Privacy Policy
Last updated: 20 May 2026
This Policy explains what personal data we collect, why we collect it, and what we do with it. We collect only what we need to operate Pwnkemon, and we don't sell your data to third parties.
Who we are
Pwnkemon is operated from the United Kingdom. For questions about this Policy or data requests, contact [email protected].
What we collect
Account data — your email address and authentication identifiers from Clerk (our sign-in provider). If you sign in with Google, Clerk provides your verified email; we do not see your Google password.
Verified targets — domains or IPs you've proven ownership of, plus the challenge tokens used to verify them.
Scan data — your scan requests, status, findings, agent tool calls and decisions, and the final reports.
Usage data — token counts, costs per scan, API call timestamps, IPs and User-Agents recorded when you use API tokens, for billing and abuse detection.
Billing data — payment is processed by Stripe. We receive metadata (customer ID, plan, period) but never your card number.
What we do with it
- Provide and operate the Service.
- Authenticate and authorise you to perform actions on your account.
- Enforce plan quotas and rate limits.
- Bill you correctly and produce invoices.
- Investigate security incidents and abuse.
- Communicate operational notices (scan completion, billing failures, planned maintenance).
We do not use your scan data to train AI models. We do not sell or rent your data to third parties.
Third-party processors
We share the minimum data necessary with these processors to operate the Service. Each is bound by a Data Processing Agreement and, for processors based outside the UK, by Standard Contractual Clauses (SCCs) covering international transfers:
- Clerk (US) — authentication. Receives login identifiers and session data.
- Anthropic (US) — large-language-model inference for the scanning agent. Receives scan inputs (target URL, tool outputs) during the scan run. Anthropic does not retain prompts for training.
- Stripe (US / Ireland) — payment processing. Receives customer email, subscription metadata, and card data (which never touches our systems).
- Railway (US) — application hosting and managed PostgreSQL.
- GitHub (US) — when you install the Pwnkemon GitHub App for code scans, GitHub mediates repository access and (optionally) container-image registry pulls. GitHub receives no data from us beyond the installation token requests for repositories you've already granted us.
- Sentry (US) — error-tracking. Receives anonymised exception traces; PII is filtered out by default (send_default_pii=False).
- Better Stack (if enabled) — uptime monitoring against the public health endpoint. No personal data.
Where data is stored
Production data is currently stored in Railway's US-West (California) region in their managed PostgreSQL. This is an international transfer for UK and EU customers; we rely on Standard Contractual Clauses with Railway and on each downstream processor's published SCCs for legitimisation under UK GDPR Article 46.
Backups may transit briefly to other Railway regions for redundancy. We'll notify customers in writing if the production region changes.
How long we keep it
- Scan reports (Free plan) are hard-deleted after 7 days by an automated retention sweep — not just hidden from the read endpoint, the underlying rows are gone.
- Scan reports (paid plans) are retained until you delete the scan or close your account.
- Customer-supplied authentication credentials (the encrypted blob you attach when scanning an authenticated endpoint) are nulled out automatically once the scan reaches a terminal state — never persisted beyond the scan run.
- Account & billing data is retained while your account is active and for up to 7 years after closure to meet UK tax and accounting requirements.
- Backups may contain deleted data for up to 30 days before being purged.
Your rights
Under UK GDPR and equivalent regulations you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request deletion of your data (subject to legal retention obligations);
- request a portable export of your data;
- object to certain uses of your data;
- complain to the Information Commissioner's Office (ICO) if you believe your rights have been breached.
Account deletion can be self-served via the Dashboard → Settings → Delete account, or by sending DELETE /auth/me?confirm_email=<your-email> with your API token. This hard-deletes your User row and cascades through every related table (scans, findings, agent step logs, verified targets, API tokens, credit ledger, one-off purchases). The Stripe customer record is unlinked from our side; Stripe retains its own copy for tax compliance, so contact them directly if you want that removed.
For any right we can't self-serve (access export, rectification, objection), email [email protected]. We'll respond within 30 days.
Security
All traffic in and out of Pwnkemon is TLS 1.2+. API tokens are stored as SHA-256 hashes, never in plain text. Sensitive credentials (Clerk, Stripe, Anthropic) are stored as environment variables on Railway with access restricted to the operations team.
If you believe you've found a security issue in Pwnkemon, please email [email protected] rather than the general support channel.
Cookies & tracking
We use the minimum cookies required to keep you signed in (managed by Clerk). We do not use third-party analytics or advertising cookies.
Children
Pwnkemon is not directed at people under 18 (consistent with our Terms of Service). If you believe we hold data about anyone under 18 without parental consent, contact us and we will delete it.
Changes to this Policy
We may update this Policy. Material changes will be notified by email or in-app at least 14 days before they take effect.
This Policy is a working baseline that has not yet been reviewed by a solicitor. We expect to make changes before general availability. Existing users will be notified of any substantive amendment ahead of the effective date.