Introduction
Orbitwise Ltd runs BoringSec. This page tells you what we do with your data — in plain English on the left, in the binding legal text below.
Orbitwise Ltd ("Company", "we", "us", or "our") operates the BoringSecplatform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
We are committed to protecting your privacy and handling your data transparently and responsibly. By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
If you do not agree, please do not access or use the Service.
Information We Collect
Three buckets: what you give us (account, payments, the URL you scan), what your browser tells us automatically (logs, cookies), and the public scan data we generate from those URLs.
2.1 Information You Provide
We collect information you voluntarily provide when using our Service:
- Account Information: Name, email, and authentication data (email or third-party providers like Google or GitHub).
- Profile Information: Optional profile details you choose to provide.
- Payment Information: Billing address and payment method details (processed securely by Stripe).
- Scan Data: Domain names and URLs you submit for security scanning.
- Connected Scan Data: Repository identifiers, selected source evidence, archive manifests, and an expiring authenticated-scan profile when you explicitly configure those features.
- Communications: Messages you send for support or feedback.
2.2 Information Collected Automatically
When you access our Service, we automatically collect:
- Device Information: Browser type, operating system, device identifiers.
- Usage Data: Pages visited, features used, time spent on the Service.
- Log Data: IP address, access times, referring URLs, error logs.
- Cookies and Similar Technologies: See Section 6.
2.3 Anonymous Purchase Data
When you purchase a single report without registering, we create a minimal account record with your email so we can deliver the report and validate access. You can request deletion at any time via support@boringsec.com.
Data we store for anonymous purchases:
- Email address (for delivery)
- Stripe customer/payment IDs (for refund processing)
- Purchase metadata (which report, package type, timestamp)
We do not store payment card details — those are handled exclusively by Stripe.
2.4 Scan Result Data
When you perform security scans, we collect and store the scan results, which may include HTTP headers, SSL/TLS certificate details, DNS records, and other publicly available technical information about the scanned domains. This data is necessary to provide the Service and generate security reports.
How We Use Your Information
We use your data to run the product, talk to you about your account, prevent abuse, and (only with your consent) send promotional emails. Nothing else.
We use the information we collect for the following purposes:
- Provide the Service: Process scans, generate reports, deliver security analysis.
- Account Management: Create and manage your account, authenticate users, process payments.
- Communication: Send service notifications, security alerts, respond to inquiries.
- Improvement: Analyze usage patterns to improve the Service.
- Security: Detect, prevent, and address technical issues, fraud, and abuse.
- Legal Compliance: Comply with applicable laws, regulations, and legal processes.
- Marketing: Send promotional communications (with consent, where required).
Data Retention
Each data class has an explicit window or retention rule. The matrix distinguishes report history, credentials, source connections, analytics, audit logs, support, and billing instead of hiding them behind “as long as necessary.”
The normal production retention rules are:
| Data class | Default window | Deletion or minimization | Exceptions |
|---|---|---|---|
| Anonymous URL scan report and request network metadata | Public report access expires after 30 days. | IP address, user agent, country, and city are removed when access expires. The anonymous scan record is deleted after a further 7-day cleanup grace period. | A scan retained for an active Care relationship or a required outreach/disclosure audit trail is protected from that automatic deletion path. |
| Signed-in domains, scans, findings, monitoring history, and paid reports | Retained while needed to provide the account, purchase, report history, or monitoring relationship; no shorter fixed automatic window is promised. | The owner can delete a domain/account or request erasure. Related product data is deleted or anonymized unless a legal or security obligation requires limited retention. | Billing, fraud, incident, and legally required records may be retained separately for the applicable obligation. |
| Authenticated-scan bearer token, cookie, custom header, or bounded form-login username/password | The owner selects 7, 30, or 90 days; the profile expires automatically. | Credentials are encrypted with authenticated encryption, never returned by the API, loaded only inside the isolated scan boundary, and can be revoked earlier. Form credentials are exchanged for a bounded session cookie inside that boundary. | The report stores status/evidence, not the decrypted credential value. |
| Connected repository content and repository access credentials | Source is fetched for the authorized scan; findings and scan metadata remain with the report history. | Repository credentials stay server-side and can be revoked. Full source content is not intentionally copied into public reports; evidence is minimized and secrets are masked. | Provider-side logs and repository retention remain governed by the connected provider and customer repository. |
| Authenticated repository ZIP, bounded file manifest, and redacted static-analysis findings | The raw ZIP is deleted immediately after a completed, failed, or quarantined result, with a 24-hour cleanup fallback. The manifest and findings expire after 30 days. | The owner can delete the scan sooner. Raw source stays in a dedicated non-public bucket; source files are never returned by the API, and secret-bearing evidence is redacted before result storage. | A short upload reservation expires after 15 minutes if the upload never becomes a valid queued scan. Audit metadata contains no source content or private object key. |
| Raw product analytics sessions | 90 days. | Raw analytics sessions older than the window are deleted by the scheduled retention job. | Aggregated, non-identifying operational metrics may remain after raw sessions are removed. |
| Audit-log IP addresses and user agents | Direct IP and routine user-agent detail are minimized after 90 days; routine cron heartbeat rows are deleted after 30 days. | IPv4 is reduced to /24 and IPv6 to /48. User agents are removed from non-security audit rows. | Security-relevant audit events may retain limited user-agent context for abuse, access, and incident review. |
| Closed support and inbound-reply conversations | 24 months after the last message. | Closed conversations older than the window are deleted by the scheduled retention job. | Open conversations and records under a legal/security hold are not part of the normal closed-conversation cleanup. |
| Billing and transaction records | For the tax, accounting, dispute, and fraud-prevention period required by applicable law and payment operations. | BoringSec stores provider identifiers and purchase state, not full payment-card data. | Stripe independently processes payment data under its own retention and legal obligations. |
You may request deletion of your data by contacting us. We will delete or anonymize your data within a reasonable timeframe, except where retention is required by law.
