Legal

Privacy Policy

Last updated: April 6, 2026

The short version: ScanAix protects your AI security. We collect only what we need to run the service, we never read your AI conversations, we never sell your data, and you can delete your account at any time. The full details are below.

1. What We Collect

ScanAix collects only what is strictly necessary to operate the service:

Email address — when you create an account via magic link or Google OAuth. Used for authentication and sending security alerts you explicitly opt into.

Scan metadata — when the ScanAix Chrome extension scans a page, we log the domain visited, the trust score returned, and whether a threat was detected. We do NOT log the content of your AI conversations, your prompts, or any personal data you entered into AI tools.

Payment data — if you upgrade to a paid plan, your payment is processed by Stripe. ScanAix never stores your card number, expiry, or CVV. We only store a Stripe customer ID to manage your subscription.

Extension usage — anonymous counts of scans run, threats blocked, and features used. No personally identifiable information is attached.

2. What We Do NOT Collect

We explicitly do not collect:
— The content of your prompts or AI conversations
— Your browsing history outside of AI tool domains we score
— Passwords (we use passwordless magic link authentication)
— Device fingerprints or precise geolocation
— Any data from third-party websites unrelated to ScanAix features

3. How We Use Your Data

Email — to send your magic link sign-in, security alert notifications (if enabled), and transactional emails about your subscription (receipts, renewal reminders).

Scan data — to calculate your personal threat dashboard, display your scan history, and improve our AI vulnerability database. Aggregated, anonymised data may be used to identify emerging threats.

Payment data — to process subscription charges, issue refunds, and manage billing through Stripe.

We do not sell, rent, or share your personal data with third parties for advertising purposes. Ever.

4. Data Storage & Security

All data is stored in Supabase (hosted on AWS in the US-East region) with:
— Encryption at rest (AES-256)
— Encryption in transit (TLS 1.2+)
— Row-Level Security on every database table — your data is only accessible to you
— Service role keys never exposed client-side

Payment processing is handled entirely by Stripe, which is PCI DSS Level 1 certified.

5. Chrome Extension Permissions

The ScanAix extension requests the following Chrome permissions and uses them only as described:

activeTab — to read the domain of the page you are currently viewing, so we can show the X-Ray trust score for that AI tool.

storage — to save your settings (notification preferences, scan thresholds) locally in your browser. This data never leaves your device.

notifications — to show browser notifications when a high-risk threat is detected on a page you visit.

webRequest — to monitor outbound network requests from the current page and detect data exfiltration to known shadow AI endpoints.

We do not use any extension permission to read, copy, or transmit the content of your AI conversations.

6. Data Retention

Scan history — retained for 12 months, then automatically deleted.

Account data — retained for the lifetime of your account. You may delete your account at any time from your dashboard.

Payment records — retained for 7 years as required by financial regulations.

When you delete your account, all personal data (email, scan history, settings) is permanently deleted from our systems within 30 days. Stripe may retain billing records separately per their own retention policy.

7. Your Rights (GDPR & CCPA)

If you are located in the EU, EEA, or California, you have the right to:
— Access the personal data we hold about you
— Correct inaccurate data
— Request deletion of your data ("right to be forgotten")
— Export your data in a portable format
— Withdraw consent for non-essential data processing at any time

To exercise any of these rights, email us at privacy@scanaix.com. We will respond within 30 days.

8. Third-Party Services

ScanAix uses the following third-party services, each with their own privacy policies:

Supabase (supabase.com) — database and authentication

Stripe (stripe.com) — payment processing

Vercel (vercel.com) — hosting and edge delivery

Google (for OAuth sign-in, if you choose it)

We do not use Google Analytics, Meta Pixel, or any advertising tracking technology.

9. Children's Privacy

ScanAix is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@scanaix.com and we will delete it immediately.

10. Changes to This Policy

We may update this Privacy Policy when we add new features or change how we handle data. When we make material changes, we will notify you by email (if you have an account) and update the "Last updated" date at the top of this page. Continued use of ScanAix after changes constitutes acceptance of the updated policy.

11. Contact

For privacy questions, data requests, or concerns:

Email: privacy@scanaix.com

Response time: within 5 business days

For urgent security disclosures: security@scanaix.com