Privacy Policy

Xcloak is a penetration testing and security intelligence platform operated independently. When this policy refers to "we", "us", or "our", it means Xcloakand its operators. For privacy enquiries, contact admin@xcloak.tech.

Account data (when you register)

• ✓Email address and username
• ✓Hashed password (we never store plaintext passwords)
• ✓Account creation date and tier (free/pro/enterprise)

Scan data (when you run a scan)

• ✓Target hostname or IP address
• ✓Scan goal (your plain-English description)
• ✓Tool output, parsed findings, risk scores
• ✓AI-generated analysis and reports
• ✓Scan timestamp, duration, and status

Payment data (when you subscribe)

• ✓Payment ID and order ID from Razorpay
• ✓Subscription tier and payment date
• ✓We do NOT store card numbers, CVVs, or bank details — these are handled entirely by Razorpay

Technical data (automatically collected)

• ✓IP address at time of login and scan initiation
• ✓Browser/client user agent
• ✓API request logs (for rate limiting and abuse prevention)

• ✓To provide and operate the Service — running scans, storing results, generating reports
• ✓To authenticate you and maintain your session
• ✓To enforce scan quotas and tier limits
• ✓To process payments and manage subscriptions via Razorpay
• ✓To send transactional emails (account confirmation, payment receipts)
• ✓To investigate abuse and respond to legal requests
• ✓To improve the platform based on aggregated, anonymized usage patterns

We do not use your scan data to train AI models. We do not serve advertising. We do not sell or rent your personal data to any third party.

We share data only in these specific circumstances:

• ✓Razorpay — payment processing. Razorpay receives your payment details and is subject to their own privacy policy.
• ✓AI providers (Anthropic/OpenAI) — scan findings are sent to AI APIs for analysis. We send only structured finding data, not your personal details. These providers process data under their own policies.
• ✓Law enforcement — we may disclose data when required by a valid court order, subpoena, or legal obligation. We will notify you unless prohibited by law.

We have no advertising partners and do not share data for marketing purposes.

• ✓Account data: retained until you delete your account
• ✓Scan history and findings: retained for 1 year, then automatically purged
• ✓Payment records: retained for 7 years as required by Indian tax law
• ✓Audit logs (IP, timestamps): retained for 90 days
• ✓Deleted accounts: all personal data removed within 30 days of deletion request

We protect your data using industry-standard measures:

• ✓Passwords are hashed using bcrypt — never stored in plaintext
• ✓All API communication uses HTTPS/TLS encryption
• ✓JWT tokens expire after 8 hours; refresh tokens after 7 days
• ✓Database access is restricted to the application server only
• ✓Scan data is isolated per user — you cannot access other users' scans

No system is perfectly secure. If you discover a security issue, please report it responsibly to admin@xcloak.tech.

You have the following rights regarding your personal data:

• ✓Access — request a copy of the personal data we hold about you
• ✓Correction — update inaccurate account information via Settings
• ✓Deletion — request deletion of your account and associated data
• ✓Export — download your scan history and findings in JSON or PDF format
• ✓Objection — object to processing for purposes other than service delivery

To exercise any of these rights, email admin@xcloak.tech. We will respond within 30 days.

We use minimal storage:

• ✓eso_token (cookie) — your authentication token, expires after 1 day
• ✓eso_user (localStorage) — cached profile data for the sidebar; cleared on logout
• ✓No advertising cookies. No tracking pixels. No analytics scripts.

The Service is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a minor has registered, contact us immediately at admin@xcloak.tech and we will delete the account.

Our servers are currently located in Germany (Hetzner). Your data may be processed by AI providers whose infrastructure is in the United States. By using the Service, you consent to this transfer. We ensure adequate safeguards are in place with all international processors.

We may update this Privacy Policy from time to time. We will notify registered users by email at least 14 days before material changes take effect. The "Last updated" date at the top of this page always reflects the most recent version.

For privacy questions, data requests, or concerns: