Privacy Policy

• Provide the Service: Perform security scans, generate findings, produce compliance reports, and deliver notifications.
• Improve the Platform: Train and refine our AI models for false positive detection, risk scoring, and remediation generation using aggregated, de-identified data.
• Security Notifications: Send email alerts for critical vulnerabilities, scan completions, and account security events.
• Compliance: Respond to legal requests and comply with applicable laws and regulations.

• Findings and Reports: Retained indefinitely while your account is active. You may request deletion at any time.
• Raw Scan Artifacts: Raw scan data (Nuclei output, raw HTTP responses, raw DNS records) is retained for 90 days, then automatically purged.
• Account Data: Deleted within 30 days of account closure. You will receive a confirmation email when deletion is complete.

We implement industry-standard security measures to protect your data:

• Encryption at Rest: AES-256 encryption for all stored data.
• Encryption in Transit: TLS 1.2+ for all network communications.
• Multi-Tenant Isolation: Row-level security (RLS) policies ensure strict data isolation between organizations.
• Infrastructure: Hosted on Google Cloud Platform with private networking, distroless containers, and no public database endpoints.

For users in the European Economic Area (EEA), we process your data under the following lawful bases:

• Contract Performance: Processing necessary to provide the Service you have subscribed to.
• Legitimate Interest: Improving our platform and ensuring the security of our Service.
• Consent: For optional marketing communications (you may opt out at any time).

You have the following rights under GDPR:

• Right to Access: Request a copy of all personal data we hold about you.
• Right to Erasure: Request deletion of your personal data (subject to legal retention requirements).
• Right to Portability: Receive your data in a structured, machine-readable format.
• Right to Rectification: Correct inaccurate personal data.
• Right to Object: Object to processing based on legitimate interest.

To exercise these rights, contact privacy@redwipe.com. We will respond within 30 days.

California residents have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: You may request the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You may request that we delete the personal information we have collected from you.
• No Sale of Personal Information: We do not sell your personal information to third parties. We have not sold personal information in the preceding 12 months.

We use only strictly necessary session cookies for authentication purposes. We do not use advertising, analytics, or tracking cookies. For full details, see our Cookie Policy.

We use the following third-party services to deliver and support the platform:

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting the updated policy on this page with a revised "Last updated" date. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

For privacy-related inquiries or to exercise your data rights, contact us at:

We use the following sub-processors to deliver the Service:

REDWIPE is based in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States. For users in the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for your data during transfer.

In the event of a data breach that affects your personal information, we will:

• Notify affected users within 72 hours of discovery, as required by GDPR.
• Notify relevant supervisory authorities as required by applicable law.
• Provide a description of the breach, the data affected, and the measures taken to address it.
• For users in jurisdictions with state breach notification laws (e.g., California), we will comply with applicable notification timelines.

We do not track users across third-party websites. Our analytics solution (Plausible) is cookieless and privacy-preserving — it does not use cookies, local storage, or any form of cross-site tracking. We honor Do Not Track (DNT) browser signals by default.

Under California Civil Code Section 1798.83, California residents may request information regarding the disclosure of their personal information to third parties for direct marketing purposes. REDWIPE does not disclose personal information to third parties for their direct marketing purposes. For questions, contact privacy@redwipe.com.