Legal

Privacy Policy

Last updated: 1 June 2026. We keep this plain and readable — no legal maze.

1. Who we are

PenScan ("we", "us", "our") is an automated penetration testing platform operated at penscan.org and platform.penscan.org. This policy explains how we handle personal data when you use our marketing website or platform.

2. Data we collect

Account information — Name and email address when you register. We use this to create your account and communicate with you.
Scan targets — The domains you add to PenScan. These are stored to enable scanning and are never shared with other users.
Scan results — Vulnerability findings generated by our scanners. These are private to your organisation and not visible to us unless you contact support.
Usage data — Standard server logs including IP address, browser type, and pages visited. Used to maintain service reliability.
Payment data — Processed exclusively by Razorpay. We never store your card details.

3. How we use your data

  • To provide the PenScan platform and run scans on domains you have verified ownership of.
  • To send transactional emails (scan completion, credit purchase receipts, security alerts).
  • To respond to support requests.
  • To maintain and improve platform reliability and security.
  • To comply with legal obligations.

We do not sell your personal data. We do not use your data for advertising. We do not share your scan results with third parties.

4. Data storage & retention

Your data is stored on servers in the European Union. Scan results and account data are retained for as long as your account is active. You may request deletion of your data at any time by emailing hello@penscan.org. We will respond within 30 days.

5. Third-party services

PenScan uses a small number of third-party services to operate:

  • Razorpay — Payment processing. Subject to Razorpay's privacy policy.
  • HackerTarget / AlienVault OTX — Passive DNS data for asset discovery only. No personal data is shared.
  • crt.sh — Certificate transparency log queries for asset discovery only.

6. Your rights

You have the right to access, correct, or delete your personal data. You may also object to or restrict certain processing. To exercise any of these rights, email hello@penscan.org.

7. Cookies

The marketing website (penscan.org) does not use tracking or advertising cookies. The platform (platform.penscan.org) uses a session cookie to keep you logged in. No third-party tracking pixels are used on either domain.

8. Contact

Privacy questions or requests: hello@penscan.org. We aim to respond within 5 business days.