
ShadowTrackr is a cybersecurity product. Our customers trust us with visibility into their most sensitive infrastructure. We hold ourselves to the same standard we help them achieve.
This page explains how we protect your data and our platform. If you have questions not answered here, contact us at .
All customer data is stored in Germany.
Our core infrastructure runs on servers operated by Hetzner Online GmbH, a fully German-owned company headquartered in Gunzenhausen, Germany. Hetzner operates data centres under German law and EU regulation.
Scanner nodes are placed globally to perform external-perspective scanning — the same view an attacker has. These nodes:
| Context | Standard |
|---|---|
| Data in transit (web, API) | TLS 1.2 minimum, TLS 1.3 preferred |
| Data in transit (scanner nodes → core) | TLS with certificate pinning |
| Data at rest (core infrastructure) | AES-256 |
| Scanner node storage | AES-256 full-disk encryption |
| Backups | Encrypted with AES-256, stored in Germany |
We score ourselves on the same SSL Labs / TLS grading criteria we use to grade your certificates. We aim for an A+ on all endpoints.
Customer authentication
Internal access controls
ShadowTrackr staff may access customer data for support and development purposes. Because ShadowTrackr works exclusively with data found on or derived from the external attack surface, this data does not typically contain privacy-sensitive information. Access to customer account details and financial data is restricted to authorised internal staff on a need-to-know basis.
ShadowTrackr does not use AI agents, large language models or automated profiling on your data. Your asset data is not used to train machine learning models, fed to third-party AI APIs or processed for any purpose other than delivering the ShadowTrackr service to you.
We use only functional cookies — strictly necessary to manage your login session. We do not use Google Analytics, Meta Pixel, advertising networks or any third-party tracking technology. You can verify this with any browser developer tools or network inspector.
We practice what we preach:
We welcome reports from security researchers. If you find a vulnerability in any ShadowTrackr system, please email with:
Scope:
Out of scope: social engineering, physical attacks, denial-of-service testing.
Safe harbour: researchers who follow responsible disclosure and do not access, modify or exfiltrate user data will not face legal action. We will acknowledge your report within 3 business days and keep you updated on our remediation progress.
We do not currently operate a paid bug bounty programme, but we will thank you publicly (if you want) and may offer account credit for significant findings.
Enterprise and government customers can request our current compliance documentation by emailing .
Built on certified infrastructure
ShadowTrackr runs on EU-based infrastructure operated by providers independently audited to the highest security standards. Our core platform runs on Hetzner (ISO 27001:2022, BSI C5 Type 2, KRITIS §8a), and our distributed scanner network runs on Akamai Cloud (ISO 27001, SOC 2 Type 2, BSI C5). This means the physical, network, and hypervisor layers of our platform meet standards required by EU government and critical infrastructure procurement frameworks.
ShadowTrackr itself does not have an ISO 27001 certificate yet; we're building toward that. Our infrastructure providers are already certified, and we're implementing ISO-aligned controls internally. We expect to pursue certification as the business scales.
We offer Data Processing Agreements (DPAs) under Art. 28 GDPR for customers who need them for their own compliance obligations. Contact to request a DPA.
Customer data is retained for the duration of the active subscription and used solely to deliver the ShadowTrackr service.
After account closure, customer data enters a 30-day grace period. All data remains accessible for export via the dashboard or API. After 30 days, all customer data is permanently deleted from production systems, backups, and scanner nodes. Deletion is irreversible.
After deletion, invoices, billing records and associated account details are retained for 7 years (Art. 52 EU VAT Directive).
No asset data, scan results, alerts, reports, or API keys are retained after deletion.
Deletion on request — customers may request immediate deletion at any time by contacting privacy@shadowtrackr.com. We confirm deletion in writing within 5 business days (GDPR Art. 17).
Backups are retained on a 30-day rolling basis. Deleted data is fully purged from all backups within 30 days of deletion.
Scanner nodes do not retain customer data. Results are transmitted immediately to core infrastructure — there is no secondary copy to delete.
In the event of a security incident affecting customer data, we will:
for security questions.
for data protection and GDPR questions.
for everything else.