Scantra ("we", "us") provides an AI compliance monitor at scantra.ai. This policy explains what personal information we collect, how we use it, and what choices you have. We wrote it to be readable, not to bury you in legalese.
Scantra is a 501(c)(3) non-profit organization (EIN __-_______). We do not sell personal data, we do not run advertising, and we do not share information with third parties except where strictly required to provide the service (e.g. our payment processor, email sender, and infrastructure host — listed in section 3).
1. What we collect
When you sign up and use Scantra, we collect:
- Account info: your name, email, and the organization name you enter at signup.
- Authentication: a password (stored as a one-way bcrypt hash — we cannot read your real password).
- Billing info: credit-card details are collected and stored by Stripe, not by us. We only see the last four digits, expiry, and country.
- Monitor data: the URLs you ask us to scan, the page content fetched during scans, and the issues we find. This is yours; we do not share it with anyone.
- Usage data: request logs, IP addresses, and standard server logs (kept for ~30 days).
- Cookies: essential session cookies for keeping you logged in. We do not run third-party analytics or advertising trackers.
2. How we use it
- To provide the Scantra service: run scans, surface issues, draft fixes.
- To bill you (only for paid plans).
- To send you account-critical email (receipts, payment failures, security notices). We do not send marketing email unless you opt in.
- To investigate abuse, fraud, or violations of our Terms.
3. Who we share data with
We do not sell your data. We use a small set of vendors to actually run the service:
- Stripe (payments) — receives card details and billing identifiers.
- Anthropic (AI rule analysis) — receives the text of pages you ask us to scan, used only to detect compliance issues. Anthropic does not train on this data per their API terms.
- Railway (hosting) — receives normal request traffic; stores our database.
- Resend or similar transactional-email provider — receives the email address and the content of account emails we send to you.
Each vendor is bound by their own privacy and security terms. We will update this list as it changes.
4. Your rights (GDPR, CCPA, and similar)
You can ask us to:
- Show you what data we have on you (access).
- Correct anything that's wrong (rectification).
- Delete your account and the data tied to it (erasure).
- Export your data as JSON (portability).
- Restrict or object to specific uses.
To exercise any of these, email privacy@scantra.ai. We respond within 30 days.
5. International transfers
Scantra is operated from the United States; our hosting and third-party vendors may store data in the US, EU, and other regions. By using Scantra, you understand your data may be processed outside your home country.
6. Data retention
We keep account data while your account is active. If you close your account, we delete personal data within 90 days, except where we are required to retain billing records by law (typically 7 years).
7. Security
Passwords are hashed with bcrypt. All traffic to scantra.ai is encrypted with TLS. We never store payment card numbers — Stripe handles that. No system is 100% secure, but we take reasonable measures and will notify affected users within 72 hours if a breach occurs.
8. Children
Scantra is for businesses. We do not knowingly collect information from anyone under 16. If you believe a minor has provided us data, email privacy@scantra.ai and we will delete it.
9. Changes to this policy
We'll update this page when our practices change. The "Last updated" date at the top reflects the most recent change. If the change is material (e.g. we share data with a new category of vendor), we'll email account owners first.
10. Contact
Questions about this policy? Email privacy@scantra.ai.