Last updated: March 2026 • Effective: March 2026
RETROH4CK, operated by adityasec.com, is the data controller for this platform. For any privacy-related inquiries, concerns, or requests, contact us at [email protected].
Account information: Your email address, display name, and password hash. We never store passwords in plain text — only bcrypt-hashed representations.
Scan targets: Domains and subdomains you submit for reconnaissance. These are the root-level assets you configure for scanning.
Scan results: Discovered subdomains, open ports, identified services, vulnerability findings, screenshot captures, and all tool outputs generated during the scanning process.
Usage data: Page views, feature usage patterns, and interaction data collected to improve platform reliability and user experience.
Session data: IP addresses, browser/device fingerprints, login timestamps, and session tokens used for authentication and security monitoring.
Provide the service: Authenticate your sessions, execute scans against your configured targets, store and display results, and enforce organization-scoped access controls.
Improve the platform: Analyze usage patterns to identify bugs, optimize performance, and prioritize feature development.
Security monitoring: Detect and prevent unauthorized access, brute-force attempts, and abuse of the platform.
Communications: Send OTP codes for two-factor authentication, security notifications, and service-related updates. We do not send marketing emails.
Self-hosted infrastructure: All data is stored exclusively on our own servers. There is no cloud sync, no telemetry, and no phone-home mechanism. Your data never leaves our infrastructure unless you explicitly trigger an external integration, such as a scan that queries a third-party service with your own API key (described under third-party integrations below).
Password hashing: All passwords are hashed using bcrypt with an adaptive cost factor, so the work required per guess can be raised as hardware gets faster. Hashing is one-way: the original password cannot be recovered from the stored hash, even by us.
Two-factor authentication: Available for all accounts via email-based OTP. Each code is single-use and expires after its TTL.
Encrypted secrets: External API keys (Shodan, VirusTotal, etc.) are encrypted at rest with Fernet, which uses AES-128 in CBC mode with an HMAC-SHA256 authentication tag, so a stored secret can be neither read nor tampered with without the encryption key. Keys are decrypted only at the moment of use and are never written to logs.
Parameterized SQL: All database queries use parameterized statements; user-supplied values are passed as bound parameters rather than concatenated into query text, which prevents SQL injection.
CSRF protection: Cryptographic CSRF tokens are enforced on every state-changing operation.
Session expiry: Sessions automatically expire after 6 hours of inactivity. Session cookies are configured with HttpOnly, Secure, and SameSite=Lax attributes.
Organization-scoped isolation: All scan data and results are strictly scoped to your organization at the database query level (every query that reads or writes scan data is filtered by organization), so no user from one organization can access another organization's data.
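The two measures above, parameterized SQL and organization scoping at the query level, are easiest to see together. The following is an added example written for this page, not the platform's own code; the schema, sample rows, email addresses and the injection string are constructed for the demonstration, and the session object, table names and function names are assumptions. It shows a tenant-safe lookup that always binds both the scan ID and the session's organization as parameters, next to the string-interpolation anti-pattern that lets a crafted ID comment out the organization filter and read another tenant's scan.

```python
import sqlite3
from dataclasses import dataclass

# Constructed schema and sample rows for the demonstration; the platform's real
# tables are not known from the policy text.
SCHEMA = """
CREATE TABLE organizations (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT UNIQUE NOT NULL,
    org_id INTEGER NOT NULL REFERENCES organizations(id)
);
CREATE TABLE scans (
    id INTEGER PRIMARY KEY,
    org_id INTEGER NOT NULL REFERENCES organizations(id),
    target TEXT NOT NULL,
    finding TEXT
);
"""


@dataclass(frozen=True)
class Session:
    """Identity established at login (hypothetical). org_id comes from the
    users table, never from anything the client sends on later requests."""
    user_id: int
    org_id: int


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO organizations VALUES (?, ?)",
                     [(1, "acme"), (2, "globex")])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(10, "alice@acme.example", 1), (20, "bob@globex.example", 2)])
    conn.executemany("INSERT INTO scans VALUES (?, ?, ?, ?)", [
        (100, 1, "acme.example", "open port 22/tcp"),
        (101, 1, "api.acme.example", "expired TLS certificate"),
        (200, 2, "globex.example", "open port 3306/tcp"),
    ])
    return conn


def login(conn, email: str) -> Session:
    row = conn.execute("SELECT id, org_id FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        raise PermissionError("unknown user")
    return Session(user_id=row[0], org_id=row[1])


def list_scans(conn, session: Session) -> list:
    rows = conn.execute(
        "SELECT id, target FROM scans WHERE org_id = ? ORDER BY id",
        (session.org_id,),
    ).fetchall()
    return [{"id": r[0], "target": r[1]} for r in rows]


def get_scan(conn, session: Session, scan_id):
    """Tenant-safe lookup. Both predicates are bound parameters and the org
    filter is always present, so a scan belonging to another organization is
    indistinguishable from one that does not exist (no ID enumeration)."""
    row = conn.execute(
        "SELECT id, target, finding FROM scans WHERE id = ? AND org_id = ?",
        (scan_id, session.org_id),
    ).fetchone()
    return None if row is None else {"id": row[0], "target": row[1], "finding": row[2]}


def get_scan_unsafe(conn, session: Session, scan_id):
    """The anti-pattern, kept only to show what parameterization prevents:
    interpolating scan_id into the SQL lets a crafted value rewrite the WHERE
    clause and comment out the organization filter."""
    sql = (f"SELECT id, target, finding FROM scans "
           f"WHERE id = {scan_id} AND org_id = {session.org_id}")
    row = conn.execute(sql).fetchone()
    return None if row is None else {"id": row[0], "target": row[1], "finding": row[2]}


def run_demo() -> dict:
    conn = open_db()
    alice = login(conn, "alice@acme.example")          # member of org 1
    payload = "200 AND org_id = 2 --"                   # constructed injection string
    return {
        "alice_scans": [s["id"] for s in list_scans(conn, alice)],
        "own_scan": get_scan(conn, alice, 100),
        "other_org_scan": get_scan(conn, alice, 200),              # None: filtered out
        "injected_safe": get_scan(conn, alice, payload),           # None: bound as text
        "injected_unsafe": get_scan_unsafe(conn, alice, payload),  # leaks org 2's scan
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The payload works against the unsafe function because the interpolated query becomes `... WHERE id = 200 AND org_id = 2 -- AND org_id = 1`, and everything after `--` is a comment. Bound as a parameter, the same string is just a text value that no integer ID equals, so the safe function returns nothing. The organization filter comes from the session, not from the request, which is the property that "scoped at the database query level" has to guarantee.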
We do not sell, trade, rent, or share your personal data with any third party for advertising, analytics, or profiling purposes.
Third-party integrations: When you initiate scans, the platform makes external API calls to services such as Shodan, VirusTotal, DNS resolvers, and certificate transparency logs. These calls are made using your own API keys and are triggered only by your explicit actions. Target domains and IP addresses are sent to these services as part of the reconnaissance process. We do not control the privacy practices of these third-party services.
Legal requirements: We may disclose data if required by law, court order, or government regulation. We will notify affected users where legally permitted to do so.
You have the right to:
• Access your personal data stored on this platform at any time
• Request deletion of your account and all associated data, including scan results and configurations
• Export your scan data in standard formats for portability
• Opt out of non-essential communications at any time
• Correct inaccurate personal information
• Withdraw consent for data processing at any time
To exercise any of these rights, contact [email protected]. We will respond within 30 days.
We use strictly necessary cookies only:
• Session cookie — HttpOnly, Secure, SameSite=Lax. Used for authentication and session management.
• CSRF token cookie — Secure, SameSite=Lax. Readable by JavaScript (non-HttpOnly by design) so that client-side code can copy the token into each state-changing request, where the server compares the submitted copy against the cookie value (the double-submit cookie pattern).
We do not use any third-party tracking, analytics, or advertising cookies; this platform sets no third-party cookies at all.
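For readers who want to see what the CSRF token cookie described above does on the wire, here is an added example written for this page, not the platform's own code. It implements the signed double-submit variant with the Python standard library: the token is a random nonce plus an HMAC over the session ID and nonce under a server-side key, so a token that was not issued by this server for this session fails verification even if an attacker who controls a sibling subdomain managed to plant it as a cookie (the plain, unsigned double-submit pattern is weak against exactly that). The cookie name, header name, session IDs and the `SERVER_SECRET` are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical server-side key. A real deployment loads it from configuration
# so that tokens survive restarts and verify across instances.
SERVER_SECRET = secrets.token_bytes(32)

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}.{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id || nonce). Binding the MAC to the
    session is what distinguishes this from the unsigned double-submit cookie."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def csrf_set_cookie(token: str) -> str:
    """Set-Cookie line for the token: Secure and SameSite=Lax, but deliberately
    not HttpOnly, because client-side code has to read it to echo it back."""
    jar = SimpleCookie()
    jar["csrf_token"] = token
    jar["csrf_token"]["secure"] = True
    jar["csrf_token"]["samesite"] = "Lax"
    jar["csrf_token"]["path"] = "/"
    return jar.output(header="Set-Cookie:")


def verify_csrf(session_id: str, cookie_token: str | None, submitted_token: str | None) -> bool:
    if not cookie_token or not submitted_token:
        return False
    # Double submit: the copy the client echoed must equal the cookie copy.
    if not hmac.compare_digest(cookie_token.encode(), submitted_token.encode()):
        return False
    # Binding: the MAC must verify under this server's key for this session.
    nonce, sep, mac = cookie_token.partition(".")
    if not sep:
        return False
    return hmac.compare_digest(_mac(session_id, nonce).encode(), mac.encode())


def handle_request(method: str, session_id: str, cookies: dict, headers: dict) -> int:
    """Status a CSRF middleware would produce. Safe methods are exempt; every
    state-changing method must carry a token that passes both checks."""
    if method in SAFE_METHODS:
        return 200
    ok = verify_csrf(session_id, cookies.get("csrf_token"), headers.get("X-CSRF-Token"))
    return 200 if ok else 403


def run_scenarios() -> dict:
    """Constructed requests covering the legitimate path and the usual attacks."""
    sid = "sess-1"
    tok = issue_csrf_token(sid)
    planted = f"{secrets.token_hex(16)}.{'0' * 64}"   # attacker-chosen token
    return {
        "set_cookie": csrf_set_cookie(tok),
        # Same-origin JS read the cookie and echoed it: allowed.
        "legit_post": handle_request("POST", sid, {"csrf_token": tok}, {"X-CSRF-Token": tok}),
        # Cross-site form post: browser sends the cookie, attacker cannot add the header.
        "cross_site_post": handle_request("POST", sid, {"csrf_token": tok}, {}),
        # Header and cookie disagree.
        "mismatched_copies": handle_request("POST", sid, {"csrf_token": tok}, {"X-CSRF-Token": planted}),
        # Attacker planted a matching cookie and header from a sibling subdomain:
        # defeats unsigned double-submit, fails here because the MAC is invalid.
        "planted_cookie": handle_request("POST", sid, {"csrf_token": planted}, {"X-CSRF-Token": planted}),
        # A valid token for a different session does not transfer.
        "other_session_token": handle_request("POST", "sess-2", {"csrf_token": tok}, {"X-CSRF-Token": tok}),
        "plain_get": handle_request("GET", sid, {}, {}),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Two details matter in practice: comparisons use `hmac.compare_digest` so token checking does not leak timing, and SameSite=Lax on its own is not a substitute for the token, since it does not cover every cross-site navigation case and older clients ignore it.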
Scan data: Retained on the platform until you explicitly delete it. You may delete individual scans or all scan data at any time through the application interface.
Account data: Retained until you request account deletion. Upon deletion, all associated data — including scan results, configurations, and personal information — is permanently removed.
Logs: Application and access logs are rotated on a regular schedule and do not persist indefinitely.
We may update this privacy policy from time to time to reflect changes in our practices or applicable regulations. Material changes will be communicated to registered users via email prior to taking effect. The "Last updated" date at the top of this page indicates when the most recent revision was made.
For any questions, concerns, or requests regarding this privacy policy or your personal data, contact us at [email protected].