Privacy Policy
Last updated: December 28, 2025
Introduction
Website Defender ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website security scanning service.
By using Website Defender, you agree to the collection and use of information in accordance with this policy.
Data Controller
Website Defender is operated by Jack Dwyer trading as Dwyer Labs.
For data protection matters, contact: privacy@websitedefender.io
Information We Collect
Account Information
When you create an account, we collect:
- Email address
- Password (stored securely using industry-standard hashing)
- Notification preferences (e.g., weekly digest enabled, preferred delivery day)
- Timezone preference
Free Scan Data
When you use our free scan feature without an account, we collect:
- Email address (for sending results and marketing with your permission)
- Domain name scanned
- IP address (retained for 48 hours for abuse prevention)
Free scan results and associated data are automatically deleted after 48 hours.
Scan Data
When you scan websites, we collect:
- Domain names you scan
- Scan results and security findings
- Risk scores (automatically calculated)
- Timestamps of scan activity
Session Data
When you log in, we collect:
- IP address (retained for 7 days for session security)
- User agent (browser and device information)
Usage Data
We automatically collect certain information when you use our service:
- Pages visited and features used
- Time and date of visits
- Time spent on pages
- Performance metrics
Payment Information
Payment processing is handled by Stripe. We do not store your full credit card number or payment details on our servers. We store only:
- Stripe customer ID (to link your account to your subscription)
Stripe may provide us with the last 4 digits of your card and billing address for display purposes. See Stripe's Privacy Policy.
Why We Can Use Your Data (Legal Basis)
Data protection law requires us to have a valid reason for processing your data. Here's why we process each type of data:
To Provide Our Service (Contract)
When you sign up, we need to process certain data to deliver the service you've requested:
- Your email and password — to create and secure your account
- Domains and scan results — to run security scans and show you findings
- Billing information — to process your subscription payments
To Protect Our Service (Legitimate Interests)
We have a legitimate business interest in keeping our service secure and improving it:
- IP addresses — to prevent abuse and block attackers
- Login sessions — to detect suspicious activity on your account
- Usage analytics — to understand how people use the site so we can make it better
With Your Permission (Consent)
Some processing only happens with your explicit permission:
- Weekly Security Digest — opt-in email summarizing your security status (can unsubscribe anytime)
- Marketing emails — you choose whether to receive them, and can unsubscribe anytime
- Analytics cookies — controlled via the cookie banner
Because the Law Requires It (Legal Obligation)
Some data must be kept for legal reasons:
- Billing records — kept for 7 years as required by UK tax law
- Law enforcement requests — we must comply with valid legal orders
How We Use Your Information
We use the collected information to:
- Provide and maintain our security scanning service
- Process your transactions and subscriptions
- Send scan results and security alerts
- Send weekly security digest emails (with your consent)
- Generate AI-powered security recommendations
- Respond to your inquiries and support requests
- Improve our service and develop new features
- Send marketing communications (with your consent)
- Comply with legal obligations
Automated Decision-Making
Our service uses automated processing to calculate security risk scores based on scan findings. This score (0-100) is calculated automatically based on the severity and quantity of security issues found:
- Critical findings contribute more to the score
- High, medium, and low findings contribute proportionally less
This automated scoring helps prioritize security issues. You can review all findings and their details in your dashboard. The risk score does not affect your account access or subscription.
Data Retention
We retain your data as follows:
- Account data: Retained while your account is active, plus 90 days after deletion request
- Scan history: Retained for the duration of your subscription, plus 90 days after cancellation
- Free scan results: Automatically deleted after 48 hours
- Session data (IP, user agent): 7 days
- Payment records: Retained for 7 years for tax and legal compliance
Data Sharing and Third-Party Services
We work with trusted companies to provide our service. Below is exactly what data each company receives and why. We never sell your data.
Payment Processing — Stripe
What Stripe receives:
- Your email address
- Your payment card details
- Your billing address (if provided)
What Stripe does NOT receive:
- Your password
- Your scan results or domain names
Why: Stripe handles all payment processing so we never see your full card number. Stripe's Privacy Policy →
AI Security Analysis — Anthropic (via OpenRouter)
What the AI receives:
- Domain names you scan
- Security finding titles and severity (e.g., "Missing HTTPS - High")
- Brief technical details (up to 150 characters per finding)
- Your risk score
What the AI does NOT receive:
- Your email address or account details
- Your password
- Payment information
Why: We use AI to generate plain-English summaries and fix recommendations for your security findings. OpenRouter's Privacy Policy → Anthropic's Privacy Policy →
Email Delivery — Resend
What Resend receives:
- Your email address
- Email content (scan alerts, verification links, etc.)
