Privacy Policy

Last updated: March 16, 2026 · Version 1.2

This Privacy Policy describes how Defenty ("we", "our", "the Service") collects, uses, stores, and shares information when you use the Defenty Scanner platform at defenty.com. It applies to all users, including visitors, free-tier users, and paying customers.

This policy is written to comply with the Lei Geral de Proteção de Dados — LGPD (Brazil, Law 13.709/2018) and the core principles of the GDPR (EU Regulation 2016/679).

1. Data We Collect

We collect the following categories of data:

Data you provide

  • Target domain — the domain you submit for scanning.
  • Email address — used to verify your identity via a one-time password (OTP) before scan initiation, to deliver your scan report, and, for paid plans, to identify your purchase. Transactional emails (OTP codes, report delivery) are sent from hellofriend@defenty.com.

Data collected automatically

  • IP address (IPv4 and IPv6 where available) — collected at the point of scan submission and checkout.
  • Geolocation data — city, region, country, and ISP derived from your IP address via a third-party geolocation service (ipapi.co).
  • Timestamp — precise date and time of each scan request.
  • Scan identifier — a unique hash assigned to each scan.
  • Browser language preference — used to set the default interface language.
  • Session data — stored in sessionStorage (cleared when you close the tab) to carry your domain and email between the scan form and the acceptance step.

Payment data

We do not store payment card numbers or bank details. Payments are processed exclusively by Stripe. We receive only a session confirmation and the email address associated with the transaction. Stripe's privacy practices are governed by the Stripe Privacy Policy.

2. How We Use Your Data

We use the data we collect for the following purposes:

  • Executing scans — your domain and session data are used to run the requested security scan.
  • Delivering reports — your email address is used to send the scan report and any follow-up notifications you opt into.
  • Security logging and fraud prevention — IP address, geolocation, and timestamp are logged to detect and prevent unauthorized use of the platform.
  • Legal compliance — scan logs may be provided to law enforcement authorities in response to lawful requests.
  • Service improvement — anonymised aggregate statistics (e.g., number of scans per plan tier, common misconfiguration types) are used to improve scan coverage and product quality. Individual scan results are not used to train machine learning models.
  • Language personalisation — your browser language is used to set the default interface language.

We do not sell your personal data to third parties. We do not use your data for targeted advertising.

3. Data Sharing

We share data only with the following categories of recipients:

  • Stripe — payment processing. Receives email and payment information; does not receive scan data.
  • Email delivery provider — used to send scan reports to your email address.
  • Cloud infrastructure provider — our scanning infrastructure runs on cloud servers. Data at rest is encrypted.
  • ipapi.co — a third-party IP geolocation service. Your IP address is sent to this service at the time of scan submission to retrieve city, country, and ISP data. Review their privacy policy.
  • Law enforcement — scan logs may be disclosed to competent authorities when required by law or valid legal process.

4. Data Retention

  • Scan logs (IP, domain, timestamp, geolocation) — retained for a minimum of 12 months for security and legal compliance purposes.
  • Scan results — retained for 90 days after scan completion, then permanently deleted.
  • Email addresses — retained for as long as needed to deliver reports and handle support requests. You may request deletion at any time (see Section 6).
  • Payment records — retained in accordance with Brazilian tax law (5 years).
  • Session data (sessionStorage) — automatically deleted when you close the browser tab. No server-side persistence.

5. Cookies and Local Storage

Defenty does not use tracking cookies or third-party advertising cookies. We use only:

  • sessionStorage — stores your domain, email, and selected plan temporarily between pages in the same browser session. This is not a cookie and is never sent to our servers. It is cleared automatically when you close the tab.
  • Language preference — if you switch the interface language, this preference may be preserved via the URL path (locale prefix) rather than a cookie.
  • Consent record — if you interact with our cookie/consent notice, your choice is stored in localStorage with a timestamp. This data never leaves your device.

6. Your Rights

Under the LGPD and GDPR you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate data.
  • Deletion — request erasure of your personal data, subject to legal retention obligations.
  • Portability — request your data in a structured, machine-readable format.
  • Restriction — request that we limit processing of your data in certain circumstances.
  • Objection — object to processing based on legitimate interest.

To exercise any of these rights, email us at contact@defenty.com. We will respond within 15 business days as required by the LGPD.

You also have the right to lodge a complaint with Brazil's national data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD), or your local supervisory authority if you are based in the EU.

7. Data Security

We implement industry-standard technical and organisational measures to protect your data, including:

  • HTTPS/TLS encryption for all data in transit;
  • Encryption at rest for stored scan data;
  • Access controls limiting who can access production data;
  • Regular security reviews of our own infrastructure.

No method of transmission over the internet is 100% secure. If you discover a security vulnerability in our platform, please report it responsibly to report@defenty.com or see our Responsible Disclosure Policy.

8. International Data Transfers

Our infrastructure is primarily located in Brazil. If personal data is processed outside Brazil (for example, via Stripe's global infrastructure), we ensure appropriate safeguards are in place in accordance with LGPD Article 33, including transfers to countries with adequate data protection levels or under contractual clauses.

9. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have collected data from a minor, please contact us immediately at contact@defenty.com.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we update the "Last updated" date at the top of this page. Continued use of the Service after changes are posted constitutes acceptance of the revised policy.

Contact

Use the appropriate contact below depending on your inquiry:

São Paulo, Brazil