NEW AI & agent attack-surface fingerprinting is live

Privacy Policy

How Resensor collects, uses, shares, and protects personal data when you use our external attack surface management platform.

Last updated: May 20, 2026

This Privacy Policy explains how Resensor ("Resensor", "we", "us", or "our") handles personal data in connection with our website at resensor.io and our application at app.resensor.io (together, the "Service"). It applies to visitors, account holders, and members of organizations that use the Service.

For the purposes of European and UK data-protection law, Resensor is the controller of personal data we collect from you directly (such as your account information). When we process personal data on behalf of an organization that uses the Service, we act as a processor for that organization.

1. Information We Collect

Information you give us

Information we collect automatically

Information generated by the Service

Note on scan targets. The Service is designed to assess assets you own or are authorized to assess. You are responsible for ensuring you have authorization for each target you submit. We do not require, and do not knowingly collect, personal data about third parties — but scan output (for example, WHOIS records, email contacts published on a domain, or breach indicators referencing email addresses) may incidentally contain personal data. You are responsible for handling that data lawfully.

2. How We Use Information

We use personal data to:

Legal bases (EEA, UK, Switzerland)

Where data-protection law requires us to identify a legal basis, we rely on: performance of a contract (to provide the Service you have signed up for), legitimate interests (to secure and improve the Service, prevent abuse, and operate our business in a reasonable way that does not override your rights), consent (where required, for example for non-essential marketing), and legal obligation (for example, to retain billing records for tax purposes).

3. How We Share Information

We do not sell personal data. We share personal data only as described below.

Within your organization

If you join an organization, other members and administrators of that organization may see your account information (such as your email and role) and the activity you generate within that organization, including targets you add and scans you run.

Service providers (subprocessors)

We rely on a small number of vendors to operate the Service. They process personal data on our behalf under written agreements and are not permitted to use it for their own purposes.

ProviderPurposeRegion
CloudflareMarketing site hosting, CDN, DNS, DDoS protectionGlobal
DigitalOceanApplication hosting and databaseUnited States / Europe
StripePayment processing, subscription billing, customer portalUnited States / Europe
Transactional email providerMagic-link sign-in, billing receipts, alert deliveryUnited States / Europe

Connectors you configure

If you connect Resensor to third-party systems (for example, Slack, email recipients, GitHub Actions, or other webhook destinations), we will transmit relevant scan output to those destinations as configured by you. Once data leaves the Service, it is governed by the receiving system's terms and privacy policy.

Legal and safety

We may disclose personal data when we believe in good faith that it is necessary to comply with applicable law, valid legal process, or a government request; to enforce our Terms of Service; to protect the rights, property, or safety of Resensor, our users, or the public; or to detect and prevent fraud, security incidents, or technical issues.

Business transfers

If Resensor is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, personal data may be transferred as part of that transaction, subject to standard confidentiality arrangements and any restrictions in this Policy.

4. International Data Transfers

Resensor and our service providers may process personal data in countries other than the one in which you live, including the United States and the European Economic Area. Where required, we rely on appropriate safeguards (such as the European Commission's Standard Contractual Clauses, or the UK International Data Transfer Addendum) to protect personal data transferred internationally.

5. Data Retention

We retain personal data for as long as your account is active and as needed to provide the Service. After your account or organization is deleted, we delete or anonymize associated personal data within a reasonable period, except where we are required to retain it (for example, billing and tax records, security logs, or to comply with legal obligations). Backups are rotated on a regular schedule and personal data in backups is purged in accordance with that schedule.

6. Security

We use administrative, technical, and physical safeguards designed to protect personal data — including encryption in transit, encrypted storage for credentials and sensitive secrets, least-privilege access controls, and continuous monitoring of our own infrastructure. No system is perfectly secure; you are responsible for keeping your account credentials confidential and for promptly reporting suspected compromise to [email protected].

7. Your Rights

Depending on where you live, you may have the following rights regarding your personal data:

You can exercise most of these rights directly in the Service (for example, by updating your account settings or deleting your account). For anything else, email [email protected]. If you are a member of an organization that uses the Service, please direct requests about content within that organization to the organization first; we will refer such requests to them where appropriate.

8. Cookies

We use a minimal set of cookies and similar tokens to operate the Service:

We do not use third-party advertising cookies or cross-site tracking. You can block or delete cookies in your browser settings; some parts of the Service will not work without authentication cookies.

9. Children

The Service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact [email protected] and we will delete it.

10. Marketing Communications

We send operational messages (security alerts, billing receipts, scan results, account notices) as part of providing the Service; you cannot opt out of these while you have an account. Any product-update or marketing emails will include an unsubscribe link, and you can opt out at any time. Opting out does not affect operational communications.

11. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will notify you by email or by posting a notice in the Service before the change takes effect. The "Last updated" date at the top of this page indicates when the Policy was most recently revised.

12. Contact

Questions about this Privacy Policy or how we handle personal data? Email [email protected]. For security issues, email [email protected].