Privacy Policy

Last updated: December 29, 2024

1. Introduction

Nordic Expert Group Ltd ("Company", "we", "us", or "our") operates the BoringSec platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We are committed to protecting your privacy and handling your data transparently and responsibly. Please read this Privacy Policy carefully. By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

2.1 Information You Provide

We collect information you voluntarily provide when using our Service:

  • Account Information: Name, email address, and authentication data (when you sign up via email or third-party providers like Google or GitHub)
  • Profile Information: Optional profile details you choose to provide
  • Payment Information: Billing address and payment method details (processed securely by our payment provider, Stripe)
  • Scan Data: Domain names and URLs you submit for security scanning
  • Communications: Messages you send to us for support or feedback

2.2 Information Collected Automatically

When you access our Service, we automatically collect certain information:

  • Device Information: Browser type, operating system, device identifiers
  • Usage Data: Pages visited, features used, time spent on the Service
  • Log Data: IP address, access times, referring URLs, error logs
  • Cookies and Similar Technologies: See Section 6 for details

2.3 Scan Result Data

When you perform security scans, we collect and store the scan results, which may include: HTTP headers, SSL/TLS certificate details, DNS records, and other publicly available technical information about the scanned domains. This data is necessary to provide the Service and generate security reports.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide the Service: Process scans, generate reports, and deliver security analysis
  • Account Management: Create and manage your account, authenticate users, and process payments
  • Communication: Send service notifications, security alerts, and respond to your inquiries
  • Improvement: Analyze usage patterns to improve and optimize the Service
  • Security: Detect, prevent, and address technical issues, fraud, and abuse
  • Legal Compliance: Comply with applicable laws, regulations, and legal processes
  • Marketing: Send promotional communications (with your consent, where required)

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

  • Service Providers: With trusted third-party providers who assist us in operating the Service (e.g., hosting, payment processing, analytics). These providers are contractually bound to protect your data.
  • Legal Requirements: When required by law, regulation, legal process, or governmental request
  • Protection of Rights: To protect our rights, privacy, safety, or property, and that of our users and the public
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, with appropriate confidentiality protections
  • With Your Consent: When you explicitly authorize us to share your information

4.1 Third-Party Service Providers

We use the following specific service providers:

Provider (Purpose): Data Location

  • Vercel (Hosting & Infrastructure): USA, EU
  • Supabase (PostgreSQL) (Database): EU (Frankfurt)
  • Stripe (Payment Processing): USA, EU
  • Google (Auth) (Authentication): USA
  • GitHub (Auth) (Authentication): USA
  • Google Ads (Advertising & Conversion Tracking): USA

Analytics and advertising services only process your data if you consent via our cookie banner.

5. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy. Specifically:

  • Account Data: Retained while your account is active and for a reasonable period after account deletion for legal and business purposes
  • Scan Results: Retained according to your subscription plan and account preferences
  • Usage Logs: Generally retained for up to 12 months
  • Payment Records: Retained as required for tax and legal compliance

You may request deletion of your data by contacting us. We will delete or anonymize your data within a reasonable timeframe, except where retention is required by law.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience:

  • Essential Cookies: Required for the Service to function properly (authentication, security, preferences)
  • Analytics Cookies: Help us understand how users interact with the Service to improve functionality
  • Preference Cookies: Remember your settings and preferences

You can control cookie settings through your browser. Disabling certain cookies may affect the functionality of the Service.

7. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Secure authentication mechanisms
  • Regular security assessments and monitoring
  • Access controls and audit logging
  • Secure software development practices

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

8. Your Privacy Rights (GDPR Articles 15-22)

Under GDPR and similar privacy laws, you have the following rights regarding your personal data:

Right to Access (Article 15)

Request a copy of all personal data we hold about you, including scan results, account information, and usage data.

How to exercise: Email privacy@boringsec.com with subject "Data Access Request"

Right to Rectification (Article 16)

Request correction of inaccurate or incomplete personal data.

How to exercise: Update via account settings or email privacy@boringsec.com

Right to Erasure / "Right to be Forgotten" (Article 17)

Request deletion of your account and all associated data. We will delete your data within 30 days, except where retention is required by law.

How to exercise: Email privacy@boringsec.com with subject "Account Deletion Request"

Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format (JSON/CSV) for transfer to another service.

How to exercise: Email privacy@boringsec.com with subject "Data Export Request"

Right to Object (Article 21)

Object to processing based on legitimate interests. You can opt out of marketing communications at any time.

How to exercise: Click "Unsubscribe" in emails or manage cookie preferences

Right to Withdraw Consent (Article 7)

Withdraw consent for optional data processing (marketing cookies) at any time without affecting prior processing.

How to exercise: Clear cookies or use our cookie settings panel

Response Time

We will respond to your request within 30 days as required by GDPR. If we need more time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.

For all requests, contact us at privacy@boringsec.com. We may verify your identity before processing your request.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.

9.1 Data Transfers to the United States

Some of our service providers are located in the United States, which is not considered to have an adequate level of data protection under EU law. Specifically:

  • Google Ads: If you consent to marketing cookies, conversion tracking data is processed in the USA by Google LLC.
  • Vercel: Our hosting provider processes request logs in the USA (with EU edge locations).
  • Stripe: Payment processing may involve USA data centers.
  • Authentication: Google and GitHub OAuth use USA servers.

9.2 Safeguards We Use

When we transfer your data internationally, we implement appropriate safeguards:

  • Standard Contractual Clauses (SCCs): EU-approved contractual clauses that bind service providers to protect your data
  • Data Processing Agreements: Contracts ensuring GDPR-compliant data handling
  • Consent: For optional services like marketing cookies, we obtain your explicit consent before any data transfer
  • Data Minimization: We only transfer data necessary for the specific service

10. European Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply:

Legal Basis for Processing: We process your personal data based on:

  • Contract: Processing necessary for the performance of our contract with you (providing the Service)
  • Legitimate Interests: Processing necessary for our legitimate business interests (improving the Service, preventing fraud)
  • Consent: Processing based on your explicit consent (marketing communications)
  • Legal Obligation: Processing necessary to comply with legal requirements

You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

11. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected
  • Right to Delete: Request deletion of your personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

We do not sell personal information as defined under the CCPA.

12. Children's Privacy

The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us at privacy@boringsec.com. If we learn that we have collected personal information from a child, we will take steps to delete that information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated Privacy Policy on this page and updating the "Last updated" date. For significant changes, we may also send you an email notification. Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Nordic Expert Group Ltd

Privacy inquiries: privacy@boringsec.com

General support: support@boringsec.com