activity you generate within that organization, including targets you add and scans you run.
Service providers (subprocessors)
We rely on a small number of vendors to operate the Service. They process personal data on our behalf under written agreements and are not permitted to use it for their own purposes.
| Provider | Purpose | Region |
|---|---|---|
| Cloudflare | Marketing site hosting, CDN, DNS, DDoS protection | Global |
| DigitalOcean | Application hosting and database | United States / Europe |
| Stripe | Payment processing, subscription billing, customer portal | United States / Europe |
| Transactional email provider | Magic-link sign-in, billing receipts, alert delivery | United States / Europe |
Connectors you configure
If you connect Resensor to third-party systems (for example, Slack, email recipients, GitHub Actions, or other webhook destinations), we will transmit relevant scan output to those destinations as configured by you. Once data leaves the Service, it is governed by the receiving system's terms and privacy policy.
Legal and safety
We may disclose personal data when we believe in good faith that it is necessary to comply with applicable law, valid legal process, or a government request; to enforce our Terms of Service; to protect the rights, property, or safety of Resensor, our users, or the public; or to detect and prevent fraud, security incidents, or technical issues.
Business transfers
If Resensor is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, personal data may be transferred as part of that transaction, subject to standard confidentiality arrangements and any restrictions in this Policy.
4. International Data Transfers
Resensor and our service providers may process personal data in countries other than the one in which you live, including the United States and the European Economic Area. Where required, we rely on appropriate safeguards (such as the European Commission's Standard Contractual Clauses, or the UK International Data Transfer Addendum) to protect personal data transferred internationally.
5. Data Retention
We retain personal data for as long as your account is active and as needed to provide the Service. After your account or organization is deleted, we delete or anonymize associated personal data within a reasonable period, except where we are required to retain it (for example, billing and tax records, security logs, or to comply with legal obligations). Backups are rotated on a regular schedule and personal data in backups is purged in accordance with that schedule.
6. Security
We use administrative, technical, and physical safeguards designed to protect personal data — including encryption in transit, encrypted storage for credentials and sensitive secrets, least-privilege access controls, and continuous monitoring of our own infrastructure. No system is perfectly secure; you are responsible for keeping your account credentials confidential and for promptly reporting suspected compromise to [email protected].
7. Your Rights
Depending on where you live, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you;
- Correction — ask us to correct inaccurate or incomplete data;
- Deletion — ask us to delete your personal data;
- Portability — receive your personal data in a portable format;
- Restriction or objection — restrict or object to certain processing, including processing based on legitimate interests;
- Withdraw consent — where processing is based on consent, withdraw it at any time;
- Complaint — lodge a complaint with your local data-protection authority.
You can exercise most of these rights directly in the Service (for example, by updating your account settings or deleting your account). For anything else, email [email protected]. If you are a member of an organization that uses the Service, please direct requests about content within that organization to the organization first; we will refer such requests to them where appropriate.
8. Cookies
We use a minimal set of cookies and similar tokens to operate the Service:
- Authentication cookies that keep you signed in;
- CSRF tokens used to protect against cross-site request forgery;
- Preference cookies that remember choices such as your dashboard view.
We do not use third-party advertising cookies or cross-site tracking. You can block or delete cookies in your browser settings; some parts of the Service will not work without authentication cookies.
9. Children
The Service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact [email protected] and we will delete it.
10. Marketing Communications
We send operational messages (security alerts, billing receipts, scan results, account notices) as part of providing the Service; you cannot opt out of these while you have an account. Any product-update or marketing emails will include an unsubscribe link, and you can opt out at any time. Opting out does not affect operational communications.
11. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will notify you by email or by posting a notice in the Service before the change takes effect. The "Last updated" date at the top of this page indicates when the Policy was most recently revised.
12. Contact
Questions about this Privacy Policy or how we handle personal data? Email [email protected]. For security issues, email [email protected].