Privacy Policy

Last updated: May 8, 2026

1. Who We Are; Data Controller

The RedVolt service (the "Service") is operated by Winnito L.L.C., a Delaware limited liability company (registered with the Delaware Division of Corporations; mailing address available on written request to privacy@redvolt.ai) ("Winnito," the "Company," "we," "us," or "our"). "RedVolt" is the brand and trading name under which Winnito offers the Service. For purposes of the EU and UK General Data Protection Regulation, Winnito L.L.C. is the data controller for the personal data described in this Policy.

All references in this Policy to "RedVolt" (other than the brand and Service name) should be read as references to Winnito L.L.C.

2. Information We Collect

Account Data: Email address, name, hashed password, and timestamp of Terms of Service acceptance when you register.

Scan Data: Target URLs, domains, scan configurations, vulnerability findings, and reports generated during security testing.

Smart Contract Data: Solidity, Vyper, Move, or Rust source files, GitHub repository metadata, audit configurations, generated audit findings, and proof-of-concept tests produced during the audit. Contract source files are transmitted to our backend, processed inside isolated per-audit workers, and stored in our encrypted object storage.

Payment Data: Processed by Stripe; we do not store credit card numbers. We retain transaction IDs, subscription status, and refund records for tax and accounting compliance.

Usage Data: IP addresses, browser type, interaction logs, API usage metrics, and feature usage for service improvement and security.

Authorization Records: Timestamps and confirmation of your authorization to test specific targets, retained for legal compliance.

3. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

  • Contract Performance: Processing necessary to provide the Service you signed up for (account management, scan execution, report generation)
  • Legitimate Interest: Service improvement, security monitoring, fraud prevention, and abuse detection
  • Legal Obligation: Retaining authorization records, responding to law enforcement requests, and complying with applicable regulations
  • Consent: Where required, such as for marketing communications (which you may opt out of at any time)

4. How We Use Your Data

We use your data to:

  • Provide and operate the Service (scan execution, AI analysis, report generation)
  • Process payments and manage subscriptions
  • Send transactional emails (scan results, account notifications, verification emails)
  • Ensure platform security and prevent abuse
  • Improve the Service through aggregated, anonymized usage analysis
  • Comply with legal obligations and enforce our Terms of Service

5. Data Storage and Security

Our production infrastructure runs on Amazon Web Services (AWS) in the us-east-1 region. All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Scan results, audit reports, and uploaded contract sources are stored in encrypted S3-compatible object storage with access controlled by IAM policies. Passwords are hashed using bcrypt and never stored in plaintext. Authentication credentials provided for authenticated pentests are encrypted and used only for the duration of the scan or mission, then deleted.

Each audit runs inside an isolated Fargate container that is destroyed at the end of the run; temporary working directories containing your contract source are cleaned up automatically and do not persist between audits.

6. Data Retention

We retain your data according to the following schedule:

  • Account data: Retained while your account is active; deleted within 30 days of account termination.
  • Pentest scan data and reports: Retained per subscription tier (Free: 7 days, Starter: 30 days, Professional: 90 days, Security Auditor: 1 year).
  • Smart contract source files: Retained while your account is active so you can re-audit or re-download them. Automatically deleted within 30 days of audit completion unless you have kept the files in your workspace. You can delete uploaded contract source at any time from your dashboard.
  • Smart contract audit reports: Retained while your account is active. You can delete any individual audit report from your dashboard at any time. On account termination, all audit reports are permanently deleted within 30 days.
  • Authorization records: Retained for 3 years for legal compliance.
  • Payment records: Retained for 7 years as required by tax and financial regulations.
  • Server logs: Retained for 90 days.

7. Data Sharing and Sub-Processors

We do not sell your data. We do not share your uploaded contract source with any party other than the sub-processors listed below, which are strictly necessary to operate the Service:

  • Amazon Web Services (AWS): Compute (ECS Fargate), encrypted object storage (S3), database (RDS), and networking in us-east-1.
  • Stripe: Payment processing, subscription management, and refunds.
  • SendGrid: Transactional email delivery (account verification, audit completion notices, billing receipts).
  • Anthropic: AI model provider for our Claude-powered audit pipeline. Contract source and analysis prompts are sent to Anthropic's API for the sole purpose of performing the analysis you requested. Under Anthropic's Commercial Terms of Service, customer inputs are not used to train Anthropic's models. Data may be retained briefly by Anthropic for standard abuse-monitoring purposes per their operational policies.

We may also disclose data when required by law, court order, or to protect the rights, safety, or property of RedVolt, our users, or others. A current, versioned list of sub-processors is available on request to privacy@redvolt.ai.

8. AI Model Training — We Do Not Train on Your Code

We do not use your uploaded contract source, pentest targets, audit findings, or any content you submit to the Service to train, fine-tune, or continuously improve any AI model, whether operated by us or by any sub-processor. This applies to all paid tiers and to free/demo usage alike. If this policy ever changes, we will notify you in advance and require explicit opt-in for any new processing.

9. International Data Transfers

Your data may be processed in the United States and other countries where our infrastructure providers operate. When transferring data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the service provider's Data Privacy Framework certification.

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Portability: Request your data in a structured, machine-readable format
  • Restriction: Request that we limit how we process your data
  • Objection: Object to processing based on legitimate interest
  • Withdraw Consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at privacy@redvolt.ai. We will respond within 30 days. Upon account deletion, all associated data is permanently removed within 30 days, except where retention is required by law.

11. Cookies and Local Storage

We use only strictly necessary technologies for authentication:

  • httpOnly Cookies: Secure authentication tokens (access_token, refresh_token) set by our backend. These are essential for the Service to function and cannot be disabled.
  • Local Storage: Authentication state and user preferences. No tracking data is stored.

We do not use third-party tracking cookies, analytics services, advertising pixels, or fingerprinting technologies. Because we use only strictly necessary cookies, no cookie consent banner is required under the GDPR or the ePrivacy Directive.

12. Children's Privacy

The Service is not intended for anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users via email within 72 hours of becoming aware of the breach, as required by GDPR. We will also notify the relevant supervisory authority where applicable.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance via email or in-app notification. The "Last updated" date at the top of this page indicates when the policy was last revised.

15. Contact and Supervisory Authority

For privacy inquiries, including requests to exercise the rights described in Section 10, contact:

Winnito L.L.C.
(operating under the brand "RedVolt")
Delaware, United States
Privacy: privacy@redvolt.ai
Legal: legal@redvolt.ai

If you are in the European Economic Area or the United Kingdom and believe we have not adequately addressed your data-protection concerns, you have the right to lodge a complaint with your local Data Protection Authority (DPA).