Privacy Policy

Last updated: 2026-05-01

Overview

This Privacy Policy explains what information ReScanFlow ("we", "us", "the service") collects when you use our website and scanning services, how we use it, and the rights you have over your data.

Information we collect

  • Account information. When you sign in via Google OAuth, we receive your email address, name, and profile picture URL.
  • Scan data. URLs you submit for scanning, the scan results, screenshots of public-facing pages, and timestamps.
  • Usage data. Standard server logs (IP address, user agent, request paths) for security and abuse prevention. We retain logs for up to 90 days.
  • Payment data. Processed by PayPal — we never see or store your card details. We retain payment IDs and amounts for accounting and refund purposes.
  • Cookies. A session cookie (JSESSIONID) for authentication. We do not use third-party tracking cookies.

How we use it

  • To provide and improve the scanning service.
  • To send transactional emails (scan reports, receipts, security alerts).
  • To send the weekly digest, only if you opt in.
  • To investigate abuse, debug issues, and prevent fraud.
  • To meet legal and accounting obligations.

Sharing

We do not sell your data. We share it only with the following processors strictly to operate the service:

  • Google. OAuth login.
  • Amazon Web Services (AWS). Database hosting (RDS), email delivery (SES), image analysis (Rekognition).
  • OpenAI. AI-powered security insights (only the scan findings are sent — never your account info).
  • PayPal. Payment processing.
  • Webhook destinations you configure. If you set up Slack, Discord, or custom webhooks, scan results are sent to those endpoints — you control which.

We may also disclose data to comply with valid legal process (subpoena, court order) and notify you when legally permitted.

Retention

Scan results are retained for the lifetime of your account. Server logs: 90 days. Payment records: 7 years (tax/accounting). On account deletion request, all personal data is removed within 30 days except where retention is required by law.

Your rights

You can:

  • Access a copy of the data we hold about you.
  • Correct inaccurate information.
  • Delete your account and associated data.
  • Export your scan history.
  • Opt out of newsletters and digests in Settings.
  • Withdraw consent at any time (we'll stop processing within a reasonable time).

To exercise any of these, email privacy@rescanflow.com. EU/UK residents have additional rights under GDPR / UK GDPR.

Security

We use HTTPS for all traffic, encrypt sensitive secrets at rest, hash passwords and API keys with SHA-256, and follow industry best practices for access control. No system is perfectly secure, but we work to protect your data and disclose breaches per applicable law.

Children

ReScanFlow is not directed to children under 13 (or 16 in the EEA/UK). We do not knowingly collect data from minors. If you believe we have, contact us and we'll delete it.

Changes to this policy

We may update this policy from time to time. Material changes will be announced via email and a banner on the dashboard at least 14 days before they take effect.

Contact

Questions, requests, or complaints: privacy@rescanflow.com.