1. Information We Collect

We collect the following categories of information:

• Account Information: Username, email address, full name, organization, and hashed password provided during registration.
• Registration Metadata: IP address at registration time, browser user agent, and stated purpose of use — used for admin review and fraud prevention.
• Scan Data: Target URLs you submit for scanning, scan results, vulnerability findings, and associated metadata.
• Credentials: Authentication credentials you optionally provide for authenticated scanning. These are stored in our database and used only to perform scans you initiate.
• Payment Information: UPI transaction reference IDs (UTR numbers) and plan selection. We do not store full card numbers or UPI PINs.
• Usage Logs: Request logs, security event logs (attack detection), and scan activity for platform security and abuse prevention.
• Email Subscriptions: Email addresses voluntarily submitted for newsletter/update subscriptions.

2. How We Use Your Information

• To provide, operate, and improve the RTS Scanner platform and its features.
• To authenticate your identity and protect your account from unauthorized access.
• To process plan upgrades and verify UPI payments.
• To execute security scans on targets you authorize and return results to you.
• To detect, investigate, and prevent fraudulent, abusive, or illegal activity.
• To send platform updates, security advisories, and feature announcements (only if subscribed).
• To comply with legal obligations and respond to lawful requests from authorities.

3. Data Security

We implement multiple layers of security to protect your data:

• Password Hashing: All passwords are hashed using Werkzeug's PBKDF2-SHA256 algorithm. We never store plaintext passwords.
• IDOR Protection: Scan results are accessible only via non-guessable UUID tokens. Direct ID enumeration is blocked.
• Security Headers: All responses include X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, and Referrer-Policy headers.
• Attack Detection: Our middleware monitors for SQL injection, XSS, path traversal, and other attack patterns in real time.
• Rate Limiting: Requests are rate-monitored to detect and block brute-force and fuzzing attempts.
• Sensitive File Blocking: Direct access to source code, database files, logs, and configuration files is blocked at the application level.

4. Data Sharing

We do not sell, rent, or trade your personal information to third parties. We may share data only in the following limited circumstances:

• Legal Compliance: When required by law, court order, or government authority.
• Security Incidents: To investigate or prevent fraud, abuse, or security threats to the platform or its users.
• Service Providers: Trusted infrastructure providers (hosting, database) who process data on our behalf under strict confidentiality agreements.

5. Data Retention

• Account Data: Retained for the lifetime of your account. Deleted upon account deletion.
• Scan Results: Retained until you manually delete them from your dashboard.
• Security Logs: Attack logs are retained for up to 90 days for security analysis.
• Payment Records: Retained for 7 years for financial compliance purposes.
• Email Subscriptions: Retained until you unsubscribe.

6. Your Rights

You have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your account and associated data (subject to legal retention requirements).
• Portability: Request your scan data in a machine-readable format.
• Objection: Object to processing of your data for specific purposes.

To exercise any of these rights, contact us at support@rudrasec.in.

7. Cookies & Sessions

RTS Scanner uses session cookies strictly for authentication purposes. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Session data is stored server-side and expires when you log out or after a period of inactivity.

8. Children's Privacy

RTS Scanner is intended for use by security professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has registered, please contact us immediately.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of significant changes via the platform's notification system. Continued use of RTS Scanner after changes constitutes acceptance of the updated policy.

10. Contact Us

For privacy-related questions, data requests, or concerns, contact us at: