
Privacy Policy

Last updated: March 30, 2026

1. Introduction

ContrastCyber ("we", "us") operates ContrastScan at contrastcyber.com and the ContrastAPI at api.contrastcyber.com. This Privacy Policy explains what data we collect and how we use it.

2. Data We Collect

2.1 Scan Data

  • Domain names submitted for scanning
  • Scan results (security scores, grades, findings)
  • Passive recon data (DNS records, WHOIS, certificate transparency logs) — all from public sources

2.2 Technical Data

  • Hashed IP addresses — a truncated SHA-256 hash of your IP is stored for aggregate analytics (new vs. returning users). No raw IP address is ever stored in the database.
  • Rate limiting — raw IP addresses are stored temporarily in a local database for rate limiting, purged hourly, and never shared.

2.3 What We Do NOT Collect

  • No personal information (name, email, phone) — no signup required, no accounts
  • No tracking cookies
  • No third-party analytics (no Google Analytics, no Facebook Pixel, no fingerprinting)
  • No advertising data
  • We do not sell, rent, or share any data with third parties
  • We do not track users across sites

3. DNT & Global Privacy Control

We respect the Do Not Track (DNT) and Global Privacy Control (Sec-GPC) headers. If your browser sends either signal, we do not store any hashed IP data with your scan. The scan still works normally — we simply skip the analytics hash.

4. How We Use Data

  • Rate limiting: IP addresses are used in-memory to enforce fair usage limits (100/hour). This data is purged hourly.
  • Analytics: Hashed IPs let us count new vs. returning users in aggregate. IP hashes are irreversible and cannot be traced back to individual users.
  • Public statistics: The /stats page shows aggregate data (total scans, grade distribution). No individual scan data is publicly exposed.

5. Data Retention

  • Hashed IPs: Automatically anonymized (set to empty) after 90 days. The scan result is kept, but can no longer be linked to any user.
  • Scan results: Stored indefinitely for result lookup and historical comparison, but anonymized after 90 days.
  • IP rate limit data: In-memory only, purged automatically every hour.
  • Server logs: Rotated and deleted after 14 days.

6. Data Sharing

We do not sell, rent, or share any data with third parties. Scan results are accessible only via the unique scan ID URL.

7. Security

All data is transmitted over HTTPS. The server is hardened with fail2ban, Suricata IDS, AIDE file integrity monitoring, and kernel-level security (sysctl hardening). The application is open source and available for audit.

8. Open Source

ContrastScan is fully open source under the MIT License. You can review exactly what data is collected by reading the source code at github.com/UPinar/contrastscan.

9. Your Rights

Since we don't collect personal data, there is generally no personal data to access, correct, or delete. If you have concerns about data associated with your domain, contact us.

10. Changes

We may update this Privacy Policy. Changes will be posted on this page with an updated date.

11. Contact

For privacy questions: [email protected] or visit contrastcyber.com.


© 2026 ContrastScan