Privacy Policy

Last updated: February 28, 2026

1. Information We Collect

Account Data: Email address, name, hashed password, and timestamp of Terms of Service acceptance when you register.

Scan Data: Target URLs, domains, scan configurations, vulnerability findings, and reports generated during security testing.

Smart Contract Data: Solidity source files, audit results, and reports uploaded for Web3 audits.

Payment Data: Processed by Stripe; we do not store credit card numbers. We retain transaction IDs and subscription status.

Usage Data: IP addresses, browser type, interaction logs, API usage metrics, and feature usage for service improvement and security.

Authorization Records: Timestamps and confirmation of your authorization to test specific targets, retained for legal compliance.

2. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

  • Contract Performance: Processing necessary to provide the Service you signed up for (account management, scan execution, report generation)
  • Legitimate Interest: Service improvement, security monitoring, fraud prevention, and abuse detection
  • Legal Obligation: Retaining authorization records, responding to law enforcement requests, and complying with applicable regulations
  • Consent: Where required, such as for marketing communications (which you may opt out of at any time)

3. How We Use Your Data

We use your data to:

  • Provide and operate the Service (scan execution, AI analysis, report generation)
  • Process payments and manage subscriptions
  • Send transactional emails (scan results, account notifications, verification emails)
  • Ensure platform security and prevent abuse
  • Improve the Service through aggregated, anonymized usage analysis
  • Comply with legal obligations and enforce our Terms of Service

4. Data Storage and Security

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Scan results and reports are stored in encrypted object storage. Passwords are hashed using bcrypt and never stored in plaintext. Authentication credentials provided for authenticated testing are encrypted and used only for the duration of the scan or mission.

5. Data Retention

We retain your data according to the following schedule:

  • Account data: Retained while your account is active, deleted within 30 days of account termination
  • Scan data and reports: Retained per subscription tier (Free: 7 days, Starter: 30 days, Professional: 90 days, Security Auditor: 1 year)
  • Web3 audit reports: Retained indefinitely (audit certificates are permanent records)
  • Authorization records: Retained for 3 years for legal compliance
  • Payment records: Retained for 7 years as required by tax and financial regulations
  • Server logs: Retained for 90 days

6. Data Sharing and Sub-Processors

We do not sell your data. We share data only with the following third-party sub-processors necessary to operate the Service:

  • Cloud Infrastructure: Hosting provider for compute, storage, and database services
  • Stripe: Payment processing and subscription management
  • SendGrid: Transactional email delivery
  • Anthropic: AI model provider for AI-powered analysis (scan data is sent to the AI API for processing and is not retained by the provider beyond the request)
  • MinIO / Object Storage: Encrypted storage for scan reports, contract files, and audit reports

We may also disclose data when required by law, court order, or to protect the rights, safety, or property of RedVolt, our users, or others.

7. International Data Transfers

Your data may be processed in the United States and other countries where our infrastructure providers operate. When transferring data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the service provider's Data Privacy Framework certification.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Portability: Request your data in a structured, machine-readable format
  • Restriction: Request that we limit how we process your data
  • Objection: Object to processing based on legitimate interest
  • Withdraw Consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at privacy@redvolt.ai. We will respond within 30 days. Upon account deletion, all associated data is permanently removed within 30 days, except where retention is required by law.

9. Cookies and Local Storage

We use only strictly necessary technologies for authentication:

  • httpOnly Cookies: Secure authentication tokens (access_token, refresh_token) set by our backend. These are essential for the Service to function and cannot be disabled.
  • Local Storage: Authentication state and user preferences. No tracking data is stored.

We do not use third-party tracking cookies, analytics services, advertising pixels, or fingerprinting technologies. Because we only use strictly necessary cookies, no cookie consent banner is required under the GDPR or the ePrivacy Directive.

10. Children's Privacy

The Service is not intended for anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users via email within 72 hours of becoming aware of the breach, as required by GDPR. We will also notify the relevant supervisory authority where applicable.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance via email or in-app notification. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact and Supervisory Authority

For privacy inquiries, contact our Data Protection contact at privacy@redvolt.ai.

If you are in the EEA and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local Data Protection Authority (DPA).