ScanOrbit is a trade name of Maria Elina, registered as a sole proprietorship (eenmanszaak) at the Dutch Chamber of Commerce (KVK) under number 99611252, with BTW-ID NL005398711B41. Our registered address is Keizersgracht 241, Amsterdam, 1016EA Netherlands.
This Privacy Policy explains how we collect, use, store, and protect your information when you use our website (scanorbit.cloud) and services.
1. Information We Collect
1.1 Information You Provide
Account Registration:
- Email address
- Full name
- Password (hashed with bcrypt; not stored for OAuth-only users)
- Company or organization name (optional)
- Organization role (admin or member)
- Job title or function (optional, e.g., DevOps, CTO, Developer)
OAuth Sign-In (if used):
- OAuth provider ID (Google or GitHub)
- Email address and profile name from the OAuth provider
- OAuth access and refresh tokens (AES-256-GCM encrypted at rest)
- A minimized version of your OAuth provider profile containing the fields listed above
Two-Factor Authentication (if enabled):
- TOTP secret (AES-256-GCM encrypted)
- Recovery codes (bcrypt hashed)
Billing:
- Stripe customer ID and subscription ID
- Subscription tier and status
- Billing name and address (processed by Stripe)
AWS Connection:
- AWS Account ID (12-digit identifier)
- IAM Role ARN (for read-only access)
- External ID (optional security parameter)
Communication:
- Messages sent through contact forms or support requests
- Email correspondence
- Bug reports: title, description, category, page context, and optional screenshots (linked to your account for follow-up)
1.2 Information We Collect Automatically
Scan Data:
- AWS resource metadata (EC2 instances, EBS volumes, S3 buckets, RDS databases, load balancers, certificates, Lambda functions, IAM entities, KMS keys, Secrets Manager metadata, security groups, CloudWatch configuration)
- Resource attributes: names, tags, regions, states, estimated costs
- Security findings generated by our analyzers
- Scan timestamps and duration
Usage Data:
- Login timestamps
- Pages visited and API endpoints accessed within the application
- Scan frequency and history
- IP address (used for security logging only, not analytics)
Technical Data:
- Browser type and version
- Device type and operating system
- Application error logs
2. How We Use Your Information
To provide the service:
- Scanning and analyzing your AWS infrastructure
- Generating security findings and compliance reports
- Displaying resources, findings, and infrastructure maps in your dashboard
- Processing and storing scan results
To manage your account:
- Creating and authenticating your account
- Sending transactional notifications (password resets, security alerts, scan completion)
- Processing subscriptions and billing through Stripe
To communicate with you:
- Responding to support requests
- Sending service announcements when necessary (e.g., downtime, security issues)
- Sending product and marketing emails only if you gave explicit consent
To maintain and improve the service:
- Identifying bugs and performance issues
- Analyzing aggregated usage patterns to improve features
- Using aggregated, fully anonymized statistics derived from scan data to improve our detection rules (for example, understanding how commonly certain misconfigurations occur across all scans). This data cannot be linked back to any individual or organization.
- Monitoring for security threats and unauthorized access
To comply with legal obligations:
- Maintaining audit logs
- Responding to lawful requests from authorities
- Fulfilling GDPR obligations
We do not:
- Sell or rent your personal data to anyone
- Use your data for third-party advertising or behavioral profiling
- Use your data to train machine learning models
- Share your AWS scan data with any third party
Marketing communications are only sent with your explicit opt-in consent. If you opt in, you may receive automated email sequences relevant to your account status and subscription tier. You can withdraw consent and unsubscribe at any time through your account settings, the unsubscribe link in any email, or by emailing support@scanorbit.cloud. Withdrawing consent does not affect the lawfulness of processing that occurred before withdrawal.
3. Data Storage and Location
3.1 Where Your Data Is Stored
All primary application data is stored in the European Union:
- Application servers and database: Amsterdam, Netherlands (Scaleway)
- Encrypted backups: Amsterdam, Netherlands (Scaleway Object Storage)
Certain third-party services we use to operate ScanOrbit are based in the United States. These services process limited categories of data as described in Section 5.2 and operate under EU-approved data transfer mechanisms (Standard Contractual Clauses as adopted by the European Commission in Implementing Decision (EU) 2021/914, and Data Processing Agreements). See Section 5.2 for the full list.
3.2 Encryption
At rest: AES-256 encryption for stored data, encrypted database backups, encrypted OAuth tokens and TOTP secrets.
