Privacy Policy

1. Overview

This Privacy Policy explains how misconfigs (“we,” “us,” or “our”) collects, uses, and protects information when you use our website, scanners, and API (the “Service”). By using the Service, you agree to the practices described here.

2. Information we collect

Account information

When you sign in with Google or GitHub, we receive your name, email address, profile picture, and account identifier from that provider. We store this to authenticate you and manage your account.

Uploaded files

When you run a scan, you upload configuration files or archives. These are written to temporary storage on our servers, analyzed, and typically deleted shortly after processing completes (usually within seconds to minutes). We do not retain raw upload contents in a long-term file archive separate from scan results.

Scan results & history

For signed-in users, we store scan metadata and result payloads (findings, severity counts, attack paths, and related summaries) in your account scan history so you can review past scans, download exports, and use comparison features. Anonymous or unauthenticated scans are not saved to your account history.

Usage & billing records

We record scan type (manual UI vs API), product, scanner slug, timestamps, and aggregate counts for quota enforcement, billing, analytics, and abuse prevention.

Payment information

Subscriptions are processed by Stripe. We receive your Stripe customer ID, subscription status, and plan tier — not your full payment card number. Stripe’s handling of payment data is governed by Stripe’s Privacy Policy.

Technical data

We may collect standard server logs (IP address, browser type, request timestamps) for security, debugging, and abuse prevention. Session cookies keep you signed in.

Contact form

If you use our contact form, we receive your name, email address, and message so we can respond. Messages are emailed to us via Resend and are used only to handle your inquiry.

3. How we use information

• Provide, operate, and improve the Service
• Authenticate users and enforce scan quotas
• Store scan history and exports you request
• Process subscriptions and send billing-related communications
• Detect abuse, fraud, and security incidents
• Comply with legal obligations

We do not sell your personal information. We do not use uploaded configs to train our own machine learning models. Optional AI features (see Section 6) send selected data to Google Gemini as described below; that processing is governed by Google’s terms and policies as well as this Policy.

4. Sensitive content in uploads

Configuration files may inadvertently contain secrets, credentials, or personal data. You are responsible for redacting sensitive values before upload where possible. Our scanners may flag exposed secrets as findings. Treat reports and scan history as confidential if they contain such material.

5. Third-party services

We use third-party services to operate the Service. They process data on our behalf under their own privacy policies and our agreements with them. We may add or change providers over time.

• Google — OAuth sign-in (Google Privacy Policy)
• GitHub — OAuth sign-in and optional repository integration (GitHub Privacy Statement)
• Stripe — payment processing (Stripe Privacy Policy)
• Resend — transactional email (Resend Privacy Policy)
• Google Gemini — optional scan assistant and finding explanations (Gemini API Terms, Google Privacy Policy). See Section 6.
• Cloud infrastructure providers — hosting, networking, and database services (e.g. Google Cloud) that process data on our behalf under contractual safeguards

Other third-party applications or services may be used for analytics, support, security, or product features. When we integrate a new provider that materially affects how your data is handled, we will update this policy.

We are not responsible for the privacy practices, security, availability, or actions of third-party providers. Your relationship with those providers is governed by their policies.

6. AI assistant & generative AI

When you use the scan assistant, Explain on a finding, or related AI features, we send data to Google Gemini (Google’s generative AI API) to produce responses. This is optional — core scanning does not require AI.

What we send to Gemini

• Your chat messages and prompts
• Finding and scan context (e.g. titles, severities, rule IDs, file paths, line numbers, impact text, suggested fixes)
• Attack paths, intent gaps, and scan history summaries shown in the assistant panel
• High-level account and product context (e.g. plan name, usage counts) to answer billing or how-to questions
• Summaries of our Terms and Privacy — not the full legal text

Do not paste passwords, API keys, tokens, or other secrets into the assistant. Finding context may already include sensitive file paths or configuration excerpts from your scans.

What we do not do

• We do not use your uploads or chats to train misconfigs-owned models
• We do not guarantee that Google will not use API data per its own policies — review Gemini API Terms and Google’s Privacy Policy

Retention

Assistant conversations are processed in real time. We do not maintain a permanent chat log in our database for general product use. Standard server logs may briefly record request metadata for security and abuse prevention.

Accuracy & privacy risks

AI responses can be wrong, outdated, or misleading — including about your findings, our pricing, or legal obligations. They are not a substitute for reading our official Terms, Privacy Policy, and other published pages. You use AI features at your own risk.

7. Cookies & sessions

We use essential session cookies to maintain your login state. These are required for the Service to function and are not used for cross-site advertising.

8. Data retention

• Uploaded files: deleted after scan processing (typically seconds to minutes)
• Scan history: retained while your account is active unless you delete scans or close your account
• Account data: retained while your account is active
• Usage/billing records: retained as needed for quotas, tax, and legal compliance
• Server logs: rotated on a limited schedule

You may request deletion of your account and associated scan history by contacting misconfigs@gmail.com.

9. Security

We implement reasonable technical and organizational measures to protect data. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

10. Your rights

Depending on your location, you may have rights to access, correct, delete, or export personal data, or to object to certain processing. To exercise these rights, contact us at misconfigs@gmail.com. California residents may have additional rights under the CCPA; we do not sell personal information as defined by that law.

11. International users

The Service is operated from the United States. If you access the Service from other regions, your information may be transferred to and processed in the U.S.

12. Children

The Service is not directed to individuals under 18. We do not knowingly collect data from children.

13. Changes

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated date.

14. Contact

Privacy questions: misconfigs@gmail.com