Privacy Policy

Last updated: 05/06/2026

1. Data Controller

The data controller is PatchPulse ("we", "the Service"), based in Italy. For any privacy-related request: [email protected].

2. Data Collected

2.1 Registration Data

When you create an account we collect: username, email address and password (stored only as an irreversible cryptographic hash with bcrypt). We never store the password in plaintext.

2.2 Scan Data

When you use the Website Vulnerability Scanner we collect: the scanned domain, the associated DNS verification record, the scan results (open ports, SSL/TLS information, DNS records, Nikto results). This information is associated with your account and visible only to you.

2.3 Browser Scanner Data

The Browser Scanner gathers technical information about your browser (user agent, screen resolution, web-technology support, etc.). If you are signed in, this data can be saved to your account. If you are not signed in, the data is processed client-side only and is not transmitted to our servers.

2.4 Browsing Data

For each request to the Service, the server automatically receives: IP address (via Cloudflare), country of origin, request date and time. This data is used for security, abuse prevention and recording in your account activity logs.

2.5 Cookies

We use exclusively technical session cookies necessary for authentication. These cookies are configured with HttpOnly, Secure and SameSite=Strict flags. We do not use profiling cookies, marketing cookies or third-party advertising cookies.

3. Legal Basis for Processing

We process your personal data on the basis of: contract performance (provision of the Service), consent (acceptance of the Terms of Service at registration), legitimate interest (Service security and abuse prevention), legal obligation (where applicable).

4. Purposes of Processing

Collected data is used to: provide the Service and its features, authenticate users and manage accounts, verify domain ownership via DNS, generate and display scan results, ensure security and prevent abuse (rate limiting, brute force protection), send transactional emails (registration confirmation, security notifications).

5. Data Sharing

We do not sell, rent or share your personal data with third parties for commercial purposes. Data may be shared with: Cloudflare (CDN and DDoS protection — your data transits through their network), Brevo/Sendinblue (transactional email — receives your email address), Google DNS and Cloudflare DNS (DNS resolution for domain verification — no personal data shared).

6. International Transfers

Some of the third-party services mentioned above may process data outside the European Economic Area (EEA). In such cases, transfers occur on the basis of Standard Contractual Clauses approved by the European Commission or other adequate safeguards provided by the GDPR.

7. Data Retention

We retain your data for as long as necessary to provide the Service. Specifically: account data (name, email): until account deletion; scan results: until deleted by the user or with the account; activity logs: until deleted by the user; verified domains: until the verification DNS record is removed. Upon account deletion, all associated data is permanently deleted within 30 days.

8. Security

We adopt technical and organizational measures to protect your data: passwords hashed with bcrypt (cost factor 12), HTTPS-only connections, session cookies with security flags, CSRF protection on all state-changing operations, rate limiting and brute force protection, isolated Docker containers with least privilege, scans executed through the Tor network to protect the target's privacy.

9. Your Rights (GDPR)

Under Regulation (EU) 2016/679 (GDPR), you have the right to: access your personal data, rectify inaccurate data, erase data ("right to be forgotten"), restrict processing, obtain data portability, object to processing. To exercise these rights, write to [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).

10. Minors

The Service is not intended for minors under 16. We do not knowingly collect data from minors under 16. If we learn we have collected data from a minor, we will delete it immediately.

11. Changes

We reserve the right to update this Privacy Policy. In case of material changes, we will notify you through the Service. Continued use of the Service after the changes are published constitutes acceptance of them.

12. Contact

For privacy questions: [email protected]