Data Security
TLS in transit, encryption at rest, audit logs, secure auth. Standard practice — but no system is 100% breach-proof.
We implement appropriate technical and organizational measures to protect your information, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure authentication mechanisms
- Regular security assessments and monitoring
- Access controls and audit logging
- Secure software development practices
While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.
Your Privacy Rights (GDPR Articles 15–22)
You can ask for a copy of your data, correct it, delete it, or take it elsewhere. We respond within 30 days. Email privacy@boringsec.com to start any request.
Under GDPR and similar privacy laws, you have the following rights regarding your personal data:
Request a copy of all personal data we hold — scan results, account info, usage data.
Request →Correct inaccurate or incomplete personal data we have on file.
Request →"Right to be Forgotten" — deletion of your account and data within 30 days, except where law requires retention.
Request →Receive your data in a machine-readable format (JSON / CSV) for transfer to another service.
Request →Object to processing based on legitimate interests. Opt out of marketing emails any time.
Request →Withdraw consent for optional processing (marketing cookies). Doesn't affect prior processing.
Request →We respond within 30 days as required by GDPR. For complex requests, we may extend up to 60 additional days, and will inform you within the initial 30-day period.
For all requests, contact us at privacy@boringsec.com. We may verify your identity before processing your request.
International Data Transfers
The production application stack is hosted in the EU. Stripe and optional Google/GitHub or externally configured AI features may involve international processing.
Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.
9.1 Data Transfers to the United States
Some of our service providers are located in the United States, which is not considered to have an adequate level of data protection under EU law. Specifically:
- Google Ads: If you consent to marketing cookies, conversion tracking is processed in the USA by Google LLC.
- Stripe: Payment processing may involve USA data centers.
- Optional Authentication and Repository Features: Google and GitHub may process data on global infrastructure when you choose those features.
- Optional External AI: External model processing is disabled unless a server operator explicitly configures a provider. Before enabling one in production, we must disclose the provider and applicable transfer safeguards.
9.2 Safeguards We Use
When we transfer your data internationally, we implement appropriate safeguards:
- Standard Contractual Clauses (SCCs): EU-approved contractual clauses binding service providers to protect your data.
- Data Processing Agreements: Contracts ensuring GDPR-compliant data handling.
- Consent: For optional services like marketing cookies, we obtain your explicit consent first.
- Data Minimization: We only transfer data necessary for the specific service.
European Users (GDPR)
If you are in the EEA, UK, or Switzerland, you get full GDPR rights — and you can complain to your local data protection authority if anything looks wrong.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply.
Legal Basis for Processing: We process your personal data based on:
- Contract: Processing necessary for performance of our contract with you (providing the Service).
- Legitimate Interests: Improving the Service, preventing fraud.
- Consent: Marketing communications and optional cookies.
- Legal Obligation: Compliance with legal requirements.
You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.
California Residents (CCPA)
California residents have the same right to know, delete, and not be discriminated against — and we don't sell personal info under CCPA either.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Disclosure of categories and specific pieces of personal information we have collected.
- Right to Delete: Request deletion of your personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
We do not sell personal information as defined under the CCPA.
Children's Privacy
Service is not for users under 18. If we ever discover we collected data from a child, we delete it.
The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us at privacy@boringsec.com. If we learn that we have collected personal information from a child, we will take steps to delete that information.
Changes to This Privacy Policy
We update this page when needed and bump the date. For material changes we email account holders.
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated Privacy Policy on this page and updating the "Last updated" date. For significant changes, we may also send you an email notification. Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.
Contact Us
privacy@boringsec.com for privacy questions or DSARs. support@boringsec.com for everything else.
If you have any questions about this Privacy Policy or our data practices, please contact us: