Privacy policy

Last updated: April 4, 2026

What we collect

  • Email address (provided at sign-up)
  • URLs you submit for scanning
  • Scan results and security findings (stored in your account)
  • Payment information — processed by Stripe; we never see your full card number
  • Usage data — pages visited, scans run, credits used
  • IP address — used for rate limiting and abuse prevention; we do not sell it or use it for profiling

How we use it

  • Running security scans on URLs you submit
  • Delivering scan results and PDF reports to you
  • Sending transactional emails (scan complete, credit warnings, magic link sign-in)
  • Preventing abuse and enforcing rate limits
  • Improving the product in aggregate — never to profile individuals

Who we share it with

  • Anthropic (Claude API) — scan findings are sent for AI analysis. Anthropic's data retention policy applies. We send findings, not your email or other personal data tied to the request beyond what the API requires to operate.
  • Supabase — database and file storage. Your data is stored on Supabase-managed PostgreSQL and related services.
  • Stripe — payment processing. We share your email with Stripe when you make a purchase. Stripe is PCI DSS certified.
  • Resend — transactional email delivery. Your email address is shared so we can send emails you request (e.g. scan complete).
  • We do not sell your data. We do not share it for advertising.

Your rights (GDPR)

  • Right to access: download your data from Account / Settings → "Download my data".
  • Right to erasure: delete your account from Account / Settings → "Delete account". Scan data, findings, and PDFs are permanently removed as part of that process, within 24 hours.
  • Right to portability: your export is provided in JSON format.
  • Right to object: opt out of non-essential emails in Account / Settings → Notifications (sign-in links cannot be disabled).
  • To exercise any right or ask a data question: privacy@scorra.io.

Data retention

  • Scan results: retained until you delete your account
  • PDF reports: retained in secure storage until account deletion
  • Payment records: retained by Stripe according to their legal obligations (we cannot delete Stripe's billing records)
  • Inactive accounts: accounts with no activity for 24 months may be deleted with 30 days' notice where we can reach you

Cookies and analytics

  • We use Vercel Analytics, which is cookieless and does not track individuals
  • We set one functional cookie for your language preference (English / French)
  • We do not use advertising cookies or third-party tracking pixels

Security

  • All data is transmitted over HTTPS / TLS
  • Row-level security is enforced at the database level where configured
  • We never store passwords — authentication uses magic link and OAuth
  • Scan results are accessible only to the account that ran the scan

Contact

Data controller: Scorra (Junior Mabiala), France.
Email: privacy@scorra.io
We respond within 30 days as required by GDPR where applicable.
