Privacy Policy

When you use the free scanner, we only collect what you type in: the web address you want us to check. That's it. No name, no email, no account required.

If you sign up for a paid plan or claim your domain, we collect:

• Your email address (so we can send your reports)
• Your business name and the website you're protecting
• Billing information (handled entirely by Stripe — we never see your card number)

If you fill out our contact form, we collect your name, email, and message — only so we can write back.

We don't keep a copy of your scan results sitting on our servers. Free scans run in real time and the results are shown to you in the browser. Once you close the page, they're gone from our side.

For paid plans, we save your weekly scan history so we can show you how things change over time. You can delete this at any time by contacting us.

Your email, your business name, your scan findings — none of it ever gets sold, traded, or shared with marketers, data brokers, or any third party. Ever. That's not how we make money. We make money from people paying for our service. That's the entire business model.

A few specific tools help us run the service:

• Stripe — handles payments. They have their own privacy policy at stripe.com/privacy.
• Resend — sends our emails (like your weekly brief). They only see the email address we're sending to.
• Supabase — stores your account login and the websites you've claimed.
• Vercel — hosts our website. They keep standard server logs (like IP addresses) for security and performance.
• Vercel Analytics — measures anonymous website traffic (such as page views and visitor counts) so we can see how the site is performing. It collects no personal data, does not track you across other websites, and is never used for advertising.
• Meta Pixel — runs only on our public marketing pages to measure how well our Facebook and Instagram ads perform. It helps us understand which ads bring people to our site. You can limit it through your Facebook ad preferences or your browser's privacy settings.

We don't use Google Analytics, and we never use these tools to sell your information or build advertising profiles about you.

When you connect Gmail or Outlook, SecureLayerHQ reads message metadata headers (subject, sender, date, Authentication-Results) to generate your daily security brief — detecting phishing attempts, suspicious senders, and email authentication failures. No message body content is accessed or stored.

You can disconnect your mailbox at any time from your dashboard. Disconnecting revokes our access immediately.

We take the following steps to protect the information you share with us:

• Encryption in transit: All communication between your browser, our servers, and third-party services uses HTTPS/TLS. Your data is never sent over an unencrypted connection.
• Encryption at rest: Account data, email metadata, and OAuth tokens stored in our database (Supabase) are encrypted at rest using industry-standard AES-256 encryption.
• OAuth token security: When you connect Gmail or Outlook, we store only the OAuth access and refresh tokens needed to read your email headers. These tokens are encrypted, never logged in plain text, and scoped to read-only access. We do not store your email password.
• Minimal data retention: We only retain email metadata (subject, sender, date, authentication headers) long enough to generate your daily brief. Raw header data is not stored permanently.
• Access controls: Access to production systems and user data is restricted to authorised personnel only, using role-based permissions. No third party has access to your stored OAuth credentials.
• Breach notification: If a data breach occurs that affects your personal information, we will notify you by email within 72 hours of becoming aware of it.

We check your website from the outside — exactly like a normal visitor would. We don't install any code, scripts, or trackers on your site. Your customers won't notice we exist. Their data stays between you and them.

You can ask us to:

• Show you exactly what information we have about you
• Delete your account and all related data
• Export your data in a portable format
• Correct anything that's wrong

Just email chris@securelayerhq.com and we'll handle it within 30 days. No hoops.

We use one cookie: the one that keeps you logged in to your account. That's it. No tracking cookies, no advertising cookies, no third-party cookies.

If we ever change this policy in a meaningful way, we'll email anyone with a paid plan and put a clear notice on the site. We won't sneak changes in.

Email chris@securelayerhq.com or use our contact form. A real person reads every message.