Legal Document

Privacy Policy

We practice what we preach. This policy explains exactly what data we collect, why we collect it, and how we protect it.

Last updated: March 7, 2026

TL;DR — The Short Version

  • We collect the minimum data necessary to provide our services
  • We do not sell your data to anyone, ever
  • We do not use tracking pixels, Google Analytics, or similar surveillance tools
  • Free tools like /exposed run in your browser — your IP is resolved via ipapi.co for geolocation; we do not receive or store it
  • Privacy Audit results are stored for 72 hours, then auto-deleted
  • You can request deletion of your data at any time

1. What We Collect

We collect different types of data depending on how you use our services:

Free Tools (No Account Required)

Browser Exposure Check

  • Your IP address is sent to ipapi.co for geolocation (see their privacy policy)
  • Browser fingerprint data is calculated entirely in your browser using FingerprintJS — it is never transmitted to our servers
  • Map tiles are loaded from OpenStreetMap (see their privacy policy)
  • We do not store any results from this tool

Website Privacy Scanner

  • URLs you scan are cached for 48 hours to improve performance
  • Scan results are stored temporarily (URL, trackers found, privacy score)
  • We do not associate scans with your identity unless you're logged in

Email Security, WHOIS, DNS Leak, Password Check

  • Email Security checks DNS records for a domain you provide — the domain is not stored
  • WHOIS Privacy Check queries public WHOIS data for a domain you provide — results are not stored
  • DNS Leak Test runs entirely in your browser — no data is sent to our servers
  • Password Strength Analyzer runs entirely in your browser using zxcvbn — passwords never leave your device

Metadata Stripper

  • Uploaded files are processed server-side to extract and strip EXIF/metadata
  • Files are not stored — they are processed in memory and discarded immediately

Threat Model Builder

  • Questionnaire answers are processed entirely in your browser — no data is sent to our servers
  • Results are calculated client-side and are not stored

Privacy Tools Directory

  • No personal data collected — browsing the directory is anonymous
  • Search queries are not logged or stored

Privacy Audit (Free Beta / Paid)

  • Domain you provide is scanned using our website scanner, email security checker, WHOIS lookup, and breach database
  • Threat model answers you provide during the audit questionnaire are stored with the audit session
  • Breach check queries the Have I Been Pwned API with your domain to check for known breaches — this is a domain-level check, not email-level
  • AI executive summary is generated by Venice.ai based on your audit findings
  • Audit results (domain, grade, score, findings, AI summary) are stored in our database for 72 hours, then automatically deleted
  • Shareable link — audit results can be shared via a permalink URL. Anyone with the link can view results until they expire
  • Logged-in users have audits linked to their account for viewing in their account dashboard

Account & Authentication

  • Email magic links — We send a one-time login code to your email via Resend. We store your email address and a hashed verification token. No passwords are stored.
  • DERO wallet authentication — If you log in via DERO wallet, we store your wallet address. No personal information is required or collected.
  • Session cookies — A secure, HTTP-only session cookie is set to keep you logged in. It contains only a session identifier.

Paid Services (Account Required)

If you purchase our services (/protect or /erase), we collect:

  • Email address — For account access and service communications
  • Payment information — Processed by Stripe; we never see your full card number
  • Service-specific data — Information needed to form your LLC (filed with the relevant Secretary of State) or remove your data from brokers

For LLC formation, we must collect certain personal information (name, address) as required by state law. This information is handled under strict confidentiality, encrypted at rest, and decrypted only when needed for filing operations. It is never shared except as required to complete your formation with the relevant Secretary of State.

2. What We Don't Collect

Unlike most websites, we deliberately avoid collecting:

  • No tracking pixels — No Google Analytics, Facebook Pixel, or similar surveillance
  • No fingerprinting for tracking — We show you your fingerprint to educate, not to track you
  • No third-party ads — We don't serve advertisements
  • No data sales — Your information is never sold to data brokers or advertisers
  • No social login tracking — We don't offer "Login with Google/Facebook"

3. Third-Party Services

We use a minimal set of third-party services, chosen for their privacy practices:

Service             Purpose                     Data Shared
Vercel              Hosting                     Server logs (IP, user agent)
Neon                Database                    Account & service data
ipapi.co            IP geolocation              IP address (for /exposed)
OpenStreetMap       Map tiles                   Tile requests
Venice.ai           AI chat & audit summaries   Conversation content, audit findings
Resend              Email delivery              Email address (for magic link login)
Have I Been Pwned   Breach database             Domain name (for audit breach check)
Stripe              Payments                    Payment details (paid services only)

4. How We Protect Your Data

  • Encryption in transit — All connections use HTTPS/TLS
  • Encryption at rest — Sensitive data is encrypted in our database
  • Minimal retention — We delete data when it's no longer needed
  • Access controls — Only authorized personnel can access customer data
  • No logs policy — We don't log more than necessary for security

5. Data Retention

  • Scanner results: 48 hours (cache), then deleted
  • Audit sessions: 72 hours, then automatically deleted (including domain, grade, score, findings, and AI summary)
  • Anonymous chat sessions: Deleted when you close the page
  • Email verification tokens: Expire after 15 minutes
  • Session cookies: Expire after 30 days of inactivity
  • Account data: Retained while your account is active
  • Service records: Retained as required by law (typically 7 years for financial records)

You can request deletion of your account and associated data at any time by contacting us.

6. Your Rights

Depending on your location, you may have the following rights:

  • Access — Request a copy of your data
  • Correction — Request correction of inaccurate data
  • Deletion — Request deletion of your data
  • Portability — Request your data in a machine-readable format
  • Objection — Object to certain processing of your data

To exercise these rights, contact us at privacy@defaultprivacy.com.

7. Contact Us

If you have questions about this privacy policy or our data practices:

Email: privacy@defaultprivacy.com

We aim to respond to all privacy inquiries within 48 hours.

8. Changes to This Policy

We may update this policy from time to time. Significant changes will be announced on our website. The "Last updated" date at the top of this page indicates when the policy was last revised.

Continued use of our services after changes constitutes acceptance of the updated policy.
