Privacy Policy
Last Updated: April 4, 2026
This Privacy Policy describes how Sekrd ("we," "us," or "our") collects, uses, stores, and shares your personal data when you use our platform at sekrd.com (the "Service"). We process your data in alignment with the principles set out in the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Service.
1. Data Controller
Sekrd is operated by WIT.KZ LLP (ТОО "WIT.KZ"), a limited liability partnership registered in the Republic of Kazakhstan, which acts as the data controller responsible for the processing of your personal data as described in this Privacy Policy. For all privacy-related inquiries, you may contact our data protection team at:
- Email: privacy@sekrd.com
- Website: sekrd.com
- Legal address: Kazakhstan, Astana, Nura District, Korgalzhyn Highway, Building 13B, Office 402, Postal Code 010000
2. Data We Collect
We collect the following categories of personal data:
2.1 Data You Provide
- Account information: Name, email address, and profile information obtained from your OAuth provider (Google, GitHub, or GitLab) when you create an Account.
- Scan targets: URLs and application addresses you submit for security scanning.
- Integration credentials: Third-party service keys (e.g., Supabase, Firebase) you optionally provide for deep scanning. These are encrypted at rest and retained during your active plan period to enable automated re-scans, then automatically deleted. You may delete them at any time from your dashboard settings.
- Communications: Any information you provide when contacting our support team.
2.2 Data Collected Automatically
- IP address: Collected for rate limiting, abuse prevention, and security purposes.
- User agent: Browser type and version, operating system information.
- Usage data: Pages visited, features used, scan frequency, and interaction patterns within the Service.
- Scan results: Findings, severity assessments, trust scores, and generated reports.
2.3 Incidental Data Access
During the automated security auditing process, the Service may incidentally interact with or retrieve payload data from your application to verify vulnerability existence (e.g., bypassing a misconfigured Row Level Security policy). Sekrd processes such incidental data strictly in volatile memory, does not persist, log, or store this data, and immediately discards it. You remain the sole Data Controller of any Protected Health Information (PHI), Payment Card Industry (PCI) data, or Personally Identifiable Information (PII) residing in your databases.
2.4 Data We Do Not Collect
- We do not collect voice or audio data.
- We do not collect precise geolocation or GPS data.
- We do not collect financial information directly (payments are handled entirely by Paddle).
- We do not store the contents of your databases or application source code.
3. How We Use Your Data
We process your personal data for the following purposes:
- Service delivery: To perform security scans, generate reports, produce fix prompts, and display results.
- Account management: To create and maintain your Account, authenticate your identity, and manage your subscription.
- Payment processing: To facilitate transactions through our Merchant of Record, Paddle.
- Security and abuse prevention: To enforce rate limits, detect and prevent fraudulent or unauthorized use, and protect the integrity of our infrastructure.
- Communications: To send you scan completion notifications, security alerts, account-related messages, and, where you have opted in, marketing communications.
- Service improvement: To analyze usage patterns, diagnose technical issues, and improve the features, reliability, and performance of the Service.
- Legal compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
4. Legal Basis for Processing (GDPR)
For Users in the European Economic Area (EEA) and United Kingdom (UK), we process personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR): Processing necessary to provide the Service you have requested, including account creation, scan execution, and report generation.
- Legitimate interest (Art. 6(1)(f) GDPR): Processing necessary for our legitimate business interests, including security monitoring, fraud prevention, service improvement, and analytics, where such interests are not overridden by your rights and freedoms.
- Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent for specific processing activities, such as receiving marketing communications. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c) GDPR): Processing necessary to comply with a legal obligation to which we are subject.
5. Third-Party Data Sharing
We share your personal data only with the following categories of third parties, and only to the extent necessary for the stated purposes:
- Paddle.com (Merchant of Record): Handles all payment processing, tax collection, invoicing, and refunds. Paddle receives your email address and transaction data necessary to process payments. Paddle acts as an independent data controller for payment data. See Paddle's Privacy Policy.
- Amazon Web Services (AWS): Provides hosting, compute, storage, and email delivery infrastructure. Data is processed in the US region (us-east-1). AWS acts as a data processor under our instructions.
- OAuth Providers (Google, GitHub, GitLab): Facilitate authentication. We receive your name, email, and profile information from these providers when you sign in. We do not share your Scan Data with OAuth providers.
