Privacy Policy

Version 2026-04-12-v3 · Last updated: April 12, 2026 · v3: ZZPL compliance (Art. 23, 38, 52), controller email, automated decision-making, data breach procedure, legitimate interest, cookie consent V2.

1. Who we are

Web Security Scanner is a free online tool for passive security analysis of websites. The site operator is Toske-Programer. This privacy policy explains in detail what we do with your data, how long we keep it, and how to exercise your rights.

2. What we actually store in our database

Unlike earlier versions of this service that kept data only in memory, the current version stores every scan in our persistent database (PostgreSQL via Supabase) for audit trail, abuse protection, and letting users review their own scans later. The specific data we store:

• The URL you scan and the normalized domain
• The full scan result (JSONB field: grade, score, counts, list of findings, categories)
• Hash of your IP address (SHA-256 with a server-side salt) — NOT the raw IP
• Hash of your User-Agent (SHA-256 with the same salt) — NOT the raw UA
• Optional session_id (browser session from frontend, UUID, never personal)
• Optional fingerprint_hash (canvas/WebGL fingerprint if the frontend passes it)
• Consent version (consent_version) and a flag that you explicitly accepted the Terms of Service
• Timestamps (creation, completion)

Each scan additionally generates 3 to 10 entries in the audit_log table (one per event: scan_request, scan_start, scan_complete, scan_blocked_*, scan_error). The audit_log stores the same pseudonymized identity information plus context in a details JSONB field.

What we do NOT store: names, email addresses (except in two cases — see below), passwords, contents of the scanned site beyond metadata (headers, score), raw IP addresses, raw User-Agent strings, or any history tied to your identity from external sources.

Email exceptions: We store your email address in two contexts:

• Abuse reports — if you voluntarily leave an email when filing an abuse report, we store it so we can reply with the outcome
• Pro subscriptions — if you buy a Pro plan, the email you used at Lemon Squeezy checkout is synced into our subscriptions table so we know which license_key belongs to whom. This email is kept for the duration of the subscription plus a 10-year legal retention period for tax/accounting purposes (Serbian statutory requirement)

3. PII pseudonymization (how the hashing works)

Instead of storing your IP address and User-Agent in their original form, we pass them through a SHA-256 hash function with a secret server-side salt that lives only in our deployment environment and is never written to the database:

ip_hash = SHA-256(your_ip + ":" + server_salt)

Under GDPR Art. 4(5) this qualifies as pseudonymization. The effects:

• If an attacker ever exfiltrates our database, they get hashes, not IP addresses. Without the salt, the hashes cannot be brute-forced (the salt is a 256-bit random string)
• We can still correlate your scans ("how many scans from this IP") because the same IP always produces the same hash
• We cannot enumerate all IP addresses that have ever used the service (hashing is one-way). This is a deliberate limitation to protect your anonymity
• When you request GDPR erasure, you will need to provide us with your IP and an approximate time — we then compute the hash and delete the matching rows. Without that information we cannot reliably identify "your" rows (see section 8)

4. How we use data

• Performing security analysis of the URL you entered
• Storing scan results so you can review them later (without ownership verification you only see basic statistics; with verified ownership you see the full content)
• Rate limiting — protecting the service from abuse (5 scans per 30 minutes per IP hash)
• Audit trail for forensic response to potential abuse
• Letting the owner of a scanned site file an abuse report and prove which scans affected them
• Displaying ads via Google AdSense

Legal basis for processing (GDPR Art. 6): legitimate interest in forensic audit and service protection, plus the consent you give on every scan through the checkbox before starting the analysis.