What Resend does NOT receive:
- Your password
- Payment information
Why: Resend delivers all our emails including scan alerts, verification emails, and account notifications. Resend's Privacy Policy →
Bot Protection — Google reCAPTCHA
What Google receives:
- Your IP address
- Browser and device information
- Cookies set by Google
When this happens:
- Only when you use the free scan or contact form
Why: reCAPTCHA protects our forms from spam and automated abuse. Google's Privacy Policy →
Analytics — Vercel
What Vercel collects:
- Pages you visit
- How long you spend on pages
- Your browser type and device
- General location (country/region from IP)
- Page load times
What Vercel does NOT receive:
- Your email or account information
- Scan results
Why: Analytics help us understand how people use the site so we can make it better. Vercel's Privacy Policy →
Error Tracking — Sentry
What Sentry collects:
- JavaScript errors and stack traces
- Browser and device information
- Page URL where error occurred
- Performance metrics (page load times)
- Session replays when errors occur (screen recordings to help us debug)
What Sentry does NOT receive:
- Your password
- Payment information
Why: Sentry helps us identify and fix bugs quickly so you have a better experience. Sentry's Privacy Policy →
Cloud Hosting — DigitalOcean
What DigitalOcean hosts:
- All Website Defender data and infrastructure
- PDF reports (stored securely in DigitalOcean Spaces)
Why: DigitalOcean provides the servers and storage that run our entire service. DigitalOcean's Privacy Policy →
Legal Requirements
We may share your information if required by law, court order, or government request, or to protect our rights and the safety of our users.
Cookies
We use the following cookies and similar technologies:
Essential Cookies
| Cookie | Purpose | Duration |
|---|---|---|
| refresh_token | Authentication session (HTTP-only, secure) | 7 days |
Functional Cookies
| Cookie | Purpose | Duration |
|---|---|---|
| sidebar_state | Remember sidebar open/closed preference | 7 days |
Third-Party Cookies
- Vercel Analytics: Usage tracking (see Analytics section above)
- Google reCAPTCHA: Bot protection on forms (see Bot Protection section above)
You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain features such as staying logged in.
Your Rights
Under GDPR and UK data protection law, you have several rights over your personal data. Here's how to exercise each one:
Right to Access
Get a copy of all personal data we hold about you.
How to request:
- Email privacy@websitedefender.io with subject "Data Access Request"
- Include your account email address
- We'll verify your identity and respond within 30 days
Right to Rectification
Correct any inaccurate personal data.
How to update your data:
- Log in to your account
- Go to Settings → Account
- Update your email address or other details
For other corrections, email privacy@websitedefender.io
Right to Erasure (Right to be Forgotten)
Request deletion of your account and personal data.
How to delete your account:
- Log in to your account
- Go to Settings → Account
- Scroll down and click "Delete Account"
- Confirm deletion
We'll delete your data within 90 days. Some billing records are kept for 7 years as required by tax law.
Right to Restrict Processing
Ask us to limit how we use your data while you dispute accuracy or object to processing.
How to request:
- Email privacy@websitedefender.io
- Explain which data and why you want processing restricted
- We'll respond within 30 days
Right to Data Portability
Receive your data in a format you can take to another service.
How to request:
- Email privacy@websitedefender.io with subject "Data Export Request"
- We'll send you a JSON file with your account and scan data
- Delivery within 30 days
Right to Object
Object to processing based on legitimate interests.
How to object:
- Email privacy@websitedefender.io
- Specify which processing you object to and your reasons
- We'll review and respond within 30 days
Right to Withdraw Consent
Stop promotional emails or the weekly security digest at any time.
How to unsubscribe:
- Click the "Unsubscribe" or "Manage preferences" link at the bottom of any email
- Or go to Settings → Account → Notifications in your dashboard
Note: You'll still receive essential emails about your account (e.g., password resets, payment receipts, critical security alerts).
Right to Complain
Not happy with how we've handled your data? You can complain to the UK's data protection authority:
Information Commissioner's Office (ICO)
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Security
We protect your data using:
- TLS encryption for all data in transit
- Encryption at rest for sensitive data
- Secure password hashing (bcrypt)
- Access controls and monitoring
- HTTP-only, secure cookies for authentication
While we implement strong security measures, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
Where Your Data Goes (International Transfers)
Some of our service providers are based in the United States. When your data is sent to these companies, we ensure it's protected:
- Stripe (US) — handles payments
- Anthropic/OpenRouter (US) — provides AI analysis
- Google (US) — provides bot protection
- Vercel (US) — hosts our website and analytics
- DigitalOcean (US) — hosts our servers and databases
How we protect your data in transit: These transfers are covered by legal agreements that require US companies to protect your data to UK/EU standards. This includes Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), and the EU-US Data Privacy Framework where the company is certified.
Children's Privacy
Our service is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a notice on our website.
Contact Us
If you have questions about this Privacy Policy, please contact us:
- Email: privacy@websitedefender.io
- Contact form: websitedefender.io/contact