Introduction
Orbitwise Ltd runs BoringSec. This page tells you what we do with your data — in plain English on the left, in the binding legal text below.
Orbitwise Ltd ("Company", "we", "us", or "our") operates the BoringSec platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
We are committed to protecting your privacy and handling your data transparently and responsibly. By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
If you do not agree, please do not access or use the Service.
Information We Collect
Three buckets: what you give us (account, payments, the URL you scan), what your browser tells us automatically (logs, cookies), and the public scan data we generate from those URLs.
2.1 Information You Provide
We collect information you voluntarily provide when using our Service:
- Account Information: Name, email, and authentication data (email or third-party providers like Google or GitHub).
- Profile Information: Optional profile details you choose to provide.
- Payment Information: Billing address and payment method details (processed securely by Stripe).
- Scan Data: Domain names and URLs you submit for security scanning.
- Communications: Messages you send for support or feedback.
2.2 Information Collected Automatically
When you access our Service, we automatically collect:
- Device Information: Browser type, operating system, device identifiers.
- Usage Data: Pages visited, features used, time spent on the Service.
- Log Data: IP address, access times, referring URLs, error logs.
- Cookies and Similar Technologies: See Section 6.
2.3 Anonymous Purchase Data
When you purchase a single report without registering, we create a minimal account record with your email so we can deliver the report and validate access. You can request deletion at any time via support@boringsec.com.
Data we store for anonymous purchases:
- Email address (for delivery)
- Stripe customer/payment IDs (for refund processing)
- Purchase metadata (which report, package type, timestamp)
We do not store payment card details — those are handled exclusively by Stripe.
2.4 Scan Result Data
When you perform security scans, we collect and store the scan results, which may include HTTP headers, SSL/TLS certificate details, DNS records, and other publicly available technical information about the scanned domains. This data is necessary to provide the Service and generate security reports.
How We Use Your Information
We use your data to run the product, talk to you about your account, prevent abuse, and (only with your consent) send promotional emails. Nothing else.
We use the information we collect for the following purposes:
- Provide the Service: Process scans, generate reports, deliver security analysis.
- Account Management: Create and manage your account, authenticate users, process payments.
- Communication: Send service notifications, security alerts, respond to inquiries.
- Improvement: Analyze usage patterns to improve the Service.
- Security: Detect, prevent, and address technical issues, fraud, and abuse.
- Legal Compliance: Comply with applicable laws, regulations, and legal processes.
- Marketing: Send promotional communications (with consent, where required).
Data Retention
We keep data only as long as needed. Account data while your account exists; usage logs ≤ 12 months; payment records as long as tax law requires. Email us to delete sooner.
We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy. Specifically:
- Account Data: Retained while your account is active and for a reasonable period after account deletion for legal and business purposes.
- Scan Results: Retained according to your subscription plan and account preferences.
- Usage Logs: Generally retained for up to 12 months.
- Payment Records: Retained as required for tax and legal compliance.
You may request deletion of your data by contacting us. We will delete or anonymize your data within a reasonable timeframe, except where retention is required by law.
Data Security
TLS in transit, encryption at rest, audit logs, secure auth. Standard practice — but no system is 100% breach-proof.
We implement appropriate technical and organizational measures to protect your information, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure authentication mechanisms
- Regular security assessments and monitoring
- Access controls and audit logging
- Secure software development practices
While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.
Your Privacy Rights (GDPR Articles 15–22)
You can ask for a copy of your data, correct it, delete it, or take it elsewhere. We respond within 30 days. Email privacy@boringsec.com to start any request.
Under GDPR and similar privacy laws, you have the following rights regarding your personal data:
- Request a copy of all personal data we hold — scan results, account info, usage data.
- Correct inaccurate or incomplete personal data we have on file.
- "Right to be Forgotten" — deletion of your account and data within 30 days, except where law requires retention.
- Receive your data in a machine-readable format (JSON / CSV) for transfer to another service.
- Object to processing based on legitimate interests. Opt out of marketing emails any time.
- Withdraw consent for optional processing (marketing cookies). Doesn't affect prior processing.
We respond within 30 days as required by GDPR. For complex requests, we may extend up to 60 additional days, and will inform you within the initial 30-day period.
For all requests, contact us at privacy@boringsec.com. We may verify your identity before processing your request.
International Data Transfers
Some of our infrastructure (Vercel, Stripe, Google/GitHub OAuth) runs partly in the US. We use Standard Contractual Clauses and minimize transferred data.
Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.
9.1 Data Transfers to the United States
Some of our service providers are located in the United States, which is not considered to have an adequate level of data protection under EU law. Specifically:
- Google Ads: If you consent to marketing cookies, conversion tracking is processed in the USA by Google LLC.
- Vercel: Our hosting provider processes request logs in the USA (with EU edge locations).
- Stripe: Payment processing may involve USA data centers.
- Authentication: Google and GitHub OAuth use USA servers.
9.2 Safeguards We Use
When we transfer your data internationally, we implement appropriate safeguards:
- Standard Contractual Clauses (SCCs): EU-approved contractual clauses binding service providers to protect your data.
- Data Processing Agreements: Contracts ensuring GDPR-compliant data handling.
- Consent: For optional services like marketing cookies, we obtain your explicit consent first.
- Data Minimization: We only transfer data necessary for the specific service.
European Users (GDPR)
If you are in the EEA, UK, or Switzerland, you get full GDPR rights — and you can complain to your local data protection authority if anything looks wrong.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply.
Legal Basis for Processing: We process your personal data based on:
- Contract: Processing necessary for performance of our contract with you (providing the Service).
- Legitimate Interests: Improving the Service, preventing fraud.
- Consent: Marketing communications and optional cookies.
- Legal Obligation: Compliance with legal requirements.
You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.
California Residents (CCPA)
California residents have the same right to know, delete, and not be discriminated against — and we don't sell personal info under CCPA either.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Disclosure of categories and specific pieces of personal information we have collected.
- Right to Delete: Request deletion of your personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
We do not sell personal information as defined under the CCPA.
Children's Privacy
Service is not for users under 18. If we ever discover we collected data from a child, we delete it.
The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us at privacy@boringsec.com. If we learn that we have collected personal information from a child, we will take steps to delete that information.
Changes to This Privacy Policy
We update this page when needed and bump the date. For material changes we email account holders.
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated Privacy Policy on this page and updating the "Last updated" date. For significant changes, we may also send you an email notification. Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.
Contact Us
privacy@boringsec.com for privacy questions or DSARs. support@boringsec.com for everything else.
If you have any questions about this Privacy Policy or our data practices, please contact us: