Privacy Policy

Scanthra · Last updated: 28 May 2026

TL;DR: We collect only what we need to run a security scan and email you the report: your email address, the domain you asked us to scan, and basic technical logs. We keep reports for 30 days, email logs for 12 months, store everything inside the European Union, and delete on request at /privacy/delete-request. We don't sell data and we don't run advertising trackers.

Who we are

"Scanthra", "we", "us" and "our" refer to the operator of the website scanthra.com and the related scanning service. You can reach us at hello@scanthra.com.

This policy explains how we process personal data in the meaning of Article 4 of Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and equivalent laws.

What we collect, and why

1. When you request a scan

Your email address — so we can send you the verification code and, later, a link to your report.
The domain you submitted — the target of the scan.
Your two consent flags — that you confirm you own (or are authorised to test) the domain, and that you have read this policy.

Legal basis: your consent (GDPR Art. 6(1)(a)) and, for the actual delivery of the service after consent is given, the performance of a service you requested (Art. 6(1)(b)).

2. When we run the scan

Publicly visible technical information about the domain — HTTP response headers, TLS certificate data, public DNS records, robots.txt and similar passively-readable signals. This is the same information any visitor or search engine would see.
Server logs on our side — IP address, request time, user agent — kept for security and abuse prevention. IP addresses in long-term logs are truncated or hashed where practical.

Legal basis: our legitimate interest in operating and securing the service (Art. 6(1)(f)).

3. When you delete your data

We keep a short hashed record of the deletion request so we can prove it was carried out, even after the underlying data is gone.

What we don't collect

We don't run advertising trackers or third-party ad cookies.
We don't fingerprint your device for marketing.
We don't store the body of any pages on the scanned website — only short evidence snippets needed to justify a finding (for example, the value of a security header).
We don't try to log into the scanned site or read authenticated content.

How long we keep it

Scan reports (PDF) and findings metadata: 30 days, then deleted automatically.
Email send log (timestamp, hashed email, message ID): up to 12 months, for deliverability and abuse handling.
Server / application logs: up to 30 days, then rotated.
Records of deletion requests: kept as a hash, indefinitely, as proof of compliance.

On a verified deletion request we remove the corresponding records within 24 hours, save for items we are legally required to keep (e.g. invoicing records, if any).

Where your data lives

All scan data, reports and application logs are stored on infrastructure located in the European Union. We do not transfer scan data outside the EU / EEA.

The third-party services we use to deliver the service are listed below. Each is bound by a data-processing agreement and processes data only on our documented instructions.

Cloud hosting — EU data centre, for the application servers, database and report storage.
Email delivery — EU-routed transactional email provider, for verification codes and report links.
CDN / DNS — used for caching public pages and DDoS protection. Edge traffic may be routed via global points of presence, but no personal data from scans is stored at the edge.
Error monitoring — captures technical errors only; scrubs known personal-data fields before storage.
Privacy-friendly web analytics — aggregate page-view counts only, no cookies, no cross-site tracking.

Where any provider is established outside the EU/EEA, we rely on the European Commission's adequacy decisions or on Standard Contractual Clauses (Art. 46 GDPR).

Your rights

Under the GDPR you have the right to:

Access the personal data we hold about you (Art. 15).
Have it rectified if it is wrong (Art. 16).
Have it erased — the easiest path is the form at /privacy/delete-request (Art. 17).
Restrict or object to processing (Art. 18, 21).
Receive your data in a portable, machine-readable form (Art. 20).
Withdraw consent at any time, without affecting prior processing (Art. 7(3)).
Lodge a complaint with a supervisory authority in your EU country of residence (Art. 77).

To exercise any of these rights, write to hello@scanthra.com. We may ask you to confirm the email used for the original scan, to make sure we don't release someone else's data to you.

Cookies

Scanthra uses only the cookies strictly necessary to operate the service (for example, anti-CSRF tokens during form submission). We do not set advertising, profiling or cross-site tracking cookies. The privacy-friendly analytics we use is cookieless.

Security

We use TLS for all connections, encrypted storage for reports, short retention windows, role-based access for our own staff, and we follow the spirit of GDPR Art. 32 ("appropriate technical and organisational measures"). No system is perfect — see our Terms of Use for the limits of our liability.

Children

The service is intended for adults running or representing a business. We do not knowingly collect data from children under 16.

Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the latest revision. Material changes will be communicated by email to active users or by a clear notice on the website.

Contact

Questions, requests, or to exercise any of your rights: hello@scanthra.com.

Want your data deleted now?

One form, your email, a confirmation link. Done within 24 hours.

Delete my data