Privacy Policy

Controller: ShadowTrackr Ltd, registered in Cyprus (HE 488421), Kalymnou 1, “Q Merito” 4th Floor, Agios Nikolaos, 6037 Larnaca, Cyprus.

Contact:

Last updated: May 2026 — Version: 2.0

1. Who We Are and What This Policy Covers

ShadowTrackr Ltd (“ShadowTrackr”, “we”, “us”) operates the ShadowTrackr attack surface management platform at shadowtrackr.com. This Privacy Policy explains how we collect, use, store and protect personal data in connection with our website, platform and related services.

We are subject to the EU General Data Protection Regulation (GDPR) and the Cyprus data protection law implementing it. Whether your organisation is established in the EEA, the UK, Switzerland or anywhere else, the same protections apply to your data.

2. The Data We Collect and Why

2.1 Account and billing data

When you register for ShadowTrackr we collect your name, email address, company name and billing details (handled partly by Stripe — see Section 5). We use this data to create and manage your account, send you service notifications and process payments.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

2.2 Service usage data

We log authentication events (login/logout timestamps, IP address) and API usage to operate the platform securely, detect abuse and provide support.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — specifically, operating a secure service.

2.3 Customer asset data

The core function of ShadowTrackr is to scan and monitor internet-facing assets that you define. The results of those scans — IP addresses, hostnames, certificates, DNS records, vulnerability findings and so on — belong to you. We process this data solely to deliver the service. We do not analyse, sell or otherwise use your asset data for any purpose other than providing ShadowTrackr to you.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

2.4 Email addresses discovered during scanning

ShadowTrackr may discover publicly exposed email addresses on the assets you monitor and check them against the Have I Been Pwned (HIBP) breach database. These addresses are part of your asset data and are handled under the same terms.

2.5 Cookies

We use only functional cookies, strictly necessary to manage your login session and maintain platform state. We do not use advertising cookies, tracking pixels, Google Analytics or any other third-party analytics or tracking technology. No consent banner is required for strictly necessary cookies, but we still tell you clearly: the only cookies we set are the ones that make your login work.

3. Where Your Data Is Stored and Processed

All account data and asset data are stored exclusively in Germany, at Hetzner Online GmbH (Nuremberg), a fully German-owned company operating under German and EU law. No US-owned cloud providers sit in the data path for stored data.

Scanner nodes are deployed globally to provide realistic external-perspective scanning — the same view an attacker has. When a scan is performed on a scanner node outside Europe, the minimal technical data needed for that scan (IP address, URL, open ports) is sent to that node for processing. This is limited to publicly available internet-facing data that anyone can discover. Customer-specific metadata such as tags, labels, team assignments or internal notes is never sent to scanner nodes.

Scanner nodes:

Do not store any data — results are transmitted encrypted (TLS) to our German infrastructure immediately after each scan
Use full-disk encryption for the OS volume even though no customer data persists on them
Are architecturally isolated from core infrastructure — a compromised scanner node cannot affect the platform or other customers

ShadowTrackr does not operate any AI agents, large language model processing or automated profiling on your data. Your data is not used to train machine learning models.

4. Data Transfers Outside the EEA

All personal data and asset data are stored and processed within the EEA. The following limited, well-defined transfers may occur:

Recipient	What is shared	Why	Safeguards
Scanner nodes outside Europe	IP addresses, URLs and open ports required for the scan	External-perspective scanning from global vantage points	Only publicly available internet data is transmitted; no customer metadata, tags or internal notes leave the EEA. Data is encrypted in transit and never stored on the node.
Stripe, Inc. (US)	Billing details only	Payment processing	Standard Contractual Clauses (SCCs) and Stripe’s GDPR programme. Stripe does not receive your asset data.
Have I Been Pwned (Australia)	Anonymised k-anonymity hash prefixes of email addresses	Breach checking	The full email address is never transmitted. Consistent with HIBP’s privacy model.
Third-party integrations (e.g. Shodan, Censys)	IP addresses, URLs and domains for the assets you have enrolled	Enrichment services you explicitly enable	Data is shared only when you activate an integration. Only the minimal asset identifiers needed for the integration to function are transmitted — no tags, labels or internal customer data.

No other third parties receive your data.

5. Sub-processors

Sub-processor	Location	Purpose	Data category
Hetzner Online GmbH	Germany	Infrastructure hosting	All account and asset data
Stripe, Inc.	US (EU DPA in place)	Payment processing	Billing details only
Have I Been Pwned	Australia	Breach checking	Anonymised email hash prefixes only
Shodan / Censys (if enabled)	US	Asset enrichment	IP addresses, URLs and domains only

We will update this list and notify customers of any material changes before they take effect.

6. How Long We Keep Your Data

Data type	Retention period
Account data	Duration of your subscription + 30 days after deletion request
Asset scan data	Duration of your subscription, or the retention period set in your plan
Billing records	7 years (legal obligation under Cyprus and EU tax law)
Authentication logs	90 days

When you request deletion of your account, all your personal data and asset data is deleted within 30 days. Billing records are retained only to the extent required by law.

7. Your Rights Under GDPR

You have the right to:

Access a copy of the personal data we hold about you (Art. 15)
Rectification of inaccurate data (Art. 16)
Erasure (“right to be forgotten”) — request deletion of your data at any time by emailing or using the in-platform delete function (Art. 17)
Restriction of processing in certain circumstances (Art. 18)
Data portability — receive your data in a machine-readable format (Art. 20)
Object to processing based on legitimate interest (Art. 21)
Withdraw consent at any time where processing is based on consent

To exercise any of these rights, email . We will respond within one month. You also have the right to lodge a complaint with your national data protection authority or the Cyprus Commissioner for Personal Data Protection (www.dataprotection.gov.cy).

8. Security

We apply technical and organisational measures appropriate to the risk, including:

Encryption of data in transit (TLS 1.2 minimum, TLS 1.3 preferred)
Encryption at rest (AES-256) for all storage infrastructure
Access control limiting personnel access to customer data
Regular vulnerability assessments of our own infrastructure
Incident response procedures with notification obligations under Art. 33–34 GDPR

See our Security & Trust page for full details.

9. MSSP and Multi-Tenant Use

Managed Security Service Providers (MSSPs) and organisations managing multiple subsidiaries or clients can use ShadowTrackr in a multi-tenant configuration. In this context:

Each tenant’s asset data is logically separated and not accessible to other tenants
The MSSP acts as a processor or joint controller depending on the arrangement with their end-client — we support both models
We can issue separate DPAs per end-client relationship if required
Data residency guarantees (Germany / EEA) apply equally to all tenants

10. Data Processing Agreements

Customers using ShadowTrackr in a business context where we process personal data on their behalf (for example, email addresses found in their asset scans) may request a Data Processing Agreement (DPA) consistent with Art. 28 GDPR. This includes enterprise customers, government agencies and MSSPs managing client data.

Contact to request a DPA.

11. Changes to This Policy

We will post updates here and notify registered users by email for any material changes. The version number and “last updated” date at the top of this page always reflect the current version.

12. Contact

Privacy enquiries:
General contact:
Postal address: ShadowTrackr Ltd, Kalymnou 1, “Q Merito” 4th Floor, Agios Nikolaos, 6037 Larnaca, Cyprus