Privacy Policy
Last Updated: January 15, 2026
1. Introduction
At Grawlr, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website security scanning and testing services ("Service").
By using our Service, you consent to the data practices described in this Privacy Policy. If you do not agree with the practices described in this policy, please do not use our Service. This Privacy Policy should be read in conjunction with our Terms of Service, which govern your use of the Service.
2. Information We Collect
Grawlr collects the information necessary to provide, maintain, and improve our security testing services. We follow the principle of data minimization, collecting only what is essential for the Service to function.
The categories of data we collect are:
- Website URLs: The websites you want us to test
- Contact Information: Your email address, company name, and company address
- Security Test Results: Vulnerability findings and attack patterns
- Usage Data: How you use our dashboard and services
We collect this information through various means, including when you register for an account, add websites to your account, configure security scanning settings, interact with our dashboard, or communicate with our support team. We may also collect technical information such as IP addresses, browser types, device information, and usage patterns to improve our Service and ensure security.
3. How We Use Your Information
We use the information we collect to provide, maintain, and improve our Service, and to communicate with you about your account and security findings. Your data is used only for legitimate business purposes related to our security testing services.
Specifically, we use your data for:
- Conducting security tests on your websites
- Providing security reports and recommendations
- Improving our threat detection algorithms
- Communicating with you about your account and security findings
We may also use your information to send you important updates about our Service, security alerts, and billing information, and to respond to your inquiries. With your consent, we may send you marketing communications about new features, security tips, and industry insights. You can opt out of marketing communications at any time through your account settings or by clicking the unsubscribe link in our emails.
4. Data Security
Protecting your data is a top priority at Grawlr. We implement comprehensive security measures to safeguard your information against unauthorized access, alteration, disclosure, or destruction. Our security practices are designed to meet or exceed industry standards and regulatory requirements.
These measures include:
- All data is encrypted in transit and at rest
- Access to customer data is strictly limited and logged
- We undergo regular security audits and penetration testing
- Data is stored in SOC 2 Type II compliant facilities
We use TLS to protect data in transit between your browser and our servers. Sensitive data stored in our databases is encrypted at rest using strong encryption algorithms. Access to customer data is restricted to authorized personnel only, and all access is logged and monitored for security purposes.
Despite our security measures, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. We encourage you to use strong passwords, enable two-factor authentication when available, and keep your account credentials confidential.
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We may share your information only in the limited circumstances described below, and always in accordance with this Privacy Policy and applicable data protection laws.
We may share your information with:
- Service Providers: Trusted third-party service providers who assist us in operating our Service, such as payment processors (Stripe), email service providers, and cloud hosting providers. These providers are contractually obligated to protect your information and use it only for the purposes we specify.
- Legal Requirements: When required by law, court order, or government regulation, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.
- With Your Consent: We may share your information with third parties when you explicitly consent to such sharing.
All third-party service providers are carefully vetted and required to maintain appropriate security measures and confidentiality obligations. We do not allow our service providers to use your information for their own purposes beyond what is necessary to provide services to us.
6. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. The retention period depends on the type of information and the purpose for which it was collected.
Account information and website data are retained for as long as your account is active. If you cancel your account, we will retain your information for a reasonable period to comply with legal obligations, resolve disputes, and enforce our agreements. Security scan results and reports may be retained for longer periods to provide historical security analysis and comply with regulatory requirements.
When we no longer need your information, we will securely delete or anonymize it in accordance with our data retention policies and applicable laws. You may request deletion of your information at any time, subject to our legal obligations to retain certain data.
7. Your Rights and Choices
You have certain rights regarding your personal information, which may vary depending on your location and applicable data protection laws. We are committed to helping you exercise these rights.
You have the right to:
- Access: Request access to the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information, subject to legal requirements
- Portability: Request a copy of your data in a portable format
- Objection: Object to certain processing activities, such as marketing communications
- Restriction: Request restriction of processing in certain circumstances
- Withdraw Consent: Withdraw consent where processing is based on consent
To exercise these rights, please contact us at privacy@grawlr.com. We will respond to your request within a reasonable timeframe and in accordance with applicable laws. We may need to verify your identity before processing certain requests to protect your privacy and security.