We do not sell your personal data. We do not share your data with advertisers, data brokers, or any third parties for their own marketing purposes.
6. International Data Transfers
Our Service is hosted on Amazon Web Services in the United States. If you are accessing the Service from outside the United States, including from the European Economic Area (EEA) or United Kingdom (UK), your personal data will be transferred to and processed in the United States.
For transfers of personal data from the EEA/UK to the US, we rely on:
- The EU-US Data Privacy Framework, where applicable.
- Standard Contractual Clauses (SCCs) approved by the European Commission, as supplemented by additional safeguards where required.
You may request a copy of the safeguards we have in place by contacting privacy@sekrd.com.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
7.1 Rights Under GDPR (EEA/UK Residents)
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete personal data.
- Right to erasure: Request deletion of your personal data, subject to legal retention obligations.
- Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format.
- Right to restrict processing: Request that we limit the processing of your data in certain circumstances.
- Right to object: Object to processing based on legitimate interests, including profiling.
- Right to withdraw consent: Withdraw previously given consent at any time, without affecting the lawfulness of processing performed before withdrawal.
- Right to lodge a complaint: File a complaint with your local data protection supervisory authority.
7.2 Rights Under CCPA (California Residents)
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete: Request deletion of your personal information, subject to certain exceptions.
- Right to opt out of sale: We do not sell personal information. No opt-out is necessary.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise any of these rights, contact us at privacy@sekrd.com. You may also delete your Account and associated data directly from your Account dashboard. We will respond to verified requests within 30 days (or within the timeframe required by applicable law).
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law.
- Account data (name, email, OAuth profile): Retained for the duration of your Account. Deleted within 30 days of Account deletion.
- Scan data (URLs, results, findings, reports): Retained for 1 year from the date of the scan. Automatically purged thereafter.
- Integration credentials (Supabase keys, Firebase service accounts): Encrypted at rest and retained during your active plan period for re-scans. Automatically deleted when your plan expires or upon Account deletion. You may delete them at any time from your dashboard settings.
- Server logs (IP addresses, user agents, request metadata): Retained for 30 days and then automatically deleted.
- Payment records: Retained by Paddle in accordance with their retention policy and applicable tax and accounting regulations.
9. Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of sensitive data at rest using AES-256.
- OAuth-based authentication with no storage of passwords.
- Role-based access controls for internal systems.
- Regular security reviews and infrastructure monitoring.
- Immediate deletion of integration credentials after scan completion.
While we take commercially reasonable steps to secure your data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security.
10. Cookie Policy
We use only essential cookies that are strictly necessary for the operation of the Service:
- Session cookie (NextAuth): Maintains your authenticated session after signing in via OAuth. This cookie is required for the Service to function and cannot be disabled while using the Service.
We do not use tracking cookies, advertising cookies, or any third-party cookies. Because we use only essential cookies required for the basic functionality of the Service, no cookie consent banner is required under GDPR. You may configure your browser to block cookies, but this will prevent you from using authenticated features of the Service.
Privacy-first analytics. We use Cloudflare Web Analytics (cookieless, edge-aggregated, GDPR-friendly) for traffic measurement, and may use PostHog product analytics for funnel measurement when explicitly enabled. PostHog is configured in cookieless mode: a stable identifier is stored in your browser's localStorage rather than as a cookie, your IP address is not retained, no session recording is performed, and no automatic event capture is enabled — we record only explicit funnel events (page view, scan submitted, checkout started, purchase completed). You may clear localStorage or set Do Not Track at any time to opt out.
11. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected personal data from a child under 13 without verified parental consent, we will take steps to delete that data promptly.
If you believe that a child under 13 has provided us with personal data, please contact us immediately at privacy@sekrd.com.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the Service. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify you via the email address associated with your Account or through a prominent notice on the Platform.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Privacy inquiries: privacy@sekrd.com
- General support: support@sekrd.com
- Legal inquiries: legal@sekrd.com
For EEA/UK residents: If you are not satisfied with our response to your privacy concern, you have the right to lodge a complaint with your local data protection supervisory authority.
By using Sekrd, you acknowledge that you have read and understood this Privacy Policy.