In transit: TLS 1.2+ for all connections. HTTPS only; HTTP is not accepted. All internal service-to-service communication is also encrypted.
Passwords: bcrypt hashing with salt. We never store plaintext passwords.
4. How Long We Keep Your Data
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Until account deletion requested | Required to operate your account |
| AWS resource data | Free: 7 days, Pro: 90 days, Team: 180 days after resource is no longer detected | Enables comparison across scans based on subscription features |
| Scan results | Free: 30 days, Pro: 365 days, Team: 730 days | Historical comparison and trend analysis based on subscription features |
| Resolved security findings | Free: 14 days, Pro: 180 days, Team: 365 days | Track resolution progress over time |
| Open security findings | Until resolved or account deleted | Active issue tracking |
| Audit logs | 730 days (2 years) | Security monitoring and compliance |
| Consent records | Retained for as long as necessary to demonstrate consent under GDPR Article 7(1) and to comply with legal obligations; retained for up to 3 years after account deletion or consent withdrawal, then permanently deleted | Required as proof of consent under GDPR |
| Free tier inactive accounts | 12 months of inactivity + 30-day notice before deletion | Account and data deleted if no activity; see Terms of Service Section 13.3 |
| Backups containing deleted data | 30 days after deletion completes | Disaster recovery; then permanently purged. During this period, your data may exist in encrypted backup archives. Individual records cannot be selectively removed from backups; instead, the entire backup set is retired on schedule. |
Account deletion process:
- You request deletion through your account settings or by emailing support@scanorbit.cloud
- A 30-day grace period begins. During this time you can cancel the request and restore your account.
- After 30 days, your account and personal data are permanently deleted from the live database.
- Backups containing your data are purged within 30 days after deletion.
- Audit logs are anonymized (user identifiers removed) but retained for their full retention period for compliance purposes.
5. Who Has Access to Your Data
5.1 Internal Access
ScanOrbit is operated by a single person (the business owner). Access to personal data by the operator is limited to:
- The business owner: Account administration, support, and debugging when necessary
- Automated monitoring systems: Security alerts and error detection (no human review unless triggered)
No employees or contractors currently have access to user data. If this changes, this policy will be updated and affected users notified.
5.2 Access by Other Users Within Your Organization (Team Tier)
If you are a member of an organization on ScanOrbit’s Team tier, other members of that organization can see:
- Your name and email address
- The organization name
- AWS accounts connected to the organization
- Resources, findings, and scan results for those AWS accounts
This sharing is necessary to provide the multi-user collaboration features of the Team tier. The organization administrator controls who is invited to the organization and can remove members at any time.
If you are invited to an organization, this visibility is part of the Team collaboration functionality. If you leave or are removed from an organization, other members can no longer see your personal information.
Legal basis: Performance of a contract (GDPR Article 6(1)(b)) — multi-user access is a core feature of the Team subscription.
5.3 Third-Party Services (Sub-processors)
We use the following third-party services. Each processes only the data categories listed and has a GDPR-compliant Data Processing Agreement in place.
| Service | Purpose | Data Processed | Location |
|---|---|---|---|
| Scaleway | Infrastructure hosting | All application data | EU (Amsterdam) |
| AWS | Scanning customer infrastructure | AWS account metadata during scans | EU (Frankfurt) |
| Stripe | Payment processing | Email, name, billing address, subscription data | USA (SCCs + DPA) |
| Resend | Transactional and marketing email delivery | Email addresses, email content | USA (SCCs + DPA) |
| Google OAuth | Authentication (optional) | OAuth tokens, email, profile name | USA (SCCs + DPA) |
| GitHub OAuth | Authentication (optional) | OAuth tokens, email, profile name | USA (SCCs + DPA) |
Self-hosted on our EU infrastructure (not third-party sub-processors):
| Service | Purpose | Data Processed |
|---|---|---|
| Umami | Privacy-first web analytics | Anonymous page views only (no cookies, no personal data) |
Scope limits for sub-processors:
- US-based sub-processors (Stripe, Resend, Google OAuth, GitHub OAuth) do not process your AWS scan data, security findings, or infrastructure inventory
- We do not store long-term AWS access keys or secret keys; scans use temporary credentials obtained through role assumption
- Hosting and cloud infrastructure providers (such as Scaleway and AWS) may process data required to operate the service under our instructions and contractual safeguards
5.4 Legal Disclosure
We may disclose your information when required by:
- A court order or binding legal process
- A lawful request from a government authority
- The need to protect the rights, safety, or property of our users or the public
We will notify you of such requests unless we are legally prohibited from doing so.
