1 Information We Collect
We collect the minimum information necessary to provide the PhantomRed service:
- Account information: Your name, email address, and hashed password when you register.
- Scan data: Target domains/IPs you submit for scanning, scan results, and findings — stored securely in our database and associated with your account.
- Usage data: Number of scans performed, plan type, and timestamps of activity.
- Payment data: When you upgrade, payment is processed by Razorpay. We receive a confirmation of payment and your plan level — we never store your card details.
- Error logs: Technical error data collected by Sentry for debugging purposes, which may include request metadata.
We do not collect IP addresses for marketing purposes, and we do not use tracking pixels or third-party ad networks.
2 How We Use Your Information
Your information is used solely to provide and improve the PhantomRed service:
- To authenticate you and manage your account
- To run security scans on targets you explicitly authorize
- To store and display your scan history and findings
- To process payments and manage your subscription plan
- To send transactional emails (email verification, password reset, payment confirmation)
- To detect and fix bugs using anonymized error reports
- To enforce our acceptable use policy and prevent abuse
We will never use your scan data, findings, or target information for any purpose other than delivering your results to you.
3 Data Storage & Retention
Your data is stored in a PostgreSQL database hosted on Railway's infrastructure, located in the United States. We retain different categories of data for different periods based on operational and legal requirements.
Retention Schedule
- Account data (name, email, password hash, API key): Retained for as long as your account is active. Permanently deleted within 30 days of account deletion.
- Scan results & findings: Retained indefinitely while your account is active. Permanently deleted within 30 days of account deletion.
- Payment records: Retained for 7 years from the date of transaction to comply with applicable financial regulations. Payment records contain plan type and amount only — no card details are ever stored by PhantomRed.
- API keys: Invalidated immediately upon regeneration or account deletion. Old keys are not retained.
- Password reset tokens: Automatically expire after 1 hour and are deleted upon use.
- Error logs (Sentry): Retained for 30 days by Sentry, then automatically purged.
- Analytics data (Google Analytics): Retained for 14 months per Google's default retention policy. No personally identifiable information is sent to Google Analytics.
Account Deletion
You may delete your account at any time from the Dashboard. Upon deletion:
- Your account, scan history, and all associated data are permanently removed within 30 days.
- Payment records are retained for 7 years as required by financial regulations, but are disassociated from your personal identity where possible.
- Deletion is irreversible. Exported reports should be saved before deletion.
Data Export & Deletion Requests
To request a copy of your data or to request deletion outside of the in-app flow, email privacy@phantomred.com. We will respond within 30 days. Include the email address associated with your account.
4 Data Sharing
We share data only with the following service providers, and only to the extent necessary to operate the service:
- Railway — cloud infrastructure and database hosting
- Vercel — frontend hosting
- Resend — transactional email delivery
- Razorpay — payment processing
- Sentry — error monitoring
- Groq — AI inference for scan analysis (findings data only, not personal information)
We may disclose information if required by law or to protect the rights, property, or safety of PhredSec™, our users, or the public.
5 Security
We take security seriously — it's literally what we do:
- All data in transit is encrypted via HTTPS/TLS
- Passwords are hashed using bcrypt — never stored in plain text
- API keys are generated with cryptographic randomness
- Rate limiting is enforced on all endpoints to prevent abuse
- All scan inputs are validated and scope-checked before execution
No system is 100% secure. If you discover a security vulnerability in PhantomRed, please disclose it responsibly to security@phantomred.com.
6 Your Rights (GDPR / CCPA)
Depending on your location, you may have the following rights regarding your personal data:
- Right to access: Request a copy of all data we hold about you
- Right to rectification: Correct inaccurate or incomplete data
- Right to erasure: Request deletion of your account and all associated data
- Right to portability: Receive your data in a machine-readable format
- Right to object: Object to processing of your data
- Right to withdraw consent: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact us at privacy@phantomred.com. We will respond within 30 days.
7 Cookies
PhantomRed uses minimal browser storage:
- localStorage: We store your API key in localStorage to keep you signed in between sessions. This is never transmitted to third parties.
- We do not use advertising cookies, tracking pixels, or cross-site analytics.
You can clear your browser's local storage at any time to sign out of PhantomRed on that device.
8 Children's Privacy
We do not knowingly collect personal information from anyone under 18. If we become aware that a minor has registered, we will delete their account immediately.
9 Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and notify registered users via email for material changes.
Your continued use of PhantomRed after any changes constitutes acceptance of the updated policy.
10 Contact Us
For any privacy-related questions, requests, or concerns:
- Email: privacy@phantomred.com
- General: support@phantomred.com
- Grievance Officer (India — DPDP Act 2023): Aditya Machiraju — grievance@phantomred.com
- Company: PhredSec™ (Trademark No: 14093540, Class 42)