Privacy Policy

Last Updated: January 16, 2026 | Effective Date: January 1, 2024 | Version: 2.1

🔒 Our Commitment: SmartScan is built by security professionals who understand the sensitivity of forensic data. We collect only what's necessary, encrypt everything, and delete data promptly. Your privacy is not just a policy—it's our core value.

1. Who We Are

SECURE PATH LTD ("we", "us", "our") operates the SmartScan forensic spyware detection platform at smartscan.securepath.es.

Detail	Information
Company Name	Secure Path Ltd
Registration	England & Wales
Data Protection Officer	dpo@securepath.biz
ICO Registration	ZB123456 (pending)

2. Data We Collect

2.1 Account Data

When you register, we collect:

Email address - For account identification and communication
Name - For personalization and reports
Organization (optional) - For enterprise features
Password - Stored as bcrypt hash, never in plaintext

2.2 Analysis Data (PCAP Files)

⚠️ Important: PCAP files may contain sensitive network traffic. We analyze them for spyware indicators only. We do NOT access, store, or analyze payload content beyond what's necessary for threat detection.

PCAP/PCAPNG files - Uploaded for analysis
Metadata - File size, upload timestamp, analysis duration
Results - Detected threats, confidence scores, IOCs

2.3 Technical Data

IP address - For security and abuse prevention
Browser/device info - User-Agent for compatibility
Access logs - Timestamps of platform usage

2.4 Data We Do NOT Collect

❌ Payment card details (processed by Stripe)
❌ Social media profiles
❌ Location tracking beyond IP geolocation
❌ Content of communications in PCAP files

3. How We Use Your Data

Purpose	Data Used	Legal Basis
Provide analysis service	PCAP files, account data	Contract performance
Generate forensic reports	Analysis results, metadata	Contract performance
Account management	Email, password hash	Contract performance
Security monitoring	IP, access logs	Legitimate interest
Service improvement	Anonymized usage stats	Legitimate interest
Legal compliance	All relevant data	Legal obligation

4. Legal Basis for Processing (GDPR)

We process your data under the following legal bases:

Contract Performance (Art. 6(1)(b)) - Necessary to provide the service you requested
Legitimate Interest (Art. 6(1)(f)) - Security, fraud prevention, service improvement
Legal Obligation (Art. 6(1)(c)) - Compliance with law enforcement requests, tax records
Consent (Art. 6(1)(a)) - Marketing emails (opt-in only)

5. Data Retention

Data Type	Retention Period	Deletion Method
PCAP files (Free tier)	24 hours after analysis	Secure overwrite (DoD 5220.22-M)
PCAP files (Professional)	30 days (configurable)	Secure overwrite
PCAP files (Enterprise)	90 days (configurable)	Secure overwrite
Analysis reports	1 year or account deletion	Database deletion
Account data	Until account deletion + 30 days	Database deletion
Access logs	90 days	Automatic rotation

🗑️ Immediate Deletion Option: Enterprise customers can request immediate deletion of PCAP files after analysis completion. A deletion certificate is provided for chain of custody documentation.

6. Data Security

We implement industry-leading security measures:

6.1 Encryption

In Transit: TLS 1.3 for all connections
At Rest: AES-256 encryption for stored files
Passwords: bcrypt with cost factor 12

6.2 Infrastructure

ISO 27001 certified data centers (EU)
Air-gapped analysis environments
No third-party cloud storage for PCAP files
Regular penetration testing

6.3 Access Control

Role-based access control (RBAC)
Multi-factor authentication available
Employee access logged and audited
Background checks for all staff

7. Your Rights (GDPR)

Under GDPR, you have the following rights:

Right	Description	How to Exercise
Access	Request a copy of your data	Account settings or email DPO
Rectification	Correct inaccurate data	Account settings
Erasure	Delete your account and data	Account settings or email DPO
Portability	Export your data in machine-readable format	Account settings (JSON export)
Restriction	Limit how we process your data	Email DPO
Objection	Object to processing based on legitimate interest	Email DPO
Withdraw Consent	Withdraw marketing consent anytime	Unsubscribe link or account settings

To exercise your rights, contact: dpo@securepath.biz

We respond within 30 days as required by GDPR.

8. International Data Transfers

Your data is processed in the European Union. If transfer outside the EU is necessary:

We use Standard Contractual Clauses (SCCs)
We verify adequacy decisions where applicable
We apply supplementary measures as per EDPB guidance

9. Cookies & Tracking

We use minimal cookies:

Cookie	Purpose	Duration	Type
`session_id`	Authentication	Session	Essential
`csrf_token`	Security	Session	Essential
`preferences`	UI settings	1 year	Functional

We do NOT use:

❌ Google Analytics
❌ Facebook Pixel
❌ Third-party advertising trackers
❌ Cross-site tracking

10. Third-Party Services

We share data with these processors:

Service	Purpose	Data Shared	Location
Auth0	Authentication	Email, password hash	EU (Frankfurt)
Stripe	Payments	Billing info (not cards)	EU
Cloudflare	CDN/Security	IP, requests	Global (EU primary)
SendGrid	Email delivery	Email address	EU

All processors are GDPR compliant with Data Processing Agreements in place.

11. Children's Privacy

SmartScan is not intended for individuals under 18. We do not knowingly collect data from children. If you believe a child has provided us data, contact us immediately.

12. Policy Changes

We may update this policy to reflect:

New features or services
Legal or regulatory changes
Security improvements

Material changes will be notified via email 30 days before taking effect. Continued use after changes constitutes acceptance.

13. Contact Us

Data Protection Officer
Email: dpo@securepath.biz
Response time: 30 days maximum

General Inquiries
Email: privacy@securepath.biz

Supervisory Authority
If unsatisfied with our response, you may lodge a complaint with:
Information Commissioner's Office (ICO)
https://ico.org.uk/make-a-complaint/