6. Your Rights Under GDPR
You have the following rights regarding your personal data. To exercise any of them, email dpa@scanorbit.cloud. We will respond within 30 days. For complex requests involving large volumes of data, this period may be extended by up to two additional months, as permitted by GDPR Article 12(3). We will inform you of any such extension within the initial 30-day period.
6.1 Right of Access (Article 15)
You can request a copy of all personal data we hold about you.
6.2 Right to Rectification (Article 16)
You can correct inaccurate personal data. You can update your name directly in your account settings. To correct your email address or other data that cannot be changed through the interface, contact dpa@scanorbit.cloud.
6.3 Right to Erasure (Article 17)
You can request deletion of your account and all associated data. The deletion process follows the timeline described in Section 4.
6.4 Right to Data Portability (Article 20)
You can request an export of your data in a structured, commonly used, machine-readable format (JSON). This includes your account information, scan history, findings, and resource data.
6.5 Right to Restrict Processing (Article 18)
You can request that we limit processing of your data while a dispute or request is being resolved.
6.6 Right to Object (Article 21)
You can object to processing based on legitimate interest. You can also opt out of marketing communications at any time.
6.7 Right to Withdraw Consent (Article 7(3))
Where processing is based on your consent (such as marketing emails), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before you withdrew. You can withdraw consent by:
- Clicking the unsubscribe link in any email
- Changing your preferences in account settings
- Emailing dpa@scanorbit.cloud
6.8 Right to Lodge a Complaint
If you believe your data protection rights have been violated, you can file a complaint with a supervisory authority. For the Netherlands:
Autoriteit Persoonsgegevens (AP)
Website: https://autoriteitpersoonsgegevens.nl
Phone: +31 70 888 8500
You also have the right to lodge a complaint with the supervisory authority in your own EU member state.
7. Automated Processing
ScanOrbit automatically analyzes your AWS infrastructure and assigns severity ratings (Critical, High, Medium, Low, Trivial) to detected issues. This automated analysis is based on predefined rules (e.g., “an unencrypted EBS volume is a Medium finding”) and does not involve profiling or automated decision-making that produces legal effects or similarly significant effects on you.
You can review, override, or dismiss any finding through the dashboard (snooze, ignore, or resolve).
8. Data Security
8.1 Technical Measures
- AES-256 encryption for data at rest
- TLS 1.2+ encryption for data in transit
- bcrypt password hashing
- Parameterized SQL queries (SQL injection prevention)
- CORS protection and rate limiting on API endpoints
- Encrypted secret storage for OAuth tokens and TOTP secrets
- Regular security updates and dependency patching
8.2 Organizational Measures
- Principle of least privilege for all access
- No AWS credentials stored (temporary role assumption only)
- Encrypted automated backups
- Incident response procedures documented internally
8.3 Data Breach Notification
To the supervisory authority (GDPR Article 33): In the event of a personal data breach likely to result in a risk to your rights, we will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, affected data categories, approximate number of affected individuals, likely consequences, and measures taken to address the breach.
To affected individuals (GDPR Article 34): If a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay by email. The notification will describe the breach in plain language, provide our data protection contact details, describe the likely consequences, and explain the measures taken to mitigate harm.
Internal process: All breaches are documented internally regardless of whether notification is required. Each incident is followed by a review to prevent recurrence.
9. AWS Data and Permissions
9.1 What We Access
We connect to your AWS account using a read-only IAM role that you create and control. We can only view resource metadata and configuration. Specifically:
- EC2 instances, EBS volumes, snapshots, and security groups
- RDS databases and snapshots (metadata only, not database contents)
- S3 buckets (configuration and tags only, not object contents)
- Application Load Balancers and target groups
- ACM certificates
- Lambda functions and configuration
- CloudWatch alarms and log groups
- IAM users, roles, access keys (metadata only, no credentials)
- KMS keys and rotation status
- Secrets Manager secrets (metadata only, not secret values)
- Resource tags across all services
9.2 What We Cannot Do
We cannot modify, delete, create, or write anything in your AWS account. The IAM role is read-only. We cannot access S3 object contents, database contents, or secret values.
