Your data, handled simply.
We collect the minimum information needed to evaluate your application and, if accepted, to perform a website security scan and deliver a report. This page explains exactly what we collect, why, how long we keep it, who we share it with, and your rights.
Last updated: 2026-04-29
1. Who we are
RiskMeter Cybersecurity (“RiskMeter”, “we”, “our”) operates the website at www.riskmetercybersecurity.com (the “Site”) and the related free-scan service described on this Site. For privacy inquiries: privacy@riskmetercybersecurity.com. For security vulnerability reports about this Site: security@riskmetercybersecurity.com.
For purposes of GDPR and similar laws, RiskMeter is the controller of the personal data described below.
2. What we collect through this website
2.1 Information you submit
When you submit a free-scan application, we collect:
- Your full name
- Your work email address
- Your company name
- The website or application you are requesting we scan
- Your role or title
- A short description of the asset you're applying for
- Whether the asset has login-protected areas (yes / no / unsure)
- Your authorization and contact-consent confirmations
We do not collect passwords, credentials, payment information, social security numbers, financial account numbers, government identifiers, biometric data, or special-category personal data on this Site.
2.2 Information collected automatically
When you visit the Site, our hosting provider may log standard request metadata such as IP address, user-agent, request path, and timestamp. We use this only for security, abuse prevention, and operational purposes (debugging, capacity planning).
When you submit an application, we additionally store a keyed hash of your IP address, computed with a secret salt that is held only in our production secrets store. The hash is one-way: without the salt it cannot be reversed to recover the original IP, and the salt is never stored alongside it. We use this identifier solely for rate-limiting and abuse triage. It is automatically deleted from our records 30 days after your submission.
2.3 Cookies & analytics
This Site does not use advertising cookies, cross-site tracking, or third-party analytics that profile you across websites. We do not sell access to ad networks.
We use Vercel Analytics and Vercel Speed Insights to understand which pages are visited and how the Site performs. These services are operated by Vercel Inc. on our behalf and do not set cookies, do not collect personally identifiable information, and do not fingerprint you across sites. Aggregated, anonymous metrics (page paths, country, approximate device type) are returned to us. See Vercel's analytics privacy policy for details.
2.4 Information collected during a website security scan
If your application is accepted and we perform a scan against your authorized assets, we will incidentally observe technical data emitted by your application (HTTP responses, headers, error pages, public content, certificate metadata, banner strings). We treat all such material as confidential. We do not retain unnecessary response bodies, and we redact any inadvertently captured sensitive content (e.g., personal data appearing in error pages) before storage.
3. Why we use your data
We use the information described above to:
- Evaluate your eligibility for the free-scan launch offer
- Communicate with you about the status of your application and any follow-up questions
- If accepted, scope and perform the website security scan and deliver the resulting report
- Maintain a minimal record of your written authorization to test, as a defense against any later dispute
- Operate, secure, and improve the Site (rate limiting, abuse prevention, performance monitoring)
- Comply with applicable legal obligations (e.g., responding to lawful requests)
4. Lawful basis for processing
Where GDPR or similar laws apply, we process your information on the following lawful bases:
- Consent — for sending you communications about your application and the scan offer (you provide this when you tick the consent checkbox at submission). You can withdraw consent at any time by contacting privacy@riskmetercybersecurity.com.
- Performance of a contract or pre-contractual steps — to evaluate your application and, if accepted, to deliver the scan and report.
- Legitimate interest — to operate and protect the Site (security, abuse prevention, fraud detection) and to administer the launch program.
- Legal obligation — where we must process data to comply with applicable law.
5. Sharing & subprocessors
We do not sell, rent, or share your personal data with third parties for marketing purposes. We share limited information only with the infrastructure providers listed below, strictly as needed to operate the service. Each provider is contractually bound to protect your data and to use it only on our instructions.
| Subprocessor | Purpose | Data category |
|---|---|---|
| Vercel Inc. | Website hosting, edge functions, analytics & speed insights | Request metadata, aggregated page metrics |
| Neon (managed Postgres) | Application database (lead records) | Application form data, hashed IP, user agent |
| Cloudflare, Inc. | DNS, domain registration, inbound email routing | Inbound email metadata |
| Slack Technologies | Internal lead notifications to our team | Application summary (name, email, company, site URL, role) |
| Google LLC (Search Console) & Microsoft (Bing Webmaster Tools) | Search engine indexing of public pages | No personal data; public site metadata only |
We may engage additional subprocessors as the service grows. Material changes will be reflected on this page; in some jurisdictions you may have a right to object before such changes take effect.
We may also disclose your information when required by law (e.g., valid subpoena) or when necessary to investigate or prevent fraud, abuse, or a credible threat to safety. We will challenge requests we believe are overbroad or unlawful.
6. Retention
We keep different categories of data for different periods:
- Application records (name, work email, company, asset, role, description, consent timestamps): retained for 24 months from the date of submission, then deleted. Records linked to an accepted scan may be retained longer as part of our authorization records (see below).
- Scan authorization records (scope confirmation, your written approval, scan window, source IPs used): retained for seven (7) years from the date of the scan, as evidence of lawful authorization.
- Scan technical findings and the delivered report: retained for 12 months after delivery, then deleted or de-identified, unless you ask us to delete sooner.
- Hashed IP for rate-limiting: deleted 30 days after creation.
- Server access logs from our hosting provider: retained per the provider's standard retention (typically 30 days), then deleted.
- Backup records may persist past these dates due to rolling backup cycles, but are inaccessible for normal use and age out per the relevant backup retention schedule.
7. Security
We protect your data with the following technical and organizational measures:
- All traffic to the Site is served over TLS (HTTPS-only).
- Application form submissions are validated server-side and stored in an access-controlled Postgres database, following the principle of least privilege.
- Production secrets (database connection strings, webhook URLs, the IP-hashing salt) are stored as encrypted environment variables in our hosting provider's secrets manager — they are never committed to source control.
- Per-IP rate-limiting, keyed on the hashed IP described in section 2.2 rather than the raw address, and a hidden honeypot field protect the form against automated abuse.
- We do not collect passwords, credentials, or payment information on this Site.
- We maintain a published security disclosure channel at /.well-known/security.txt and a Vulnerability Disclosure Policy at /vulnerability-disclosure.
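The IP hashing, rate-limiting, honeypot check and 30-day expiry described in sections 2.2 and 7, as an added TypeScript example. This is not RiskMeter's code: the hidden field name `company_fax`, the limit of five submissions per hour and the in-memory store are assumptions made for illustration; the only figure taken from this page is the 30-day deletion.

```typescript
import { createHmac } from "node:crypto";

// Added example, not RiskMeter's code. Constants below are assumptions except
// HASH_TTL_MS, which mirrors the policy's 30-day deletion.
export const RATE_WINDOW_MS = 60 * 60 * 1000;        // assumed: 1-hour window
export const RATE_LIMIT = 5;                          // assumed: 5 submissions per window
export const HASH_TTL_MS = 30 * 24 * 60 * 60 * 1000;  // 30 days, as stated in the policy
export const HONEYPOT_FIELD = "company_fax";          // assumed name of the hidden field

export interface SubmissionRecord {
  firstSeen: number;    // when this hash was created; drives the 30-day purge
  windowStart: number;  // start of the current rate-limit window
  count: number;        // submissions seen in the current window
}

// Keyed hash (HMAC-SHA256) of the client IP. A plain SHA256(salt || ip) with a
// leaked salt is reversible by enumerating the ~4.3e9 IPv4 addresses, so the
// one-way property rests entirely on the salt staying secret.
export function hashClientIp(ip: string, secretSalt: string): string {
  return createHmac("sha256", secretSalt)
    .update(ip.trim().toLowerCase())
    .digest("hex");
}

// Humans never see the hidden field; bots that fill every input do.
export function honeypotTripped(form: Record<string, string>): boolean {
  return (form[HONEYPOT_FIELD] ?? "").length > 0;
}

// Fixed-window limiter keyed on the hashed IP. Returns true if the request may proceed.
export function checkRateLimit(
  store: Map<string, SubmissionRecord>,
  ipHash: string,
  now: number,
): boolean {
  const rec = store.get(ipHash);
  if (!rec || now - rec.windowStart >= RATE_WINDOW_MS) {
    // New hash or expired window: start counting again but keep the original
    // creation time so the 30-day purge is unaffected by later activity.
    store.set(ipHash, { firstSeen: rec?.firstSeen ?? now, windowStart: now, count: 1 });
    return true;
  }
  if (rec.count >= RATE_LIMIT) return false;
  rec.count += 1;
  return true;
}

// The 30-day deletion: drop every hash older than HASH_TTL_MS. Returns the count removed.
export function purgeExpired(store: Map<string, SubmissionRecord>, now: number): number {
  let removed = 0;
  for (const [hash, rec] of store) {
    if (now - rec.firstSeen >= HASH_TTL_MS) {
      store.delete(hash);
      removed += 1;
    }
  }
  return removed;
}

// Full intake path: honeypot first (cheap, no state), then the keyed-hash rate limit.
// The raw IP is never written anywhere; only ipHash would go into the lead record.
export function handleSubmission(
  store: Map<string, SubmissionRecord>,
  form: Record<string, string>,
  clientIp: string,
  secretSalt: string,
  now: number,
): { accepted: boolean; reason: string } {
  if (honeypotTripped(form)) return { accepted: false, reason: "honeypot" };
  const ipHash = hashClientIp(clientIp, secretSalt);
  if (!checkRateLimit(store, ipHash, now)) return { accepted: false, reason: "rate-limited" };
  return { accepted: true, reason: "ok" };
}
```

The in-memory `Map` stands in for the Postgres column that holds the hash in production; `purgeExpired` is what a scheduled job would run to honour the 30-day retention in section 6.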
No system is perfectly secure. If we become aware of a security incident affecting your personal data, we will notify you and any relevant supervisory authority in accordance with applicable law.
8. Your rights
Depending on your jurisdiction (e.g., the EU/UK GDPR, the California Consumer Privacy Act, or similar laws), you may have the right to:
- Access the personal data we hold about you and receive a copy in a portable format
- Correct inaccurate personal data
- Delete your personal data, subject to limited exceptions (e.g., data we are required to retain for legal or accounting purposes)
- Restrict or object to certain processing, including processing based on legitimate interest
- Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal
- Data portability — receive your data in a machine-readable format
- Lodge a complaint with your local supervisory authority. EU/UK residents can also contact us first to attempt resolution.
- Non-discrimination — we will not deny services or treat you differently for exercising any of these rights.
To exercise any of these rights, email privacy@riskmetercybersecurity.com from the email address you used to apply, or otherwise allow us to verify your identity. We will respond within 30 days, or as required by applicable law.
9. International transfers
RiskMeter operates from the United States. If you are accessing the Site from outside the United States, your information will be transferred to, processed, and stored in the United States, where privacy laws may differ from those of your country.
For transfers from the EU/UK to the United States, we rely on the EU Standard Contractual Clauses (and the UK International Data Transfer Addendum) with our subprocessors, supplemented by the technical measures described above.
10. Children
The Site is intended for use by businesses and is not directed to children under the age of 16. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child, we will promptly delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected by the “last updated” date at the top of this page; for substantial changes (such as new categories of data collection or new subprocessors handling sensitive data), we will provide additional notice via email to applicants and customers affected.
12. Contact
For privacy questions or to exercise any of the rights above: privacy@riskmetercybersecurity.com. For general inquiries: hello@riskmetercybersecurity.com. For security vulnerability reports about this Site: security@riskmetercybersecurity.com.