Legal

Privacy Policy

Last updated: July 7, 2026

1. Overview

This Privacy Policy explains what data Igris Radar ("we", "us", "our") collects when you use our website, dashboard, and audit tools (the "Service"), how we use it, and the choices you have. By using the Service, you agree to the practices described here.

2. Data we collect

Account data

When you sign up, we store your name, email address, and a bcrypt-hashed password. We never store your plaintext password, and it is never returned by our API.

Audit and scan data

When you run a scan, we store the target URL, the findings and scores our engines generate, and a timestamped scan history tied to your account so you can track progress over time.

Usage and device data

We automatically log request metadata such as IP address, user agent, and timestamps for security, rate-limiting, and abuse-prevention purposes (see Section 5).

Payment data

Paid plans are processed by Stripe. We do not store your card number; Stripe handles payment data under its own privacy policy.

3. How we use your data

  • To operate the Service — running audits, storing results, and rendering your dashboard.
  • To authenticate you and keep your account secure via session cookies.
  • To enforce plan limits (scan counts, tracked sites) tied to your account.
  • To send account, security, and billing emails (e.g. login alerts, password changes, scan-complete notifications).
  • To detect and prevent abuse, fraud, and security incidents.
  • To improve the accuracy of our audit engines and scoring methodology.

4. Cookies and sessions

We use a single HttpOnly session cookie (provenance_session) to keep you signed in. It is set server-side, cannot be read by client-side JavaScript, and is cleared when you log out. We do not use third-party advertising or tracking cookies.

A small amount of non-sensitive state (such as whether you've completed onboarding) is kept in your browser's local storage to avoid redundant server calls; no credentials or personal data are stored there.

5. Third-party services

Running an audit may send the target URL (never your account credentials) to third-party providers we use to power specific checks, including:

  • Google (Custom Search, PageSpeed) — for SEO and site-health signals.
  • Google Gemini, OpenAI, and Anthropic — for AI-driven deep analysis and AEO/GEO citation testing, where enabled.
  • Perplexity — for answer-engine citation checks.
  • Stripe — for billing and subscription management.
  • Our email delivery provider (SMTP or Resend) — for transactional email.

Each provider processes data under its own privacy policy and only receives the minimum information necessary to perform the specific check you requested.

6. Data retention

We retain account and scan data for as long as your account is active, so you can view historical trends. If you delete your account from Settings, we delete your account record and associated personal data within a reasonable period, except where we are required to retain limited records (e.g. billing records) for legal or accounting purposes.

7. How we protect your data

  • Passwords are hashed with bcrypt (12 rounds) — never stored or logged in plaintext.
  • Sessions are carried in HttpOnly, SameSite cookies, inaccessible to page scripts.
  • All production traffic is served over HTTPS.
  • Access to production data is limited to personnel who need it to operate the Service.
  • We apply rate limiting and request-size limits to reduce abuse and denial-of-service risk.

8. Your rights and choices

Depending on your location, you may have the right to:

  • Access, correct, or export the personal data we hold about you.
  • Delete your account and associated personal data from Settings at any time.
  • Object to or restrict certain processing, or withdraw consent where processing relies on it.
  • Lodge a complaint with your local data protection authority.

To exercise any of these rights, email support@igrisecurity.com and we will respond within a reasonable timeframe.

9. Children's privacy

The Service is not directed at individuals under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

10. International data transfers

We and the third-party providers listed in Section 5 may process data in countries other than your own. Where required, we rely on appropriate safeguards (such as standard contractual clauses) to protect data transferred internationally.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last updated" date below, and where appropriate, by notifying you via email or an in-product notice.

12. Contact

Questions about this Privacy Policy can be sent to support@igrisecurity.com or via our contact page.

See also our Terms of Service.