What we collect, what we don't.

This page describes what data Cipherwake and cipherwake.io collect from visitors, what we do with it, and what we won't do. The short version: we collect as little as possible, we don't sell anything, and the only personally-identifying data we hold is the email address you voluntarily give us.

What we collect

• Domain names you scan. When you type a domain into cipherwake.io or run npx pqcheck <domain>, the domain is sent to our servers so we can scan it. We cache scan results by domain (not by user) for ~30 minutes to avoid re-scanning the same domain rapidly.
• Hashed IP for rate-limiting. We compute a salted SHA-256 hash of your IP address to enforce a 60-scans-per-hour cap. The raw IP is never stored. The hash can't be reversed and is used only for counting requests over a rolling hour window.
• Anonymized scan events. Each scan writes one row to a scan_events table containing: domain, score, grade, hashed IP, user-agent string (e.g. Mozilla/... for the web, pqcheck-cli/0.7.6 for the CLI, ext for the browser extension), and a referer hostname if one was sent. These rows let us track aggregate adoption (how many scans, what surface, what sectors), enforce rate limits, and publish public leaderboards for curated-peer domains. We do not link scan events into per-user sessions and there is no client-side cross-scan identifier.
• Email addresses you submit. If you opt in to our update list or domain-change subscriptions, we store the email address and optional context (which domain you were viewing when you signed up). No other personal data is collected.
• Domain observation history. When we scan a domain, we record what the scan saw — the live-served cert fingerprint, the subdomains observed in CT logs, the third-party scripts loaded, the TLS/HTTP posture, DNS records, and the score components that resulted. These observations are stored per domain, not per scanner. Anyone could reproduce them by running a TLS handshake against the same public hostname. Building this history is how we offer change-detection features like the "tracked since" line, the watch card, and the cross-tenant key lookup at /key/<spki>. None of it is personal data about you.
• Optional dispute submissions. If you tell us a finding looks wrong (via the "Dispute this finding" button or a similar form), we store: the domain, the finding ID, your reason, your optional dispute text, a hashed reporter IP, and — if you choose to provide it — an email for follow-up. The email is strictly optional and used only to reply to your specific dispute. You can request deletion at any time.
• Vercel Web Analytics (server-side, cookieless). Vercel's built-in analytics counts pageviews and a small number of custom events (e.g. scan_completed, founding_cta_clicked) on cipherwake.io. It runs server-side without cookies and does not attribute events to identified users. Vercel acts as a sub-processor under their privacy policy.
• Standard server logs. Vercel's edge network logs basic request metadata (URL, status code, response time). These are retained for diagnostics and standard abuse prevention, then discarded per Vercel's standard log retention.

The server-side scan logging and pageview analytics described above are standard industry practice for free public security tools — SSL Labs, Have I Been Pwned, the npm registry, pkg.go.dev, and most comparable services do equivalent server-side logging without per-user identifiers. The defining choice we make is to hash IPs at write time and never store cross-scan or cross-session identifiers, so there is no per-user history to leak or subpoena.

What we don't collect

• We do not use cookies, web beacons, browser fingerprinting, or third-party trackers (Google Analytics, Plausible, Mixpanel, Facebook Pixel, etc.).
• We do not associate scans with users, browsers, or sessions — every scan event is anonymized at write time.
• We do not collect names, addresses, phone numbers, or any other PII beyond email (and only if you submit one).
• We do not sell, rent, or share email addresses with anyone, ever.
• We do not read page contents, cookies, or form data through the browser extension — only hostnames of loaded resources when you explicitly click "Scan dependencies".

Cookies + analytics disclosure

Cipherwake does not set tracking cookies, third-party advertising cookies, or any cross-site tracking pixels. We use Vercel Web Analytics, which stores a session-scoped identifier in your browser's sessionStorage (not a cookie) for the duration of a single browsing session; the identifier is destroyed when you close the tab. This is GDPR-compliant without a cookie banner per Vercel's analytics privacy documentation.

If you sign in to a paid account, Supabase Auth stores a session cookie + a refresh token in your browser's localStorage so we can keep you signed in. This is a strictly-necessary cookie for the authentication functionality and does not require consent under ePrivacy/GDPR. Signing out (or clicking "Sign out everywhere" in /account) clears these values.

Data retention schedule

The retention windows below apply by data category:

• Scan history: 30 days on Free + free-account state, 12 months on Starter, 24 months on Growth, 36 months on Scale.
• Alerts: 90 days on Free, indefinite on paid tiers (subject to subscription period).
• Watched-domain config: retained while the account is active; deleted on account deletion (GDPR Art. 17 cascade).
• API keys: retained while the account is active; revoked keys are kept as metadata (key prefix + last-used date) but the secret is destroyed at rotation.
• Audit log entries (when present): 24 months on paid tiers; 90 days on Free.
• Webhook delivery attempts: 30 days for successful deliveries, 90 days for failed deliveries (for debugging).
• Anonymized scan events (hashed-IP + domain + score): retained indefinitely as aggregate analytics — these are not personal data.
• Server logs (Vercel edge logs): retained per Vercel's standard retention (~30 days), then discarded automatically.
• Account data after soft-deletion (24-month inactivity): hard-deleted after a further 30-day grace period.
• Account data after user-initiated deletion (GDPR Art. 17): immediate hard-delete via the transactional cascade RPC; backups roll off naturally within 30 days.

If you need a specific retention guarantee written into a contract, email legal@cipherwake.io.

How scan data is shared

Scan results for our pre-curated peer set (the domains in our public sector leaderboards) are publicly visible at /leaderboard.html. These domains are major publicly-listed institutions; their TLS configuration is observable on the open internet, and we treat the scan output as public information. If you represent one of these institutions and would like your domain removed from the public leaderboard, email remove@cipherwake.io. We review removal requests case-by-case.

Scans of other domains (anything not on our curated peer list — including domains submitted by users) are cached privately for the requesting user's experience and never publicly listed.

Email use

Email addresses are used only to send updates we promised at signup time:

• A monthly digest of major launches, new sectors, and methodology updates (waitlist signups)
• Per-domain alerts when a tracked domain's score changes materially (subscription signups — note that as of this writing, alert delivery is not yet active and signups go to a list-builder)

Every email we send includes a one-click unsubscribe link. You can also email us at hello@cipherwake.io to be removed.

Where data is stored

Scan cache, rate-limit counters, and email signups are stored in Supabase (Postgres) hosted in the United States (East). Application functions run on Vercel's edge network. We do not transmit or store any data outside these two providers.

Your rights

You may request deletion of any email-tied data we hold for you at any time. Email privacy@cipherwake.io with the email address you used to sign up; we will confirm deletion within 30 days.

EU/UK residents have additional rights under GDPR and UK GDPR (right to access, rectification, erasure, portability, restriction, and objection). California residents have rights under CCPA. All such requests should go to the same address above.

Children's privacy

Cipherwake is not directed at children under 16 and we do not knowingly collect data from anyone under 16. If we learn we have collected such data, we will delete it promptly.

Changes to this policy

Material changes will be reflected here with an updated date at the top. We will not retroactively expand the data we collect or share without explicit re-opt-in.

Contact

Email privacy@cipherwake.io for any privacy concern. For general questions about pqcheck or methodology, see the About page or email hello@cipherwake.io.