Privacy Policy
Last Updated: March 25, 2026
1. Introduction
CyberShield, operated by techPause ("we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal information when you use our security scanning and penetration testing platform ("the Service").
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Service.
2. Data Controller
techPause is the data controller for personal data processed through the Service. For all privacy-related inquiries, you can reach us at:
- Email: cybershield@techpause.org
- Website: techpause.org
3. Information We Collect
3.1 Information You Provide
- Account information — Name, email address, company name, and password when you register for an account. If you use OAuth (Google or GitHub), we receive your name and email from the identity provider.
- Contact form submissions — Name, email address, company name, phone number, and message content when you submit our contact or scoping forms.
- Engagement data — Target domains, IP addresses, scope definitions, testing requirements, and authorization documentation provided for penetration testing engagements.
- Payment information — Billing details processed through Stripe. We do not store full credit card numbers on our servers.
3.2 Information Collected Automatically
- Usage data — Pages visited, features used, scan frequency, and interaction patterns collected through Vercel Analytics. This data is aggregated and does not include personal identifiers.
- Device information — Browser type, operating system, and device type for compatibility and performance optimization.
- Log data — IP addresses, request timestamps, and HTTP request metadata for security monitoring and abuse prevention.
3.3 Scan & Testing Data
- Domain scan data — Domain names submitted for security posture scanning, along with the results of those scans (DNS records, TLS configurations, email authentication settings, HTTP headers, open ports).
- Penetration testing data — Vulnerability findings, evidence, remediation recommendations, and agent execution logs generated during engagements.
4. How We Use Your Information
We use your information for the following purposes:
- Service delivery — To perform security scans, execute penetration testing engagements, generate reports, and deliver findings.
- Account management — To create and manage your account, authenticate your identity, and enforce two-factor authentication.
- Communication — To respond to your inquiries, send security alerts you have configured, deliver engagement notifications, and provide service updates.
- Service improvement — To analyze aggregate usage patterns, improve detection accuracy, and develop new features.
- Security & compliance — To detect abuse, prevent unauthorized access, enforce rate limits, and comply with legal obligations.
- Billing — To process payments, manage subscriptions, and send invoices.
We do not use your data for advertising, profiling, or automated decision-making that produces legal effects.
5. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following legal bases:
- Contractual necessity — Processing required to deliver the Service you have subscribed to, including scanning, testing, and reporting.
- Legitimate interest — Processing for security monitoring, fraud prevention, service improvement, and business operations, balanced against your rights and interests.
- Consent — Where you have given explicit consent, such as for marketing communications. You may withdraw consent at any time.
- Legal obligation — Processing required to comply with applicable laws, regulations, or legal proceedings.
6. Third-Party Data Sharing
We do not sell, trade, or rent your personal information. We share data only with the following categories of third parties, and only as necessary to operate the Service:
6.1 Service Providers
- Vercel — Hosting, deployment, and anonymous usage analytics.
- Stripe — Payment processing and billing management.
- Resend — Transactional email delivery (account verification, security alerts, notifications).
- Turso — Database hosting for account and engagement data.
- Sentry — Error monitoring and performance tracking (no personal data is intentionally sent; error context may include anonymized request metadata).
- Render — Backend service hosting for scanning and testing infrastructure.
All service providers are contractually obligated to process data only on our behalf and in accordance with our instructions.
6.2 Legal & Safety Disclosures
We may disclose your information if required to:
- Comply with a legal obligation, court order, or government request.
- Protect the rights, property, or safety of techPause, our users, or the public.
- Investigate potential violations of our Terms of Service.
7. Cookie Policy
7.1 Essential Cookies
We use strictly necessary cookies to provide core Service functionality:
- Authentication cookies — Session tokens to keep you signed in and manage your authenticated state across the platform.
- CSRF tokens — Security tokens to prevent cross-site request forgery attacks.
- Theme preference — Your selected light/dark mode preference for a consistent experience.
7.2 Analytics
Vercel Analytics collects anonymous, aggregated usage data (page views, performance metrics) without using cookies and without tracking individual users. No advertising or marketing cookies are used.
7.3 Managing Cookies
You can control cookies through your browser settings. Disabling essential cookies may prevent you from using authenticated features of the Service.
8. Data Retention
We retain your data according to the following schedule:
- Account data — Retained for the duration of your active account plus 90 days after account deletion to allow for reactivation.
- Scan results & findings — Retained for the duration of your active subscription plus 90 days. Real-time posture scans not saved to your account are not stored beyond the session.
- Engagement data — Penetration testing findings and reports are retained for 12 months after engagement completion, or longer if required by your compliance framework.
- Contact form submissions — Retained for 24 months or until you request deletion.
- Server logs — Retained for 30 days for security monitoring, then automatically purged.
- Payment records — Retained as required by applicable tax and financial regulations.
You may request early deletion of your data at any time by contacting us.
9. Data Security
We implement technical and organizational measures to protect your data, including:
- Encryption in transit using TLS 1.2 or higher for all connections.
- Encrypted storage for sensitive credentials and authentication tokens.
- Access controls limiting data access to authorized personnel and systems.
- Two-factor authentication (TOTP) available for all user accounts.
- Rate limiting and abuse detection on all API endpoints.
- Regular security monitoring via Sentry and structured logging.
While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
10. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
10.1 GDPR Rights (EEA, UK, Switzerland)
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate or incomplete data.
- Right to erasure — Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
- Right to restrict processing — Request that we limit how we use your data.
- Right to data portability — Receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
- Right to object — Object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent — Withdraw consent at any time where processing is based on consent.
10.2 CCPA Rights (California Residents)
- Right to know what personal information is collected and how it is used.
- Right to request deletion of personal information.
- Right to opt out of the sale of personal information (we do not sell data).
- Right to non-discrimination for exercising privacy rights.
10.3 Exercising Your Rights
To exercise any of these rights, contact us at cybershield@techpause.org. We will respond to verified requests within 30 days. We may ask you to verify your identity before processing your request.
If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority.
11. International Data Transfers
Our Service infrastructure is hosted in the United States. If you access the Service from outside the United States, your data may be transferred to and processed in the United States.
For users in the EEA, UK, or Switzerland, we rely on standard contractual clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms, to ensure that your data receives an adequate level of protection.
12. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at cybershield@techpause.org.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated via email to the address associated with your account at least 30 days before they take effect.
The "Last Updated" date at the top of this page indicates when this policy was most recently revised. We encourage you to review this policy periodically.
14. Contact Information
For questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:
- Email: cybershield@techpause.org
- Website: techpause.org
We aim to respond to all privacy inquiries within 2 business days.