Privacy Policy
Our Commitment: SmartScan is built by security professionals who understand the sensitivity of forensic data. We collect only what's necessary, encrypt everything, and delete data promptly. Your privacy is not just a policy; it's our core value.
1. Who We Are
SECURE PATH LTD ("we", "us", "our") operates the SmartScan forensic spyware detection platform at omnivisix.co.uk.
| Detail | Information |
|---|---|
| Company Name | Secure Path Ltd |
| Registration | England & Wales |
| Data Protection Officer | dpo@securepath.biz |
| ICO Registration | C1895044 |
2. Data We Collect
2.1 Account & Identity Data
How we identify you depends on the platform:
2.1(a) Web Portal (omnivisix.co.uk)
Authentication is handled by Auth0 (a third-party identity provider). When you register on the web portal:
- Email address and password are collected and managed by Auth0
- During the OpenID Connect (OAuth 2.0) login flow, requested with the scopes openid profile email, Auth0 transmits to our server your email, name, nickname, profile picture and an opaque user identifier (user_sub, the OIDC sub claim)
- This data is stored in our database (table sessions) to establish your session
- Your password is never transmitted to or stored by our servers; it remains exclusively within Auth0
Additionally, when you complete your user profile on the web portal, you may provide:
- Given name and family name
- Email address (synced from Auth0 or updated manually)
- Nickname
- Phone number (optional)
- User type (private individual or company)
- Company name, country, VAT number, company address, company email (optional β for enterprise/invoicing features)
- Language and country preferences
- Privacy policy acceptance timestamp
This profile data is stored in our database (table account) and is used for service delivery, billing, and user support.
2.1(b) Mobile Apps (SmartScan for iOS / Android)
The mobile apps support two authentication methods:
Device-based authentication (default):
- A random device UID is generated locally on your device at first launch
- A synthetic, non-deliverable email address ({device_id}@poc.quantel.com) is created automatically; this is not a real email and cannot receive messages
- No personal email, name or phone number is collected through this method; technical data such as your IP address is still processed as described in Section 2.4
- No account registration is required
- The device UID is random and carries no identifying information; it is not linked to any identity unless you later log in via Auth0 (see below)
Auth0 login (optional):
- If you choose to log in via Auth0 within the mobile app, the same data as Section 2.1(a) applies β your email, name, and user_sub are transmitted to our server
- This enables cross-device access to your scan history and credits
2.2 Analysis Data (PCAP Files)
Important: PCAP files may contain sensitive network traffic, including application payloads. We analyze them for spyware indicators only. The uploaded file is held in full, encrypted, for the 24-hour retention window described in Section 5; we do not inspect, extract or retain payload content beyond what threat detection requires.
- PCAP/PCAPNG files - Uploaded for analysis
- Metadata - File size, upload timestamp, analysis duration
- Results - Detected threats, confidence scores, IOCs
2.3 Network Anonymization Architecture
SmartScan captures network traffic through a WireGuard VPN tunnel operating at Layer 3 (Network Layer) of the OSI model. Understanding this architecture is critical to evaluating the privacy characteristics of captured data:
| OSI Layer | What SmartScan Sees | What SmartScan CANNOT See |
|---|---|---|
| Layer 1 (Physical) | Nothing β no access to radio/cellular/Wi-Fi physical layer | Carrier signal, cell tower ID, IMEI, IMSI, SIM/eSIM ICCID |
| Layer 2 (Data Link) | Nothing β WireGuard operates above this layer | MAC addresses, ARP tables, Ethernet frames, Wi-Fi BSSID |
| Layer 3 (Network) | Only the WireGuard tunnel IP (e.g. 10.x.x.x) assigned by our server | Real device IP, ISP-assigned public IP, NAT gateway IP, GeoIP location |
| Layer 4 (Transport) | TCP/UDP ports and session metadata (within the tunnel) | Source port mappings from the ISP's NAT/CGNAT |
| Layer 5-7 (Session/Application) | DNS queries, TLS handshakes (SNI), HTTP metadata β all routed through tunnel | Any traffic that does not traverse the WireGuard tunnel |
WireGuard encapsulation process:
- The device establishes a WireGuard tunnel to our capture server
- All device traffic is encapsulated in WireGuard's ChaCha20-Poly1305 encrypted UDP packets
- Upon arrival at the capture server, traffic is decapsulated β the outer (real IP) headers are discarded
- The PCAP records only the inner packet with the tunnel-assigned private IP as source
- The original device IP, ISP identity, and geographic location never enter the PCAP file
Forensic-Legal Implications: The packet capture files ("PCAP") generated during a SmartScan analysis contain exclusively traffic from within the WireGuard tunnel interface, bearing only the ephemeral private IP address assigned by the SmartScan capture server. No Internet Service Provider ("ISP") assigned IP address, Mobile Network Operator ("MNO") identifier, International Mobile Subscriber Identity ("IMSI"), Integrated Circuit Card Identifier ("ICCID"), International Mobile Equipment Identity ("IMEI"), Subscriber Identity Module ("SIM" or "eSIM") metadata, or any network-layer information capable of identifying the originating device's physical location, carrier, or subscriber identity is present in, or derivable from, the captured data.
Consequently, even in the event of a lawful interception order, data breach, or unauthorized access to stored PCAP files, the network-layer contents of the capture alone do not allow anyone to:
- Determine the geographic location of the scanned device
- Identify the ISP, carrier, or mobile network operator
- Associate the captured traffic with a specific subscriber or SIM/eSIM
- Perform a reverse GeoIP lookup on the device's real IP address
This architecture provides network-layer anonymity by design, as an inherent property of the Layer 3 tunnel encapsulation model rather than a policy choice. Two limits of that guarantee should be understood. First, it covers network-layer identifiers only: the application-layer data that does traverse the tunnel (DNS query names, TLS SNI and HTTP metadata, as listed in the table above) remains in the PCAP and can itself be identifying, which is why PCAP files are treated as sensitive (Section 2.2) and deleted after 24 hours (Section 5). Second, the capture server necessarily sees the outer source IP address in order to operate the WireGuard tunnel; that address is not written to the PCAP, and any logging of it is covered by the technical data described in Section 2.4.
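The following script is an added example, not SmartScan's own code, showing how a reviewer can check the two properties described above against an actual capture file: that no packet in the PCAP carries two non-tunnel endpoints (which would indicate a leaked outer WireGuard datagram, i.e. the device's real IP), and which application-layer identifiers (here, DNS query names) are still present inside the tunnel. It assumes a classic little-endian pcap with link type 101 (LINKTYPE_RAW, bare IPv4 as a tun interface such as wg0 produces), IPv4 only, and a tunnel range of 10.0.0.0/8 taken from the "10.x.x.x" example in the policy; none of these details are stated on the page. The sample capture is constructed inline so the script runs offline.

```python
"""
Added example (not SmartScan's own code): audit a capture taken on the
WireGuard tunnel interface.

  1. Every packet should have at least one endpoint inside the tunnel range.
     A packet with two public endpoints is most likely a leaked *outer*
     WireGuard datagram, i.e. the device's real IP made it into the file.
  2. Application-layer identifiers survive inside the tunnel. DNS query
     names are extracted as the simplest case of such data.

Assumptions (not from the policy): classic little-endian pcap, link type 101
(LINKTYPE_RAW), IPv4 only, tunnel range 10.0.0.0/8. Standard library only;
the sample capture below is constructed, not a real SmartScan file.
"""
import ipaddress
import struct
from typing import Dict, Iterator, List, Optional

LINKTYPE_RAW = 101
PCAP_MAGIC_LE = 0xA1B2C3D4


def build_pcap(packets: List[bytes]) -> bytes:
    """Wrap raw IP packets in a classic pcap file (global header + per-packet headers)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    records = b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in packets)
    return header + records


def ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build an IPv4/UDP packet; checksums are left zero, which is enough for parsing."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp


def dns_question(name: str, flags: int = 0x0100) -> bytes:
    """Build a DNS message holding one A question for `name` (QR=0 query by default)."""
    labels = b"".join(bytes([len(part)]) + part.encode() for part in name.split("."))
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)


def iter_packets(pcap: bytes) -> Iterator[bytes]:
    """Yield raw packet bytes from a classic pcap; refuse formats this example does not handle."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap (pcapng and big-endian are not handled here)")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_RAW:
        raise ValueError(f"link type {linktype} is not LINKTYPE_RAW; Ethernet captures need a 14-byte skip")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def dns_query_name(payload: bytes) -> Optional[str]:
    """Return the QNAME of a DNS query, or None for responses and malformed messages."""
    if len(payload) < 12 or payload[2] & 0x80:   # QR bit set: a response, not a query
        return None
    labels, off = [], 12
    while off < len(payload):
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 or off + n > len(payload):    # compression pointer or truncated label
            return None
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels)


def audit_capture(pcap: bytes, tunnel_net: str = "10.0.0.0/8") -> Dict[str, List[str]]:
    """Flag packets with no tunnel endpoint and collect DNS query names seen inside the tunnel."""
    net = ipaddress.ip_network(tunnel_net)
    leaked, names = [], []
    for pkt in iter_packets(pcap):
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue
        ihl = (pkt[0] & 0x0F) * 4
        src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
        if src not in net and dst not in net:
            leaked.append(f"{src} -> {dst}")
        if pkt[9] == 17 and len(pkt) >= ihl + 8:           # protocol 17 = UDP
            sport, dport = struct.unpack_from("!HH", pkt, ihl)
            if 53 in (sport, dport):
                name = dns_query_name(pkt[ihl + 8:])
                if name:
                    names.append(name)
    return {"leaked": leaked, "dns_names": names}


def sample_capture() -> bytes:
    """Constructed capture: one tunnel DNS exchange plus one outer datagram that should never appear."""
    return build_pcap([
        ipv4_udp("10.8.0.2", "1.1.1.1", 40001, 53, dns_question("example.com")),
        ipv4_udp("1.1.1.1", "10.8.0.2", 53, 40001, dns_question("example.com", flags=0x8180)),
        # Leaked outer WireGuard datagram: real device IP -> capture server, UDP 51820 (constructed).
        ipv4_udp("203.0.113.7", "198.51.100.10", 51820, 51820, b"\x04\x00\x00\x00" + b"\x00" * 28),
    ])


if __name__ == "__main__":
    print(audit_capture(sample_capture()))
```

On the constructed capture the audit reports one leaked packet (203.0.113.7 -> 198.51.100.10) and one DNS name (example.com); on a correctly produced SmartScan PCAP the leaked list should be empty, while the DNS names illustrate the kind of identifying application-layer data that the tunnel does not remove.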
2.4 Technical Data
- IP address - For security and abuse prevention
- Browser/device info - User-Agent for compatibility
- Access logs - Timestamps of platform usage
2.5 Data We Do NOT Collect
- Payment card details (processed by Stripe)
- Social media profiles
- Location tracking beyond IP geolocation
- Content of communications in PCAP files beyond what threat detection requires (see Section 2.2)
3. How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide analysis service | PCAP files, account data | Contract performance |
| Generate forensic reports | Analysis results, metadata | Contract performance |
| Account management | User identifier (user_sub or device UID), email, name, nickname, phone (if provided), user type, company details (if provided) | Contract performance |
| Payment processing | Email, user identifier (passed to Stripe / NOWPayments) | Contract performance |
| Transactional emails | Email address (temporary access links, support replies) | Contract performance |
| Security monitoring | IP, access logs | Legitimate interest |
| Service improvement | Anonymized usage stats | Legitimate interest |
| Legal compliance | All relevant data | Legal obligation |
4. Legal Basis for Processing (GDPR)
We process your data under the following legal bases:
- Contract Performance (Art. 6(1)(b)) - Necessary to provide the service you requested
- Legitimate Interest (Art. 6(1)(f)) - Security, fraud prevention, service improvement
- Legal Obligation (Art. 6(1)(c)) - Compliance with law enforcement requests, tax records
- Consent (Art. 6(1)(a)) - Marketing emails (opt-in only)
5. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| PCAP files (all tiers) | 24 hours after report delivery (automated scheduled job) | Secure overwrite (DoD 5220.22-M) |
| Analysis reports | 1 year or account deletion | Database deletion |
| Account data | Until account deletion + 30 days | Database deletion |
| Access logs | 90 days | Automatic rotation |
Automatic Deletion: All PCAP files are automatically and permanently deleted by a scheduled cleanup job 24 hours after report delivery. This retention window allows you to request an extended in-depth analysis by our Network Senior Division if the initial report warrants further investigation. After 24 hours, the PCAP is irrecoverably destroyed. No manual deletion request is needed. A deletion certificate is available upon request for chain of custody documentation.
6. Data Security
We implement industry-leading security measures:
6.1 Encryption
- In Transit: TLS 1.3 for all connections
- At Rest: AES-256 encryption for stored files
- Passwords: not stored on our servers (credentials are held by Auth0, see Section 2.1(a)); any password hash that is stored uses bcrypt with cost factor 12
6.2 Infrastructure
- ISO 27001 certified data centers (EU)
- Air-gapped analysis environments
- No third-party cloud storage for PCAP files
- Regular penetration testing
6.3 Access Control
- Role-based access control (RBAC)
- Multi-factor authentication available
- Employee access logged and audited
- Background checks for all staff
7. Your Rights (GDPR)
Under GDPR, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of your data | Account settings or email DPO |
| Rectification | Correct inaccurate data | Account settings |
| Erasure | Delete your account and data | Account settings or email DPO |
| Portability | Export your data in machine-readable format | Account settings (JSON export) |
| Restriction | Limit how we process your data | Email DPO |
| Objection | Object to processing based on legitimate interest | Email DPO |
| Withdraw Consent | Withdraw marketing consent anytime | Unsubscribe link or account settings |
To exercise your rights, contact: dpo@securepath.biz
We respond within one month, the period set by GDPR (Art. 12(3)).
8. International Data Transfers
Your data is processed in the European Union. If transfer outside the EU is necessary:
- We use Standard Contractual Clauses (SCCs)
- We verify adequacy decisions where applicable
- We apply supplementary measures as per EDPB guidance
9. Cookies & Tracking
We use essential cookies and limited analytics to operate and improve the Service:
9.1 Essential Cookies
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| session_id | Authentication | Session | Essential |
| csrf_token | Security | Session | Essential |
| preferences | UI settings | 1 year | Functional |
9.2 Analytics & Marketing
| Service | Purpose | Cookies Set | Legal Basis |
|---|---|---|---|
| Google Analytics (G-4ZRDKJFZPX) | Anonymized website usage statistics (page views, traffic sources, session duration) | _ga, _ga_* | Legitimate interest |
| Meta Pixel (Facebook) | Conversion tracking for advertising campaigns | _fbp, fr | Legitimate interest |
Google Analytics data is anonymized (IP anonymization enabled). Meta Pixel tracks page views and conversion events only β no custom audiences or lookalike targeting is configured.
You may opt out of analytics tracking by:
- Installing the Google Analytics Opt-out Browser Add-on
- Adjusting your ad preferences at Meta Ad Preferences
- Using browser-level cookie blocking or a tracker blocker extension
We do NOT use:
- Third-party advertising trackers beyond those listed above
- Cross-site tracking or fingerprinting
- Retargeting or custom audience building
10. Third-Party Services
We share data with these processors:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Auth0 (Okta Inc.) | Authentication & identity provider | Email, password (managed by Auth0). During the OpenID Connect flow we receive: email, name, nickname, profile picture, user_sub | EU (Frankfurt) |
| Stripe | Card payment processing | Email (as customer_email and receipt_email), user_sub in metadata, invoice generation | EU / US (Stripe Inc.) |
| NOWPayments | Cryptocurrency payment processing | user_sub in metadata, scan quantity, amount. No email or name is transmitted | EU (NOWPayments B.V.) |
| SMTP2Go | Transactional email delivery | Recipient email address, message content (temporary access links, support replies) | EU / NZ (SMTP2Go Ltd) |
| Google Analytics | Website usage analytics | Anonymized IP, page views, session data | EU / US (Google LLC) |
| Meta (Facebook Pixel) | Advertising conversion tracking | Page view events, IP address | EU / US (Meta Platforms Inc.) |
| Cloudflare | CDN / Security | IP, requests | Global (EU primary) |
All processors are GDPR compliant with Data Processing Agreements in place. For US-based processors (Google, Meta, Stripe), data transfers are governed by the EU-US Data Privacy Framework.
11. Children's Privacy
SmartScan is not intended for individuals under 18. We do not knowingly collect data from children. If you believe a child has provided us data, contact us immediately.
12. Policy Changes
We may update this policy to reflect:
- New features or services
- Legal or regulatory changes
- Security improvements
Material changes will be notified via email 30 days before taking effect. Continued use after changes constitutes acceptance.
13. Contact Us
Data Protection Officer
Email: dpo@securepath.biz
Response time: 30 days maximum
General Inquiries
Email: privacy@securepath.biz
Supervisory Authority
If unsatisfied with our response, you may lodge a complaint with:
Information Commissioner's Office (ICO)
https://ico.org.uk/make-a-complaint/
© 2026 Secure Path Ltd. All rights reserved.
This privacy policy is provided for informational purposes and does not constitute legal advice.