8. GDPR Compliance
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and similar data protection laws apply to the processing of your personal information. Grawlr is committed to complying with GDPR requirements and protecting your privacy rights.
Under GDPR, you have enhanced rights regarding your personal data, including:
- Right to be Informed: You have the right to be informed about how we collect and use your personal data, which this Privacy Policy addresses
- Right of Access: You can request copies of your personal data we hold
- Right to Rectification: You can request correction of inaccurate data
- Right to Erasure: You can request deletion of your data in certain circumstances
- Right to Restrict Processing: You can request limitation of how we process your data
- Right to Data Portability: You can request transfer of your data to another service
- Right to Object: You can object to processing based on legitimate interests or for direct marketing
- Rights Related to Automated Decision-Making: You have rights regarding automated processing and profiling
Our legal basis for processing your personal data under GDPR includes:
- Contract Performance: Processing necessary to provide our Service under our Terms of Service
- Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our Service and preventing fraud
- Consent: Processing based on your explicit consent, such as marketing communications
- Legal Obligations: Processing necessary to comply with legal requirements
If you have concerns about how we process your personal data, you have the right to lodge a complaint with your local data protection authority. However, we encourage you to contact us first at privacy@grawlr.com so we can address your concerns directly.
9. Server Locations and Data Processing
Understanding where your data is stored and processed is important for compliance with data protection laws and understanding the security and performance characteristics of our Service.
Database and Primary Storage: Our primary database and customer data storage infrastructure are located in Germany, which is part of the European Union. This means your data is stored within the EU and benefits from EU data protection laws, including GDPR. All customer account information, website configurations, security scan results, and reports are stored in our German data center facilities.
Automated Security Scanning: Our automated security scanning service operates from multiple geographic locations to provide comprehensive testing and ensure optimal performance. Security test requests may originate from various regions including:
- European Union: Multiple data centers in Germany and other EU countries
- United States: Data centers in US East (New York), US West (Seattle), and US Central (St. Louis) regions
- United Kingdom: Data center in Portsmouth, England
- Asia-Pacific: Data centers in Singapore, Japan (Tokyo), Australia (Sydney), and India (Mumbai)
These distributed scanning locations allow us to test your websites from different geographic perspectives, which helps identify region-specific vulnerabilities and ensures comprehensive security coverage. However, it's important to note that:
- All scan results and data are immediately transmitted back to and stored in our German database
- No persistent storage of your website data occurs at these scanning locations
- All scanning activities are logged and monitored from our primary EU-based infrastructure
- We maintain strict data processing agreements with all infrastructure providers to ensure GDPR compliance
By using our Service, you consent to this distributed processing model, which is necessary to provide effective security testing services. All data processing activities comply with applicable data protection laws, and we maintain appropriate safeguards to protect your information regardless of where processing occurs.
10. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience with our Service, analyze usage patterns, and improve our platform. Cookies are small text files stored on your device when you visit our website.
We use the following types of cookies:
- Essential Cookies: Required for the Service to function properly, such as authentication and session management
- Analytics Cookies: Help us understand how visitors use our Service to improve functionality
You can control cookies through your browser settings. However, disabling certain cookies may affect the functionality of our Service. We do not use cookies for advertising purposes or to track you across third-party websites.
11. Children's Privacy
Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@grawlr.com, and we will take steps to delete such information from our systems.
12. International Data Transfers
As described in the Server Locations section, some of our service providers and infrastructure may be located outside the European Economic Area (EEA). When we transfer your personal data outside the EEA, we ensure appropriate safeguards are in place to protect your information in accordance with GDPR and other applicable data protection laws.
We use Standard Contractual Clauses (SCCs) approved by the European Commission, and other appropriate legal mechanisms, to ensure that your data receives adequate protection when transferred internationally. All our service providers are contractually obligated to maintain the same level of data protection as required under GDPR.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated Privacy Policy on this page with a new "Last Updated" date, and we may also notify you via email or through our Service.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
14. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: privacy@grawlr.com
Support: support@grawlr.com
Data Protection Officer: For GDPR-related inquiries, you can reach our Data Protection Officer at privacy@grawlr.com
We are committed to addressing your privacy concerns promptly and transparently. We will respond to your inquiries within a reasonable timeframe and in accordance with applicable data protection laws.