Privacy Policy

Last updated: May 1, 2026

What we collect

  • Email address (provided at sign-up)
  • URLs you submit for scanning
  • Scan results and security findings (stored in your account)
  • Payment information processed by Stripe; we never see your full card number
  • Usage data such as pages visited, scans run, and credits used
  • IP address used for rate limiting and abuse prevention; we do not sell it or use it for profiling

How we use it

  • Running security scans on URLs you submit
  • Delivering scan results and PDF reports to you
  • Sending transactional emails (scan complete, credit warnings, magic-link sign-in)
  • Preventing abuse and enforcing rate limits
  • Improving the product in aggregate, never to profile individuals

Who we share it with

  • Anthropic (Claude API): scan findings are sent for AI analysis
  • Supabase: database and file storage
  • Stripe: payment processing
  • Resend: transactional email delivery
  • We do not sell your data. We do not share it for advertising.

Legal basis for processing (GDPR Article 6)

Contract performance (Article 6(1)(b))

Email address, scan URLs, scan results, and payment records. We need this data to provide the service you signed up for.

Legitimate interests (Article 6(1)(f))

IP address for rate limiting and abuse prevention, and aggregate usage data to improve the product.

Legal obligation (Article 6(1)(c))

Stripe billing records retained for tax and accounting requirements.

International data transfers

Some subprocessors are based in the United States. Where relevant, we rely on:

  • Standard Contractual Clauses (SCCs)
  • EU-US Data Privacy Framework certifications
  • EU adequacy decisions where available

You can request details at privacy@scorra.io.

Sub-processors and DPAs

We maintain Data Processing Agreements with subprocessors where required under GDPR Article 28.

Current subprocessors include Supabase, Anthropic, Stripe, Resend, Vercel, and Railway.

Your rights (GDPR)

  • Right to access
  • Right to erasure
  • Right to portability
  • Right to object to non-essential processing

To exercise your rights, contact privacy@scorra.io.

Data retention

  • Scan results: retained until account deletion
  • PDF reports: retained until account deletion
  • Payment records: retained by Stripe per legal obligations
  • Inactive accounts: may be removed after 24 months with notice where possible

Cookies and analytics

  • We use Vercel Analytics (cookieless)
  • We set one functional cookie for language preference
  • We do not use advertising cookies or third-party tracking pixels

Security

  • Data is transmitted over HTTPS/TLS
  • Row-level security is enforced where configured
  • We never store passwords (magic link and OAuth authentication)
  • Scan results are accessible only to the account that ran the scan

Contact

Data controller: Scorra (Junior Mabiala), France.

Email: privacy@scorra.io
