Privacy Policy
Last updated 2026-07-09
1. Controller & supervisory authority
The controller responsible for data processing on this site (Art. 4 No. 7 GDPR) is Bent Eisheuer. Contact details are in the Imprint. As a solo operator, we are not required to appoint a Data Protection Officer under § 38 BDSG (the threshold of at least 20 people constantly processing personal data is not met).
You have the right to lodge a complaint with a supervisory authority. The authority competent for us is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
https://www.lda.bayern.de
2. What breach403 does, in brief
breach403 runs an automated, non-destructive external security scan against a website whose ownership you have proven you control, then produces a plain-language report of what the scan found. That core purpose shapes every data flow below. We only ever process data about domains you have verified, and scan results can be security-sensitive by nature, since they describe real exposures on a real website, so they get the strongest protection on this page.
3. The domain, verification, and scan data
What:the domain you submit; the ownership-verification token we issue and its status (DNS TXT record, HTML meta tag, or file upload, whichever you used); the scan's findings (e.g. exposed configuration files, missing security headers, outdated software, misconfigurations) and the plain-language report generated from them.
Why: this is the entire service. We cannot scan a domain without it, and we cannot show you a report without storing the result. Legal basis: Art. 6(1)(b) GDPR (performing the contract you request by starting a scan).
No scan runs without proof of ownership.We re-verify ownership at scan time, not just at submission, and only ever test the domain and its subdomains, never a third party's site. See Terms of Service for the authorization you give us by starting a scan.
Anti-abuse: we also use scan counts (how many scans a site or the platform has run recently) to enforce rate limits and prevent the Service from being used to attack third parties. Legal basis: Art. 6(1)(f) (keeping the Service safe and abuse-free). This does not involve any new data beyond what is already described above.
Authorization record: when you create a site, we record an authorization event alongside it: the exact authorization statement you accepted, the version of our Terms in force at that moment, and the IP address and browser user-agent of that request. Why: to hold provable, tamper-evident evidence that security-testing of that domain was authorized, which protects both you and us. This is the one place we store your IP address. Legal basis: Art. 6(1)(f) GDPR (our legitimate interest, as a security-testing service, in a verifiable authorization record and in being able to rebut any claim that a scan was unauthorized). It is kept for as long as the site exists, as part of its audit trail.
Protection:scan results are encrypted at rest, access to them is restricted to your account via database-level row security (a query for someone else's scan simply returns nothing, not an error), and any secret our scanner discovers is masked before it is ever displayed or stored in the report. We never re-publish a live credential.
Retention: kept for as long as your account exists so you can see your scan history. Email us at legetdev@gmail.com to request deletion of your account and its data, and we will action it within the timeframe required by Art. 12(3) GDPR (one month, extendable once for complex requests). If you use the anonymous free scan without creating an account, the underlying anonymous session and its data is periodically cleaned up if it is never converted to a real account.
4. Account data
Anonymous use (the free scan):starting a free scan creates an anonymous session (Supabase Auth's built-in anonymous sign-in), a random session identifier with no email, password, or other personal information attached. It exists so your scan history stays yours across page loads on the same browser. Legal basis: Art. 6(1)(b).
A real account (email + password): creating a real account (to unlock AI-enhanced reports) stores your email address and a securely hashed password. We never see or store your password in plain text; this is handled entirely by our authentication provider, Supabase Auth. Legal basis: Art. 6(1)(b).
5. AI-enhanced reports
If you unlock the AI-powered report, the scan's findings (severity, category, affected URL, and a technical description, not your account email or password) are sent to Google's Gemini APIto generate the plain-language summary and per-finding fix prompts. Google processes this data as our processor under its API terms. Per Google's published API terms, data submitted via the paid Gemini API is not used to train Google's models. Legal basis: Art. 6(1)(b), this is the feature you are unlocking. If AI processing fails, we fall back to a deterministic, template-based report with no AI involvement.
6. Where the scan actually runs
The scan itself executes inside a short-lived, isolated sandbox (Vercel Sandbox). At the time of writing, that compute step runs in the United States (Vercel's iad1 region) even though all stored data, your account, your scan history, and the findings themselves, is stored in the EU (Supabase, Frankfurt/eu-central-1). In practice, this means the domain name you submit and the scan's traffic transit through US infrastructure for the duration of the scan (typically under a few minutes), before the results are stored back in the EU. See §7 for the transfer safeguard this relies on. We are evaluating an EU-native scan host and will update this section if that changes.
7. Hosting, infrastructure & international transfers
We use the following processors to run this service. Where a processor is headquartered outside the EU/EEA, transfers rely on the EU-US Data Privacy Framework (where the provider is certified) and/or the European Commission's Standard Contractual Clauses as an additional safeguard.
- Vercel Inc. (USA): hosts this website and application, and runs the scan-execution sandbox described in §6. Processes IP address and request metadata as part of normal web hosting. Legal basis: Art. 6(1)(f) (operating the service).
- Supabase, Inc.: database, authentication, and file storage. Data is stored in the EU (Frankfurt,
eu-central-1). Legal basis: Art. 6(1)(b)/(f). - Google LLC (USA): the Gemini API described in §5, used only for accounts that have unlocked the AI report. Legal basis: Art. 6(1)(b).
8. Payment (Lemon Squeezy)
AI-scan credits are purchased through Lemon Squeezy, which acts as the merchant of record for these sales. When you buy credits, Lemon Squeezy collects and processes your payment details, billing address, and email directly. We never see or store your card details, and Lemon Squeezy is a separate, independent data controller for that payment data, not our processor. We receive only the confirmation that a purchase succeeded (via a cryptographically signed webhook) and the number of credits it grants, which we store against your account (payment_events: order ID, account, credits granted, and timestamp), kept for German statutory bookkeeping retention, currently 8 years under § 147 AO / § 257 HGB. See Lemon Squeezy's own privacy policy for how they handle your payment data.
9. Analytics
We use Vercel Web Analytics and Speed Insights to understand aggregate site usage and performance. Both are designed to work without cookies or any other persistent identifier written to or read from your device, and do not track you individually across sites. No consent banner is required for this under § 25 TDDDG because nothing is stored on or read from your device. Legal basis: Art. 6(1)(f) (understanding and improving the service).
10. Cookies
The only cookies this site sets are strictly necessary session cookies from our authentication provider (Supabase), which keep you signed in between page loads. These are required for the service to function (you could not stay signed in without them) and do not require consent under § 25 Abs. 2 Nr. 2 TDDDG. We do not use advertising or cross-site tracking cookies.
11. Automated decision-making
We do not use your data for automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR). The AI-generated report is a description of your own scan results, not a decision made about you.
12. Your rights
Under the GDPR, you have the right to:
- Access the personal data we hold about you (Art. 15).
- Have inaccurate data corrected (Art. 16).
- Have your data deleted (Art. 17). Email us to request account deletion.
- Restrict processing in certain circumstances (Art. 18).
- Receive your data in a portable format (Art. 20).
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent at any time, where processing is based on consent (Art. 7(3)).
- Lodge a complaint with a supervisory authority (Art. 77). See §1 for the one competent for us.
To exercise any of these, contact us at legetdev@gmail.com.
13. Changes to this policy
If our data processing changes, whether a new processor or a new feature that collects new data, we will update this page and the date at the top. Material changes will be reflected here before they take effect.