Privacy Policy
Last updated: March 2026
1. Data We Collect
GuardHound collects the following categories of data:
- Account data: Email address and hashed password when you register. We never store plaintext passwords.
- Scan data: Domain names you scan, security scores, and findings. For monitored domains, scan history is retained according to your plan tier.
- WHOIS/RDAP data: Registrar name, nameserver lists, and domain expiry dates. We do not store personal registrant contact details (name, address, phone).
- Scan leads: If you provide your email during a free scan, we store it alongside the scanned domain and score to deliver your results.
- Payment data: Stripe handles all payment processing. We store only your Stripe customer ID and subscription ID — never credit card numbers.
- Server logs: IP addresses, timestamps, and request metadata for security and debugging. Logs are purged after 90 days.
2. How We Use Your Data
- To perform domain security scans and deliver results
- To send security alerts when issues are detected on your monitored domains
- To process payments and manage your subscription
- To improve the service and fix bugs
3. Third-Party Data Sources
GuardHound queries the following external services during scans:
- NVD (National Vulnerability Database): CVE vulnerability data provided by NIST. See nvd.nist.gov.
- RDAP (Registration Data Access Protocol): Public domain registration data via rdap.org. We only extract registrar, nameservers, and expiry — no personal data.
- Google DNS: DNSSEC validation and Safe Browsing status via Google Public DNS.
- CISA KEV: Known Exploited Vulnerabilities catalog from CISA.
- XposedOrNot: Public data breach records via the XposedOrNot free API. We query domain-level breach data only — no individual email addresses or passwords are transmitted or stored.
- crt.sh: Certificate Transparency logs for subdomain discovery via crt.sh.
4. Data Retention
- Account data: Retained until you delete your account.
- Scan results: Free & Starter: 30 days. Pro & Unlimited: full history.
- Scan leads: Retained for 12 months, then automatically purged.
- WHOIS snapshots: Retained for 1 year per domain, then purged.
- Alerts: Retained for 90 days after acknowledgment.
- Server logs: 90 days.
5. Lawful Basis for Processing (GDPR Article 6)
We process your personal data under the following lawful bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the GuardHound service you signed up for, including domain scanning, monitoring, and alert delivery.
- Legitimate interest (Art. 6(1)(f)): Security logging, fraud prevention, and service improvement. We balance our interests against your rights and do not process sensitive data under this basis.
- Consent (Art. 6(1)(a)): Marketing emails and scan lead capture. You may withdraw consent at any time by unsubscribing or contacting us.
- Legal obligation (Art. 6(1)(c)): Where we are required to retain data for tax, fraud prevention, or regulatory compliance.
6. Data Controller
The data controller responsible for your personal data is:
If you are located in the EEA and have concerns about our data practices that we cannot resolve, you have the right to lodge a complaint with your local Data Protection Authority.
7. International Data Transfers
Your data may be processed in the United States or other countries where our infrastructure providers operate. When transferring data outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs): Approved by the European Commission for transfers to third countries.
- Adequacy decisions: Where the European Commission has determined that a country provides adequate data protection.
- Service provider agreements: Our infrastructure providers (database hosting, email delivery, payment processing) maintain appropriate safeguards for international transfers.
8. Your Rights (GDPR / CCPA)
You have the right to:
- Access: Request a copy of your data at any time.
- Deletion: Request deletion of your account and all associated data.
- Portability: Export your scan data in a machine-readable format.
- Correction: Update your email or account information.
- Opt-out: Unsubscribe from marketing emails at any time.
If you are in the European Economic Area, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not complied with applicable data protection laws.
To exercise any of these rights, contact us at privacy@guardhound.io.
9. Cookies & Tracking
GuardHound does not use tracking cookies, analytics scripts, or third-party advertising pixels. We use only essential browser storage (localStorage) for authentication tokens.
10. Security
All data is transmitted over TLS. Passwords are hashed with bcrypt (12 rounds). Database access is restricted to the application server. We follow security best practices including input validation, rate limiting, and JWT token invalidation.
11. Children's Privacy
GuardHound is not intended for use by anyone under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will take steps to promptly delete that information. If you believe we have collected data from a child under 16, please contact us at privacy@guardhound.io.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email to registered users. The "last updated" date at the top reflects the most recent revision.
13. Contact
For privacy inquiries: privacy@guardhound.io