Privacy Policy
This Privacy Policy explains how autoprocess-fz, a free zone company incorporated in the Ras Al Khaimah Economic Zone, United Arab Emirates ("we", "us", "our"), collects, uses, retains, and shares your personal data when you use Securli, the automated security-scanning service at securli.ai (the "Service").
We are the data controller for the personal data described below. By using the Service you consent to the processing described here. If you do not consent, do not use the Service.
1. What we collect
| Category | What | Why | Retention |
|---|---|---|---|
| Account identifiers | Email address, hashed password (bcrypt), optional display name, country code (from payment), account creation timestamp. | To create and authenticate your account; to contact you about the Service. | Until account deletion + 30 days for backups. |
| Session metadata | Session token hash (SHA-256), IP address, user-agent string, session creation and expiry timestamps. | To maintain your login; to detect fraud and abuse. | 30 days from last use; then automatically deleted by a daily cron job. |
| Payment metadata | Transaction ID, amount, currency, status, payment timestamps, and the full payload Paddle sends us. We never see or store card details. Card data is handled exclusively by Paddle. | To reconcile payments with scans you've purchased; to handle disputes; to satisfy accounting and tax obligations. | 7 years (UAE accounting record retention). |
| Scan targets and findings | The domain you verified, the verification method used, raw scanner output, generated findings (severity, title, target, explanation, remediation prompt), and the events you logged on those findings (viewed, prompt-copied, marked-fixed). | To deliver and re-display the report you paid for; to compute "fixed since last time" on rescans. | Raw scanner output: 90 days. Generated reports: 365 days. Then automatically deleted. |
| Audit log | Sensitive actions (admin views, refund issuance, scan downloads, configuration changes), with actor, target, IP, and timestamp. | Security, compliance, and incident response. | Retained indefinitely, per security best practice. |
| Diagnostic logs | Structured server logs containing request IDs, customer IDs, scan IDs, error messages, and timing data. Passwords, tokens, and secrets are redacted. | To operate, debug, and improve the Service. | 30 days in CloudWatch; then permanently deleted. |
2. What we do not collect
- Card numbers, CVVs, expiry dates, or any other payment instrument data. Paddle handles all of that.
- The contents of your source code or your customers' data. The repo-scan engine downloads code to an ephemeral container, scans it for findings metadata, and deletes the working copy. Only the metadata of findings (file path, rule, snippet line range) is retained.
- Behavioural tracking beyond the diagnostic logs above. We do not run third-party advertising or marketing trackers on the Service. The Cloudflare-managed analytics on the marketing site is privacy-preserving and cookieless.
3. Legal basis for processing (GDPR / UK GDPR / UAE PDPL)
- Contract performance for account, session, payment, and scan data — we cannot deliver the Service without processing this data.
- Legitimate interest for diagnostic logs and audit logs — we have a legitimate interest in operating a reliable, secure service.
- Legal obligation for payment metadata retained under UAE accounting law.
- Consent where required, e.g. transactional emails about your account — withdrawable by closing the account.
4. Who we share data with — subprocessors
We use the following third parties to operate the Service. They process your data on our instructions and under contractual data-protection terms.
| Subprocessor | What they do | Where |
|---|---|---|
| Paddle.com Market Limited | Merchant of Record — processes payments, handles tax, manages chargebacks. They are the controller for card data. | UK / EU / global |
| Cloudflare, Inc. | DNS, CDN, WAF, Zero Trust Access, Pages hosting for the marketing site. | Global edge |
| Amazon Web Services, Inc. | Compute (EC2, Fargate), database (PostgreSQL), storage (S3), secrets (Secrets Manager), queue (SQS), KMS encryption. | London, UK (eu-west-2) |
| Anthropic, PBC | LLM API for converting raw scanner output into plain-English explanations and remediation prompts. | USA |
| OpenAI, L.L.C. | LLM API fallback when Anthropic is unavailable. | USA |
| Have I Been Pwned (Troy Hunt) | Public breach-data lookup for scanning targets. | USA |
| GitHub, Inc. | Source code repository and CI/CD for our deployment pipeline. Not a recipient of customer scan data. | USA |
| Sentry, Inc. | Application error monitoring (errors and stack traces, with PII scrubbed). | USA |
We do not sell or rent your personal data. We do not share it with advertisers, data brokers, or analytics resellers.
5. International data transfers
The Service operates primarily from the United Kingdom (AWS London, eu-west-2). Some subprocessors are based in the United States. Where personal data is transferred outside your jurisdiction, we rely on:
- Standard Contractual Clauses where the destination is not covered by an adequacy decision, including the UK International Data Transfer Addendum where applicable.
- The recipient subprocessor's own certifications (e.g., the EU-US Data Privacy Framework) where applicable.
6. Your rights
Depending on your jurisdiction, you have some or all of the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — ask us to delete data we no longer need to retain by law.
- Restriction — ask us to limit how we process your data.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdrawal of consent — where processing is based on consent, withdraw it at any time.
- Lodge a complaint with the supervisory authority in your jurisdiction (e.g., the UAE Data Office, the UK ICO, your EU country's DPA).
To exercise any of these rights, email [email protected] from the address on your account, or from an address where you can otherwise prove your identity. We respond within 30 days. We may need to verify your identity before acting.
Where data is retained because of a legal obligation (e.g., payment records under UAE accounting law), we will tell you and continue to retain only what we are required to retain.
7. Security
We protect your data with industry-standard controls, including:
- Encryption in transit (TLS 1.2+ everywhere; TLS 1.3 preferred).
- Encryption at rest using customer-managed AWS KMS keys with annual rotation.
- Passwords hashed with bcrypt (cost 12); session tokens stored only as SHA-256 hashes.
- Defence-in-depth at the network edge via Cloudflare WAF, rate limiting, and Zero Trust gating for administrative paths.
- Least-privilege IAM for every service.
- Continuous security-finding triage; see our public SECURITY.md.
No system is perfectly secure. We commit to investigating reports of vulnerabilities promptly. To report one, email [email protected] with "Security" in the subject.
8. Cookies and tracking
We use exactly one cookie:
securli_session— strictly necessary for keeping you logged in. HttpOnly, Secure, SameSite=Lax, 30-day expiry. Contains an opaque session token, not your account data.
We do not use advertising cookies, marketing pixels, third-party analytics trackers, or fingerprinting. Cloudflare Web Analytics on the marketing site is cookieless and aggregates only.
9. Children
The Service is not directed to children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe we have collected data from a child, please contact us and we will delete it.
10. Data breach
In the event of a personal data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours where required, and notify affected users without undue delay where the breach is likely to result in a high risk.
11. Changes to this Policy
We may update this Policy. We will publish the updated version at this URL with a new effective date. Material changes will be notified by email to your account address at least 14 days before they take effect. Your continued use after the effective date constitutes acceptance.
12. Contact
For any privacy-related question, request, or complaint, contact:
autoprocess-fz (data controller)
Ras Al Khaimah Economic Zone (RAKEZ)
Ras Al Khaimah, United Arab Emirates
Email: [email protected] (subject line: "Privacy")