Privacy Policy

We do not collect passwords, government-issued identifiers, or any personal data beyond what is listed above. We do not require account creation to use the Service.

We process your data under the following legal bases:

• Contract performance: Processing your Target URL, email address, and scan results is necessary to perform the service you requested when submitting a scan.
• Legitimate interest: We process IP addresses and bot verification data to prevent abuse of the Service, detect unauthorized usage, and maintain platform security and integrity.
• Legal obligation: We may process and retain data as required to comply with applicable laws, respond to valid legal process, or cooperate with law enforcement investigations (see Section 9).
• Consent: By submitting a scan request and accepting our Terms of Service, you consent to the collection and processing of data as described in this Privacy Policy.

We use the information we collect solely for the following purposes:

• To perform automated vulnerability scans against the Target URL you submitted
• To generate a PDF report and deliver it to your email address
• To make your report available via a unique, non-guessable shareable link
• To detect, prevent, and investigate abuse, fraud, and unauthorized use of the Service
• To comply with legal obligations and respond to lawful requests from authorities
• To maintain, protect, and improve the security and reliability of the Service

We do not use your data for advertising, user profiling, behavioral tracking, or any purpose beyond delivering and protecting the Service.

We do not sell, rent, or trade your personal data. We share data only as strictly necessary to operate the Service:

• Email delivery provider: Receives your email address and the PDF report attachment solely for the purpose of delivering your scan report.
• Bot prevention provider: Processes browser signals and IP address to verify that scan requests originate from humans, not automated bots.
• Payment processor: For paid scan tiers, processes payment card data directly. We do not receive, access, or store your card details.
• Infrastructure providers: Cloud hosting and database services process your data on our behalf under confidentiality and data processing agreements.
• Public data sources: Your Target URL may be passively queried against public security databases and threat intelligence feeds as part of the scanning process. We do not share your email address, IP address, or any personal details with these sources.
• Law enforcement and legal process: We may disclose data as described in Section 9 of this Privacy Policy and Section 8 of our Terms of Service.

All third-party service providers are selected based on their security practices and are contractually bound to process your data only for the purposes we specify.

The Service is operated from infrastructure located in multiple regions. Your data may be processed in jurisdictions outside your country of residence, including the United States and European Union.

Where data is transferred across borders, we rely on appropriate safeguards such as standard contractual clauses, data processing agreements, or the adequacy decisions of relevant data protection authorities to ensure your data receives an equivalent level of protection.

By using the Service, you acknowledge and consent to the transfer and processing of your data in these jurisdictions.

We do not use tracking cookies, advertising pixels, or analytics services that profile individual users.

We use only the following technologies:

• Session cookies: Essential cookies required for the Service to function. These are temporary and are deleted when you close your browser.
• Bot verification: Our bot prevention system may use cookies and JavaScript-based browser analysis to distinguish legitimate users from automated abuse. This data is processed in real time and is not used for tracking or profiling.

We do not use any third-party analytics, remarketing, or advertising technologies.

We implement technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS) and at rest
• Access controls restricting data to authorized systems and processes only
• Unique, non-guessable identifiers (UUIDs) for report access links
• Automated data deletion at the end of the retention period
• Regular review of security practices and infrastructure configuration

While we strive to protect your data using industry-standard practices, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your information.

In the event of a data breach that poses a risk to your rights, we will notify affected individuals and relevant data protection authorities as required by applicable law, without undue delay.

We retain your data only for as long as necessary to fulfill the purposes described in this Privacy Policy:

• Scan data (Target URL, email, scan results, reports): 90 days from the date of the scan, then automatically deleted
• Server logs (IP addresses): 30 days, then automatically deleted
• Bot verification data: Session duration only, not persisted

You may request early deletion of your data at any time by contacting us (see Section 12).

Legal hold exception: If we receive a valid legal request to preserve data (such as a litigation hold, law enforcement preservation request, or court order), we may retain relevant data beyond the standard retention period as required by law. We will notify you of such retention where legally permitted to do so.

As described in Section 8 of our Terms of Service, C metrics will fully cooperate with law enforcement agencies, regulatory bodies, and judicial authorities investigating suspected abuse, unauthorized scanning, or illegal activity facilitated through the Service.

We may disclose your information, including email address, IP address, Target URLs, scan results, and associated metadata, in the following circumstances:

• In response to valid legal process, including subpoenas, court orders, and search warrants
• At the request of law enforcement agencies investigating suspected criminal activity
• To protect the rights, property, or safety of C metrics, our users, or the public
• As otherwise required by applicable law or regulation

Where legally permitted, we will make reasonable efforts to notify you before disclosing your data in response to legal process.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Under GDPR (EU/EEA/UK residents):

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate data
• Right to erasure: Request deletion of your data before the automatic retention period expires
• Right to restrict processing: Request that we limit how we use your data
• Right to data portability: Request your data in a structured, machine-readable format
• Right to object: Object to processing based on legitimate interest
• Right to withdraw consent: Withdraw your consent at any time, without affecting the lawfulness of prior processing

Under CCPA (California residents):

• Right to know: Request disclosure of the categories and specific pieces of personal information collected
• Right to delete: Request deletion of your personal information
• Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
• Right to opt out of sale: We do not sell personal information. No opt-out is necessary.

To exercise any of these rights, contact us at hello@cmetrics.info. We will respond to verified requests within 30 days, or as required by applicable law.

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe that a child has submitted data to us, please contact us immediately and we will delete the data promptly.

We may update this Privacy Policy as the Service evolves or as required by changes in applicable law. The “Last updated” date at the top of this page reflects the most recent revision.

Continued use of the Service after changes are posted constitutes your acceptance of the revised Privacy Policy. We encourage you to review this page periodically. For material changes, we will update the revision date prominently.

Questions, concerns, or requests regarding your data or this Privacy Policy? Contact us at hello@cmetrics.info.

To report a data protection concern or submit a rights request, please include “Privacy Request” in your email subject line so we can prioritize your inquiry.