5. Retention — how long we keep what

Each table in our database has its own retention period, automated via daily pg_cron jobs:

• scans (scan results): retained until the user requests deletion or until a bulk cleanup is initiated by the operator. No automatic deletion.
• audit_log (forensic trail): 90 days for regular entries, then automatic deletion. Flagged entries (linked to an abuse report) are kept indefinitely as legal evidence.
• verified_domains (full-visibility grants): 30 days per (domain, IP hash) combination, then expires.
• verification_tokens (pending challenges): 1 hour for pending, then expires automatically.
• scan_requests (full-scan wizard): stores only created_date as DATE (NOT timestamp) — privacy-by-design, cannot reveal the exact time you clicked consent. Wizards not executed within 24 hours are auto-deleted by cron. Completed wizards keep only state-machine flags (consent given: yes/no, verify passed: yes/no) without any timestamp.
• rate_limits: rolling window, auto-pruned when the interval passes.
• abuse_reports: indefinitely, as legal evidence, unless the reporter withdraws the report.
• Backups: daily encrypted backups are stored on Cloudflare R2 for 90 days per the R2 lifecycle rule. Backup metadata is kept 180 days.

6. Data security

This section describes the concrete protections we apply:

• Transport: all data travels over HTTPS (TLS 1.2+) provided by Cloudflare and HF Spaces
• Encryption at rest: Supabase provides AES-256 disk-level encryption for the entire database
• Row-Level Security: every table has RLS enabled with a default-deny policy. The public anon key sees nothing — all reads and writes go through the service_role key which is backend-only
• Append-only audit_log: UPDATE and DELETE are revoked even for service_role. The audit history is intentionally impossible to rewrite from the application — it requires an explicit database migration
• PII pseudonymization: all personal information (IP, UA) is hashed with a server-side salt before being written (see section 3)
• Backup encryption: daily backups are AES-256-GCM encrypted before upload to Cloudflare R2. The decryption key exists only in our password manager and Supabase Vault
• Offsite storage: backups are on R2 (Cloudflare), a separate provider from the primary database — data loss due to a Supabase incident does not wipe out the backups
• Tested recovery: we test restore from backup on an isolated staging project quarterly to prove the backups actually work (not just that they are being created)

7. Cookies, advertising, and third parties

We use a granular cookie consent system (GDPR/ePrivacy compliant) with three categories:

• Essential (always active, cannot be disabled): cookie_consent_v2 (localStorage — your consent choice), wss-lang (language preference), scan session ID
• Analytics (optional): Google Analytics (_ga, _gid) — duration up to 2 years. These cookies are NOT set until you explicitly approve them
• Advertising (optional): Google AdSense (_gcl_*, IDE, NID, DSID, FLC, AID, TAID) — third party: Google LLC, duration up to 2 years. These cookies are NOT set until you explicitly approve them

The AdSense script does not load until you click "Accept All" or "Save Choices" with the advertising category checked. If you reject, no tracking cookies are set and no data is sent to Google.

You can change your decision at any time by clicking "Cookie Settings" in the footer of any page. More information at Google Ads Policy.

We use the following third-party services:

• Supabase (EU region) — primary PostgreSQL database + Edge Functions + Vault
• Cloudflare R2 — offsite backup storage (encrypted)
• Hugging Face Spaces — backend API hosting
• Vercel — frontend hosting
• Google AdSense — ad display
• Google Fonts — font loading
• Lemon Squeezy (USA, Merchant of Record) — payment processing for Pro subscriptions. If you buy a Pro plan, your card and personal payment information goes directly to Lemon Squeezy, not to us. From them we receive only: email address, amount, subscription status, and license_key. Lemon Squeezy is incorporated in Delaware (USA) and acts as the legal seller on our behalf — they issue invoices, calculate VAT in 100+ countries, and handle chargebacks. Their privacy policy: lemonsqueezy.com/privacy

Note on data transfer to the USA: Lemon Squeezy is the only provider in our stack outside the EU. They declare GDPR compliance and rely on Standard Contractual Clauses (SCCs) as the legal basis for EU-to-US data transfers. If you prefer that your data not pass through the USA, do not purchase a Pro plan — the free tier remains entirely EU-only.

