Privacy Policy
Last updated: April 4, 2026
This Privacy Policy explains how ebats solutions UG (haftungsbeschränkt), Viechtacher Str. 16, 10318 Berlin, Germany, registered at Amtsgericht Charlottenburg (Berlin) HRB 243939 B ("Secureless," "we," "us") processes personal data when you use secureless.ai and related services ("Service").
1. Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
ebats solutions UG (haftungsbeschränkt)
Viechtacher Str. 16
10318 Berlin, Germany
E-Mail: privacy@secureless.ai
2. What data we collect
2.1 Account data
When you create an account, we collect:
- Email address
- Name (if provided)
- Company name (if provided)
- Authentication data (managed by our authentication provider)
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
2.2 Billing data
When you subscribe to a paid plan, our payment provider collects:
- Payment method details (credit card, SEPA)
- Billing address
- VAT identification number (if provided)
We do not store payment card details. These are processed and stored exclusively by our payment provider (see Section 5).
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
2.3 Usage data
When you use the Service, we collect:
- IP address
- Browser type and version
- Pages visited within the Service
- Actions taken (scans initiated, reports viewed, settings changed)
- Timestamps
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating and improving the Service).
2.4 Scan data
When you initiate a scan, we collect technical data about the target domain. This data is collected from publicly accessible sources and includes DNS records, HTTP headers, SSL/TLS configuration, JavaScript resources, network request logs, cookie data, and screenshots of publicly accessible pages.
Scan data relates to the technical infrastructure of the target domain, not to individuals. To the extent that any personal data is incidentally captured (for example, an email address appearing in a DNS record or HTTP header), we process it under Art. 6(1)(f) GDPR (legitimate interest in providing the contracted security assessment service). We apply data minimization: scan data is processed for assessment purposes only and is not used to identify, profile, or contact individuals.
2.5 Communication data
If you contact us via email, we collect the content of your message, your email address, and any information you voluntarily provide.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures or contract performance) or Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries).
3. How we use your data
We use your data exclusively to:
- Provide the Service (run scans, generate reports, maintain your account)
- Process payments and manage subscriptions
- Send transactional emails (scan completion notifications, account-related notices)
- Improve the Service (aggregate, anonymized usage analysis)
- Comply with legal obligations (tax and commercial record retention)
We do not sell your data. We do not use your data for advertising. We do not profile you for marketing purposes.
4. Cookies and tracking
4.1 Essential cookies
We use strictly necessary cookies for authentication and session management. These are required for the Service to function and cannot be disabled.
4.2 No tracking before consent
We do not load any analytics, advertising, or tracking scripts before or without your explicit consent. We practice what we preach.
4.3 Analytics (if enabled)
If we implement analytics in the future, we will use a privacy-friendly analytics tool hosted in the EU that does not use cookies or process personal data. We will update this section accordingly.
5. Data processors
We use the following third-party service providers to operate the Service:
| Provider | Purpose | Location | Data processed |
|---|---|---|---|
| Clerk | Authentication | United States | Email, name, auth tokens |
| Stripe | Payment processing | United States (EU processing available) | Billing data, payment details |
| Railway | Application hosting, database | European Union | Account data, scan results |
| Hetzner | Scanner processing | Frankfurt, Germany | Scan data (target domain technical data) |
| Resend | Transactional email | Ireland, EU | Email address, email content |
Transfers outside the EU/EEA
Clerk and Stripe are based in the United States. Data transfers to the US are conducted under the EU-U.S. Data Privacy Framework, which is covered by an adequacy decision of the European Commission. Both providers are certified under the Data Privacy Framework.
Scan data (the technical analysis of target domains) is processed exclusively within the European Union.
6. Data retention
| Data type | Retention period | Reason |
|---|---|---|
| Account data | Duration of account + 30 days | Contract performance |
| Billing records | 10 years after transaction | German commercial and tax law (§ 147 AO, § 257 HGB) |
| Scan results | Duration of account + 30 days | Contract performance |
| Scan results after account deletion | Deleted within 30 days of request | Data minimization |
| Usage data | 90 days | Legitimate interest (service improvement, security) |
| Communication data | Duration of business relationship + 3 years | Legitimate interest (dispute resolution, statute of limitations) |
After the retention period, data is deleted or irreversibly anonymized.
7. Your rights
Right of access (Art. 15 GDPR): You may request confirmation of whether we process your personal data and, if so, request a copy of that data.
Right to rectification (Art. 16 GDPR): You may request correction of inaccurate personal data or completion of incomplete data.
Right to erasure (Art. 17 GDPR): You may request deletion of your personal data where there is no longer a legal basis for processing, subject to legal retention obligations.
Right to restriction (Art. 18 GDPR): You may request restriction of processing in certain circumstances, for example while we verify the accuracy of contested data.
Right to data portability (Art. 20 GDPR): You may request your data in a structured, commonly used, machine-readable format (JSON) and have it transmitted to another controller.
Right to object (Art. 21 GDPR): You may object to processing based on legitimate interest (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, contact us at: privacy@secureless.ai
We will respond within 30 days. If we need more time (up to an additional 60 days for complex requests), we will inform you within the initial 30-day period.
8. Supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for our company is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
Germany
https://www.datenschutz-berlin.de
9. Security
We implement technical and organizational measures to protect your data, including encryption in transit (TLS), encryption at rest for databases, access controls, and regular security assessments of our own infrastructure.
We process scan data in isolated environments. Scan results from one customer are not accessible to other customers.
10. Data concerning third-party domains
When you scan a domain you do not own (company-side vendor monitoring), we process technical data about that domain. This data is publicly accessible and equivalent to what any web browser observes when visiting the domain.
We do not consider publicly accessible technical infrastructure data (DNS records, HTTP headers, SSL certificates, JavaScript files) to be personal data within the meaning of the GDPR, as it relates to organizational technical configuration, not to identified or identifiable natural persons.
If any personal data is incidentally captured during a scan (for example, an employee name in a WHOIS record or an email address in an HTTP header), we process it under Art. 6(1)(f) GDPR (legitimate interest in providing a security assessment service) and apply data minimization. Such data is not extracted, indexed, or used for any purpose other than the security assessment.
Domain owners who wish to inquire about data we hold relating to their domain may contact us at privacy@secureless.ai.
11. Children
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will delete it promptly.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the most recent changes were made.
13. Contact
For privacy-related inquiries and data subject requests:
ebats solutions UG (haftungsbeschränkt)
Viechtacher Str. 16
10318 Berlin, Germany
E-Mail: privacy@secureless.ai