9.3 Your Control
- You create and own the IAM role
- You can revoke access at any time by deleting the role
- We never store AWS access keys or secret keys
- Each scan uses temporary credentials obtained through role assumption
10. Cookies and Analytics
10.1 Essential Cookies
We use essential cookies only:
- Authentication session cookie (refresh_token): keeps you logged in securely between requests
These cookies are necessary for the service to function and do not require consent under the ePrivacy Directive.
10.2 Analytics (Umami)
We use Umami, an open-source analytics tool that we self-host on our own EU infrastructure. Umami runs on both the marketing website (scanorbit.cloud) and the ScanOrbit application (app.scanorbit.cloud) to help us understand website traffic and feature usage. Umami is configured to minimize personal data processing:
- No cookies are set
- No direct identifiers (such as names, email addresses, or account IDs) are intentionally collected for analytics
- IP addresses are not stored as part of analytics records (discarded immediately after country-level geolocation)
- No cross-site or cross-device tracking
- No behavioral profiles are built
We collect only: page URLs, referrer, general browser type, general operating system, device category (desktop/mobile/tablet), and country.
Legal basis: Legitimate interest (GDPR Article 6(1)(f)). Because analytics is configured without cookies and without direct identifiers, we do not request consent for this analytics setup under GDPR and the Dutch Telecommunicatiewet.
You can block analytics using browser extensions such as uBlock Origin or by enabling Do Not Track in your browser settings.
10.3 What We Do Not Use
We do not use Google Analytics, tracking pixels, session recording tools, heatmaps, advertising cookies, retargeting, or any ad network integrations.
See our Cookie Policy for details.
11. Children’s Privacy
ScanOrbit is a business tool and is not directed at children. We do not knowingly collect personal data from anyone under 16 years of age, in accordance with the Dutch Implementation Act (Uitvoeringswet AVG). Users aged 16 or 17 may use the Service with parental or guardian consent as described in our Terms of Service.
If we discover that we have collected personal data from a person under 16, we will delete the account and associated data promptly and notify the parent or guardian if possible.
12. Changes to This Policy
We may update this policy to reflect changes in our practices, legal requirements, or the services we use. When we make changes:
- Material changes (new sub-processors, new data categories, changes to your rights): we will notify all registered users by email before the changes take effect.
- Minor changes (clarifications, formatting, updated links): we will update the “last updated” date at the top of this page.
We will not reduce your rights under this policy without your explicit consent.
13. Contact
Data protection and GDPR requests:
- Email: dpa@scanorbit.cloud
- Response time: within 30 days
General inquiries:
- Email: hello@scanorbit.cloud
Business address:
ScanOrbit
Keizersgracht 241, Amsterdam, 1016EA Netherlands
KVK: 99611252
BTW-ID: NL005398711B41
14. Legal Basis for Processing (GDPR Article 6)
| Data Type | Legal Basis (GDPR Article 6) |
|---|---|
| Account information | Performance of a contract (Art. 6(1)(b)) |
| AWS scan data | Performance of a contract (Art. 6(1)(b)) |
| Billing and payment data | Performance of a contract (Art. 6(1)(b)) |
| Audit and security logs | Legitimate interest (Art. 6(1)(f)) — security and fraud prevention |
| Website analytics (Umami) | Legitimate interest (Art. 6(1)(f)) — no personal data collected |
| Marketing emails | Consent (Art. 6(1)(a)) — explicit opt-in, withdrawable at any time |
| Communication and support | Performance of a contract (Art. 6(1)(b)) and/or consent |
14.1 Contractual Necessity of Data Provision
Providing account and billing data is necessary to create and maintain your ScanOrbit account and subscription. If you choose not to provide required data, we may be unable to provide the service (or parts of it), including authentication, billing, and account support.
15. Data Processing Agreement
A Data Processing Agreement (DPA) aligned with GDPR Article 28 is available at scanorbit.cloud/dpa and automatically applies when you create an account, as described in our Terms of Service. If you have questions about the DPA, contact dpa@scanorbit.cloud.
16. Data Protection Officer
Under GDPR Article 37, we have assessed whether a Data Protection Officer (DPO) appointment is required. Based on the nature, scope, and scale of our current processing activities, appointment of a DPO is not currently required. This assessment will be reviewed as the product and customer base grow. For data protection inquiries, contact dpa@scanorbit.cloud.
17. Applicable Law
In addition to the GDPR, the Dutch Uitvoeringswet Algemene verordening gegevensbescherming (UAVG) applies to the processing of personal data described in this policy.
Version: 2.0
Effective Date: March 26, 2026