Privacy Policy

Last updated: April 6, 2026 · Effective: April 6, 2026

Summary: Strix Security collects only the data necessary to provide our network security scanning service. We do not sell your data. You can delete your account and all associated data at any time.

1. Who we are

Strix Security ("Strix", "we", "us", or "our") provides a SaaS network vulnerability scanning platform accessible at strixsecurity.org. We are committed to protecting your privacy and handling your data with transparency.

For privacy-related inquiries, contact us at: [email protected]

2. Data we collect

We collect the following categories of data:

Account data: Email address, hashed password, account creation date, subscription plan
Scan data: Network topology, IP addresses, open ports, discovered services, and CVE findings from scans you run on your own networks
Agent data: Hostname, operating system, local IP address, and last-seen timestamp of agents you deploy
Usage data: Login events, scan triggers, remediation approvals, and other actions logged for security auditing
Technical data: IP addresses of dashboard access, browser user agent strings

We do not collect payment card data directly — payments are processed by Stripe, which has its own privacy policy.

3. How we use your data

To provide and operate the Strix scanning service
To send scan completion notifications and security alerts via email
To maintain security audit logs for SOC 2 compliance
To detect and prevent unauthorized access or abuse
To improve the service based on aggregate usage patterns

We do not use your data for advertising, we do not sell your data to third parties, and we do not share your scan results with any third party without your explicit consent.

4. Data storage and retention

Scan data: Retained for 90 days, then automatically purged
Audit logs: Retained for 1 year for compliance purposes
Account data: Retained until account deletion
Backups: Encrypted backups may retain data for up to 30 days after deletion

All data is stored on servers located in the United States (DigitalOcean, New York region) and in Supabase's managed database infrastructure.

5. Data security

All data in transit is encrypted via TLS 1.2+
Passwords are hashed using bcrypt with salt
API keys are stored as SHA-256 hashes — the raw key is never stored
Agent credentials are encrypted using AES-128 (Fernet) on the client machine
Access to production systems is restricted and logged
We maintain a structured security audit log of all access and actions

6. Your rights (GDPR)

If you are located in the European Economic Area, you have the following rights:

Right of access: Request a copy of your personal data
Right to rectification: Correct inaccurate personal data
Right to erasure: Delete your account and all associated data via Settings → Danger Zone → Delete Account
Right to restriction: Request we limit processing of your data
Right to data portability: Request your data in a machine-readable format
Right to object: Object to processing of your personal data

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

7. Right to erasure

You can permanently delete your account and all associated data at any time by going to your dashboard → Settings → Danger Zone → Delete Account. This will immediately erase your account credentials, all scan results, agent records, and remove your data from our database. Audit log entries may be retained for up to 1 year as required for security compliance, but will be anonymized.

8. Cookies

We use only essential cookies and browser localStorage for session management (storing your authentication token). We do not use tracking cookies or third-party analytics cookies.

9. Third-party services

We use the following third-party services:

Supabase: Database hosting — Privacy Policy
Stripe: Payment processing — Privacy Policy
Resend: Email delivery — Privacy Policy
Cloudflare: DNS and CDN — Privacy Policy
NVD (NIST): CVE data source — no personal data shared

10. Children's privacy

Strix Security is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe we have collected data from a child, please contact us immediately.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on our website. Continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions or to exercise your rights, contact us at:
[email protected]
Strix Security — strixsecurity.org