Security & Privacy
Last updated: April 15, 2026
TL;DR (Human Version)
- No passwords. Just one-time codes.
- No ads. No tracking.
- We do not sell your data.
- We only collect what's needed to scan your site.
- You can delete your data anytime.
This is a simple summary. The sections below contain the full legal details.
Our Approach
We built TinScan to be simple and secure by default.
We collect the minimum data needed to operate the service and design our systems to reduce risk wherever possible.
Authentication
- No passwords — we use one-time login codes
- Sessions expire automatically after inactivity
- Sensitive actions may require re-verification
What We Collect (Simple View)
- Email (for login and alerts)
- Scan results (for your domains)
- Basic logs (for security and abuse prevention)
Privacy Policy (Full Legal Details)
Overview
TinScan ("we," "us," or "our") provides website security scanning and related services. This Privacy Policy explains what personal data we collect, how we use it, how we protect it, and the choices you have.
By using TinScan, you agree to the practices described in this Privacy Policy.
What We Collect
We may collect the following categories of data:
- Account information: such as your email address, used for authentication, account access, and security notifications.
- Domain verification data: such as verification tokens, verification records, and related proof-of-control data for domains or subdomains you verify.
- Scan results: such as security assessment results, findings, scan history, and related metadata for domains you scan or verify.
- Usage and security logs: such as IP addresses, timestamps, user agent information, and activity records used for security, abuse prevention, troubleshooting, and service operation.
- Session and cookie data: such as session identifiers and essential security-related cookie data needed to keep you signed in and protect the service.
- Communications: such as messages you send to us when requesting support or exercising your privacy rights.
We do not intentionally collect sensitive personal data unless you voluntarily provide it to us.
Domain Verification & Ownership
When you verify control of a domain:
- We store verification tokens and proof-of-control data to confirm that you were able to verify the domain at a specific point in time.
- Verification records are associated with your account for the purpose of providing scan history and related features.
- If you delete your account, verification records will be disassociated from your account. Limited records may be retained for security, fraud prevention, and operational integrity.
- Domain verification does not grant exclusive rights. Other users may independently verify and scan the same domain.
- Verification confirms control at the time of verification, not ongoing ownership of the domain.
How We Use Your Data
We use your data to:
- authenticate your account access;
- provide security scanning and related services;
- send login codes, security notifications, and service-related communications;
- maintain scan history and related account features;
- detect, prevent, and investigate fraud, abuse, unauthorized access, and other security issues;
- operate, maintain, troubleshoot, and improve the quality, reliability, and security of our service;
- comply with legal obligations and enforce our terms.
Legal Bases for Processing
Where required by applicable law, we rely on one or more of the following legal bases:
- Performance of a contract: to provide the service you request.
- Legitimate interests: to secure, maintain, improve, and protect our service and users.
- Consent: where we ask for and rely on your consent for a specific purpose.
- Legal obligation: where processing is necessary to comply with applicable law.
Data Storage and Security
We use reasonable administrative, technical, and organizational measures designed to protect personal data.
Examples of protections we use may include:
- encryption of sensitive data at rest using industry-standard methods;
- secure transmission of data over encrypted connections;
- authentication and access controls designed to limit internal access to authorized personnel;
- logging and monitoring for abuse prevention, fraud detection, and service security;
- short-lived one-time login codes instead of stored passwords.
We do not store account passwords because TinScan uses one-time login codes for authentication.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Service Providers
We may use trusted third-party service providers to help operate TinScan, such as providers for:
- hosting and infrastructure;
- email delivery;
- security monitoring;
- analytics limited to service operation and abuse prevention;
- customer support and related operational functions.
These providers may process personal data on our behalf and are permitted to use it only as necessary to provide services to us, subject to appropriate contractual and confidentiality obligations.
Data Retention
We retain data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
Typical retention periods may include:
- Account data: retained until you delete your account, unless we need to retain certain records for legal, security, fraud-prevention, or operational reasons.
- Login codes: retained only briefly for authentication and security purposes, and automatically expire after a short period.
- Session data: retained while your session remains active and for a limited period thereafter as needed for security and operational purposes.
- Usage and security logs: retained for a limited period for security, abuse prevention, troubleshooting, and operational purposes.
- Scan results and history: retained until you delete your account or remove the relevant data, unless retention is necessary for legitimate security, legal, or operational reasons.
When data is no longer needed, we will delete it or de-identify it where reasonably practicable.
Data Sharing
We do not sell or rent your personal data.
We may share data in the following circumstances:
- with trusted service providers that process data on our behalf;
- when required by law, regulation, legal process, or governmental request;
- to protect the rights, property, safety, security, and integrity of TinScan, our users, or others;
- in connection with investigating or preventing fraud, abuse, or security threats;
- with your direction or consent;
- in connection with a merger, acquisition, financing, reorganization, sale of assets, or similar business transaction, subject to appropriate confidentiality measures.
International Data Transfers
TinScan may process and store data in the United States and other jurisdictions where we or our service providers operate.
If you use TinScan from outside the United States, you understand that your data may be transferred to, stored in, and processed in countries outside your own, which may have data protection laws different from those in your jurisdiction.
Where required, we take steps designed to provide appropriate safeguards for such transfers.
Cookies and Similar Technologies
We use essential cookies and similar technologies for purposes such as:
- maintaining your login session;
- protecting the service against fraud and abuse;
- preserving security-related preferences and session integrity;
- operating core site functionality.
We do not use advertising cookies. If we introduce non-essential cookies in the future, we will update this Privacy Policy and, where required, request appropriate consent.
Your Rights and Choices
Depending on your location and applicable law, you may have the right to:
- access the personal data we hold about you;
- correct inaccurate or incomplete data (such as updating your email address);
- delete your account and associated personal data, subject to certain exceptions;
- receive a portable copy of certain data;
- object to or restrict certain processing, where applicable;
- withdraw consent where processing is based on consent.
To exercise these rights, contact us at privacy@tinscan.com.
We may need to verify your identity before fulfilling certain requests.
California Privacy Notice
If you are a California resident, you may have rights under California law, including the right to know, delete, and correct certain personal information, subject to legal exceptions.
TinScan does not sell or share personal information for cross-context behavioral advertising.
European Privacy Notice
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you may have additional rights under applicable data protection laws, including the right to lodge a complaint with your local supervisory authority.
Children's Privacy
TinScan is not directed to children under 13, and we do not knowingly collect personal data from children under 13. If we learn that we have collected such data without appropriate authorization, we will take reasonable steps to delete it.
Changes to This Policy
We may update this Privacy Policy from time to time.
If we make material changes, we may notify you by email, through the service, or by updating the effective date at the top of this page.
Your continued use of TinScan after an update becomes effective means you accept the revised Privacy Policy.
Data Controller
TinScan is an independently operated software service.
Contact
If you have questions about this Privacy Policy or would like to exercise your rights, contact:
privacy@tinscan.com