Privacy Policy
Caspori ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our cybersecurity platform at caspori.com and its subdomains.
1. Information We Collect
Account Information
When you create an account, we collect:
- Email address
- Display name (optional)
- Authentication tokens (managed via Firebase Authentication)
- Billing information (processed and stored by Stripe; we do not store card details)
Scan Targets
When you use our domain scanning features, we store:
- Domain names and URLs you submit for scanning
- Scan results including security headers, SSL certificate data, DNS records, and vulnerability findings
- Compliance assessment results
Usage Metrics
We collect basic usage data to improve our service:
- Feature usage frequency
- Session duration
- Error logs for troubleshooting
- API request counts
2. Information We Do NOT Collect
We want to be explicit about what we do not collect or store:
- Remote Browser Isolation (RBI) browsing history: We do not log, store, or monitor the websites you visit through our Safe Browsing feature. Each session is fully isolated and destroyed after use.
- Tunnel traffic: When Secure Tunnel is available, we will not inspect, log, or store any traffic passing through our encrypted tunnel nodes.
- Passwords: We never have access to your passwords. Authentication is handled through Firebase Authentication using industry-standard protocols.
- Content from browsed pages: The content you view in RBI sessions is rendered in isolated containers and never persisted.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our cybersecurity services
- Process your transactions and manage your subscription
- Send you security alerts and scan completion notifications
- Respond to your support requests
- Detect and prevent abuse of our platform
- Generate aggregated, anonymized analytics to improve our service
4. Your Rights Under GDPR
As a data subject under the General Data Protection Regulation (GDPR), you have the following rights:
- Right of Access: You can request a copy of all personal data we hold about you.
- Right to Rectification: You can request correction of inaccurate personal data.
- Right to Erasure: You can request deletion of your personal data. We will comply within 30 days unless we have a legal obligation to retain it.
- Right to Data Portability: You can request your data in a machine-readable format (JSON).
- Right to Restrict Processing: You can request that we limit how we use your data.
- Right to Object: You can object to processing of your personal data for specific purposes.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
5. Data Hosting and Security
Your data is hosted within the European Union, specifically in Frankfurt, Germany. We use industry-standard security measures including:
- Encryption at rest and in transit (TLS 1.3)
- Regular security audits of our infrastructure
- Access controls and least-privilege principles
- Automated vulnerability scanning of our own systems
6. Third-Party Services
We use the following third-party services that may process your data:
- Firebase Authentication (Google): For user authentication and identity management. See the Firebase Privacy Policy.
- Stripe: For payment processing and subscription management. Stripe is PCI DSS Level 1 certified. See the Stripe Privacy Policy.
- Cloudflare: For CDN, DDoS protection, and DNS. See the Cloudflare Privacy Policy.
7. Cookies
We use minimal cookies:
- Authentication cookies: Essential for keeping you logged in.
- Preference cookies: To remember your settings (e.g., theme, language).
We do not use third-party tracking cookies or advertising cookies.
8. Data Retention
We retain your data as follows:
- Account data: Until you delete your account.
- Scan results: 12 months after the scan, or until you delete them.
- Usage logs: 90 days.
- RBI sessions: Destroyed immediately after the session ends. No data retained.
9. Children's Privacy
Caspori is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice on our platform. Continued use of the service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
- Email: [email protected]
- General inquiries: [email protected]