Privacy Policy

Last updated: March 20, 2026

1. Data Controller

ExposEdge ("we", "us", "our"), based in Luxembourg, is the data controller for personal data processed through this service. For privacy inquiries, contact us at privacy@exposedge.com.

2. What We Collect

We collect and process the following personal data:

  • Email address (provided at registration)
  • Authentication identifiers (Cognito user ID)
  • Domains you submit for scanning
  • Scan results, findings, and generated reports
  • Usage data: scan timestamps, credit usage, feature interactions
  • Technical data: IP address (stored with scan authorization attestation records and used for rate limiting), browser type (from HTTP headers)

We do not collect or process: names, physical addresses, phone numbers, or any special category data under GDPR Article 9. No payment information is collected during the free beta.

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): processing your email and scan data is necessary to provide the scanning service you requested.
  • Legitimate interest (Art. 6(1)(f)): rate limiting, fraud prevention, and service security. We have assessed that these interests do not override your rights.
  • Legal obligation (Art. 6(1)(c)): retaining transaction records as required by applicable tax and commercial law.

We do not rely on consent as a legal basis for core service processing. Where we send optional marketing communications, we will obtain your explicit consent first.

4. How We Use Your Data

Your data is used to: provide the scanning service and generate reports; manage your account and credits; send scan completion notifications (when email is configured); improve scanning accuracy and service reliability; and enforce our Terms of Service.

We do not sell, rent, or share your personal data with third parties for their marketing purposes. We do not use your data for profiling or automated decision-making that produces legal effects.

5. Sub-Processors and Data Transfers

We use the following sub-processors to provide the Service:

  • Amazon Web Services (AWS): infrastructure, compute, database, authentication, and AI processing. All data is processed and stored in AWS eu-west-1 (Dublin, Ireland). AWS is certified under the EU-US Data Privacy Framework.
  • Shodan (optional): IP address enrichment for discovered hosts. Only IP addresses are sent, no personal data. Used when configured.
  • GitHub API (optional): public code search for domain-related credential leaks. Only the domain name is sent, no personal data. Used when configured.

During scanning, the Service makes outbound requests to your target domain and to public data sources (crt.sh, NVD, RDAP registries, Wayback Machine). These requests contain only the target domain name, not your personal data.

No personal data is transferred outside the EU/EEA. All processing occurs within AWS eu-west-1 (Ireland).

6. Data Storage and Security

All data is stored in AWS DynamoDB in eu-west-1 (Dublin, Ireland). Data is encrypted at rest using AWS-managed encryption keys (AES-256) and in transit using TLS 1.2+. Authentication is handled by AWS Cognito with bcrypt password hashing. API access is protected by JWT tokens with 1-hour expiry.

Additional security measures include: per-IP rate limiting on all API endpoints (with tighter limits on public endpoints); unique request IDs for end-to-end tracing; input sanitization on all data passed to AI models to prevent prompt injection; CORS preflight caching; and security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy) on all responses.

7. Data Retention

We apply the following retention periods:

  • Account data (email, user ID): retained until account deletion.
  • Scan results, findings, assets, and reports: automatically deleted 90 days after creation. DynamoDB Time-to-Live (TTL) enforces this automatically.
  • Intermediate scan processing data: automatically deleted upon scan completion.
  • Authorization attestation records (checkbox consent, timestamp, IP): retained for 36 months for legal compliance.

When you delete your account, all associated data (profile, scans, findings, assets, reports, attestation records) is permanently and irreversibly deleted from our database immediately. There is no soft-delete or recovery period.

8. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15): request a copy of your personal data. Available via the "Export my data" button on your account settings page.
  • Right to rectification (Art. 16): correct inaccurate personal data.
  • Right to erasure (Art. 17): delete your account and all associated data. Available via the "Delete my account" button on your account settings page.
  • Right to data portability (Art. 20): export your data in a structured, machine-readable format (JSON). Available via the "Export my data" button.
  • Right to restriction of processing (Art. 18): request that we limit processing of your data.
  • Right to object (Art. 21): object to processing based on legitimate interest.

To exercise any right not available through self-service, contact privacy@exposedge.com. We will respond without undue delay and in any event within one month, as required by GDPR Article 12(3).

9. Cookies and Tracking

We use only essential cookies required for authentication (session tokens stored by AWS Cognito). We do not use analytics cookies, advertising cookies, or any third-party tracking. No cookie consent banner is required because we only use strictly necessary cookies exempt under the ePrivacy Directive (Art. 5(3)).

10. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. If the breach poses a high risk, we will also notify affected users directly via email as required by Article 34.

11. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. Our lead supervisory authority is the Commission nationale pour la protection des données (CNPD) of Luxembourg: www.cnpd.public.lu.

12. Changes to This Policy

We will notify you of material changes to this Privacy Policy via email at least 30 days before they take effect.

13. Contact

Operator: ExposEdge, Luxembourg. For privacy-related inquiries or to exercise your data rights: privacy@exposedge.com.