All other providers are chosen to primarily store data in the EU/EEA region. If you have specific questions about data transfers, contact us.

8. Your rights under GDPR

If you are located in the European Economic Area, you have the following rights:

• Art. 15 — right of access: to request a copy of the data we hold about you
• Art. 16 — right to rectification of inaccurate data
• Art. 17 — right to erasure: the "right to be forgotten"
• Art. 18 — right to restriction of processing
• Art. 20 — right to data portability
• Art. 21 — right to object to processing based on legitimate interest
• Right to file a complaint with the data protection authority in your country

How to exercise your rights: because we store only pseudonymized (hashed) identifiers, we cannot identify "your" rows in the database without your help. To submit a request, contact us and provide:

• The IP address you used at the time of scanning
• An approximate time (day and hour)
• Optionally, the domain you scanned, if you remember

With that information we can compute your hash and find matching rows in the scans and audit_log tables. Deletion is performed within 30 days of receiving the request (GDPR Art. 12). Note about audit_log: the audit log is intentionally append-only and retained for 90 days as a forensic trail under the legal basis of legitimate interest (GDPR Art. 6(1)(f) — documenting potential security incidents). Your entries will not be physically deleted from audit_log but will be marked as "excluded from operational statistics" and will in any case be automatically pruned after 90 days unless flagged.

9. Rights of scanned site owners (abuse report)

If you are the owner of a domain that someone has scanned through our service without your permission, you can file a report via the "Report abuse" link in the footer or directly at ./index.html#abuse. We review every report within 72 hours. If we confirm abuse:

• We add your domain to the block list — all future scans of that domain will be refused with HTTP 403
• Related audit_log entries are flagged as legal evidence and retained indefinitely (instead of 90 days)
• If you left an email, we notify you of the outcome

For more details on how the terms of service and ownership verification work, see the Terms of Service.

10. Policy changes, children, and contact

Current policy version: 2026-04-12-v3 — this is the same version recorded in the system when you run a scan. We reserve the right to update this policy. The version changes with each update and every new scan will ask you to confirm the current version. Your prior consents remain valid in the audit_log but do not retroactively apply to new terms.

Children: this service is not intended for persons under 16 years of age. We do not knowingly collect data from minors. If we learn that a minor has involuntarily submitted data, we delete it.

Controller contact (Art. 23 ZZPL):

• General inquiries: kontakt@gradovi.rs
• Security vulnerabilities: security@gradovi.rs
• Abuse reports: abuse@gradovi.rs or online form
• Pro plan and refunds: pro@gradovi.rs
• Response time: within 30 days of receiving the request (Art. 21 ZZPL / GDPR Art. 12)

11. Automated decision-making (Art. 38 ZZPL)

This service does NOT use automated decision-making that produces legal effects or significantly affects the user. Scanning is a technical analysis that does not make decisions about users. The risk score (A-F grade) is an informational tool, not an automated decision.

12. Legal basis — legitimate interest (Art. 12(1)(6) ZZPL)

The legal basis for processing data in the audit_log table is the controller's legitimate interest in:

• Forensic audit — protecting the service from abuse
• Legal defense — proving that the user gave consent before scanning
• Security — detecting malicious patterns (mass-scanning, SSRF attempts)

Assessment: the controller's interest (protecting a free service from abuse) outweighs the rights of data subjects because only pseudonymized data is processed (SHA-256 hash of IP and User-Agent), never raw data. Users have the right to object to this processing (Art. 37 ZZPL) via the email above.

13. Personal data breach (Art. 52 ZZPL)

In the event of a personal data breach, the controller will:

• Notify the Commissioner within 72 hours of becoming aware of the breach
• Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights
• Document every breach in an internal register

Commissioner contact: poverenik.rs

14. Privacy policy version history

Each version is permanently recorded in the audit_log table — the consent you gave applies to the version that was active at that moment.