
Privacy Policy.

Last updated: 2026-04-11 · Version 1.0
◆ NOTE

Mythoscan is GDPR-compliant by design. All customer data is stored in France (Paris, eu-west-3) and never leaves the European Union.

01 Who we are

This website is operated by Mythoscan, an individual business (auto-entrepreneur) registered in France. You can reach us at hello@mythoscansec.com. For all data protection matters under the GDPR (Regulation (EU) 2016/679), you are dealing with the same contact.

02 What we collect

We collect only what we need to deliver the Service:

  • Account data: email, hashed password, agency name, optional logo and brand color.
  • Scan data: the domain names you submit, the raw technical results returned by our scanner modules, and the derived issue list.
  • Billing data: managed by Stripe. We store only a Stripe customer ID and subscription status — never your card number.
  • Technical data: IP address, timestamp, and user agent for security logs and abuse prevention. Kept for 12 months maximum.

We do not use behavioral advertising cookies. No Google Analytics, no Meta Pixel, no third-party session replay.

03 Why we process your data

  • To provide the Service: running scans, storing results, generating reports, sending alerts. (Legal basis: contractual necessity.)
  • To bill you: processing subscription payments through Stripe. (Legal basis: contractual necessity.)
  • To improve security: keeping abuse logs, detecting fraudulent use, enforcing our Acceptable Use Policy. (Legal basis: legitimate interest.)
  • To communicate: sending essential service emails (alerts, invoices, password resets). Marketing emails only with explicit opt-in.

04 Who has access

We share data only with technical sub-processors strictly required to run the Service:

  • Supabase (EU, Paris): authentication, database, file storage.
  • Vercel (EU edge): frontend hosting.
  • Railway (EU, Amsterdam): backend worker hosting.
  • Stripe Payments Europe (Ireland): billing and invoicing.
  • Resend (EU): transactional email delivery.
  • Inngest (US, SOC-2 compliant): job queue and cron scheduling. Only event metadata is transmitted, never personal data.

We never sell, rent, or disclose your data to third parties for marketing or analytics purposes. We will only disclose data when legally compelled by a court order or a validly issued judicial request.

05 Where your data lives

All primary storage is located in the European Union. The Supabase project is provisioned in the eu-west-3 AWS region (Paris). Customer data never transits to non-EU regions during normal operation.

06 How long we keep it

  • Active accounts: for as long as you have a subscription.
  • Cancelled accounts: 30 days to allow restoration or export, then fully deleted.
  • Invoices: 10 years as required by French tax law.
  • Security logs: 12 months maximum.

07 Your rights under the GDPR

You have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request erasure (“right to be forgotten”).
  • Export your data in a portable format (JSON).
  • Object to processing based on legitimate interest.
  • Lodge a complaint with the French data protection authority (CNIL — cnil.fr) or your local regulator.

To exercise any of these rights, email us at privacy@mythoscansec.com. We respond within 30 days.

08 Cookies

We use only strictly-necessary cookies: session cookies for authentication and a CSRF token. No tracking, no analytics, no advertising. See our Terms of Service for details on third-party processors.

09 Security

Passwords are stored using bcrypt hashing. Database access is gated by Supabase Row-Level Security, ensuring each organization only ever sees its own data. All traffic is encrypted in transit (TLS 1.3). Backups are encrypted at rest.

10 Changes to this policy

We may update this Privacy Policy to reflect changes in the Service or applicable law. Material changes will be notified by email at least 30 days before taking effect. The “last updated” date at the top of this page is always authoritative.

11 Contact

Privacy questions or GDPR requests? privacy@mythoscansec.com.

© 2026 MYTHOSCAN · ALL RIGHTS RESERVED · v0.1 · PHASE 0