Privacy Policy

Last updated: April 2026

1. Introduction

sniffed (“we”, “us”, or “our”) operates the sniffed platform (the “Service”), an AI-powered penetration testing service. This Privacy Policy explains what information we collect, how we use it, and how we protect it. By using the Service, you agree to the practices described in this policy.

2. Information We Collect

Account information

When you create an account, we collect your name, email address, organisation name, and a hashed password. We do not store your password in plain text.

Target and scan data

We store the domains you add, verification tokens, scan configurations, scan results, and findings. If you provide credentials for authenticated testing (such as session cookies or bearer tokens), they are encrypted at rest using AES-256-GCM and only decrypted inside isolated, ephemeral sandbox containers during scan execution. Credentials are never displayed back in the UI after storage.

Usage and billing data

We track credit consumption, subscription status, and billing events. Payment processing is handled entirely by Stripe; we do not store your credit card number or bank details.

3. How We Use Your Information

  • To provide, maintain, and improve the Service.
  • To run security scans against targets you have verified and authorised.
  • To send transactional emails such as scan alerts and monthly security digests.
  • To process billing and manage your subscription.
  • To respond to support requests and communicate about the Service.

We do not sell your personal information or scan data to third parties. We do not use your scan results for advertising or profiling.

4. Legal Basis for Processing (UK GDPR)

We process your personal data under the following lawful bases:

  • Contractual necessity — processing your account information, target data, and scan results is necessary to provide the Service you have subscribed to.
  • Legitimate interests — we process usage data and technical logs to maintain platform security, detect abuse, improve our detection capabilities, and ensure the reliability of the Service. We balance these interests against your rights and do not use your data in ways you would not reasonably expect.
  • Consent — where we send non-essential communications, such as monthly security digests, you may opt out at any time from your notification settings.

5. Third-Party Services

We use the following third-party services to operate the platform:

  • Stripe — payment processing and subscription management. Stripe receives your payment information directly; see Stripe's Privacy Policy.
  • Resend — transactional email delivery (scan alerts, digests). Resend processes recipient email addresses; see Resend's Privacy Policy.
  • Supabase — managed PostgreSQL database hosting.
  • Vercel — web application hosting and edge delivery.

6. Data Storage and Security

Your data is stored in a managed PostgreSQL database with encrypted connections. Credentials for authenticated testing are encrypted using AES-256-GCM before storage and decrypted only within isolated Docker sandbox containers that are destroyed after each scan. All communication between the client and our servers is encrypted via TLS. We implement industry-standard security practices to protect your data, but no system is 100% secure.

7. International Data Transfers

Some of the third-party services we rely on are based outside the United Kingdom, primarily in the United States. This means your data may be transferred to and processed in countries that may not offer the same level of data protection as UK law. Where such transfers occur, we ensure appropriate safeguards are in place, including the use of providers that comply with recognised data protection frameworks. By using the Service, you acknowledge and consent to these transfers.

8. Data Retention

Your account data, targets, and scan results are retained for as long as your account is active. If you cancel your subscription or request account deletion, your data will be deleted within 30 days unless retention is required by law. Encrypted credentials can be revoked at any time from your target settings page.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate information.
  • Request deletion of your account and associated data.
  • Export your scan results and findings.
  • Withdraw consent for non-essential communications.

To exercise any of these rights, contact us at hello@sniffed.ai.

10. Cookies

We use essential session cookies for authentication. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the platform. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

12. Contact

If you have questions about this Privacy Policy, contact us at hello@sniffed.ai.