Privacy Policy
Effective date: 1 January 2025 · Last updated: 10 March 2026
01 Who We Are
SwarmHawk is a cybersecurity intelligence platform operated by SwarmHawk s.r.o., a company registered in the Czech Republic. Our platform provides domain security scanning, threat intelligence, and compliance monitoring services for businesses across the European Union and beyond.
For the purposes of EU data protection law, SwarmHawk s.r.o. is the data controller for personal data collected through this website and its services.
Data Controller: SwarmHawk s.r.o. · Registered in the Czech Republic · Contact: hello@swarmhawk.com
02 Data We Collect
We collect different categories of data depending on how you interact with SwarmHawk:
Account Data
- Email address (required to create an account)
- Name or display name (optional)
- Organisation name (optional, for business plans)
- Password stored as a bcrypt hash (we never store plaintext passwords)
Usage & Scan Data
- Domain names you submit for scanning
- Scan results, risk scores, and generated intelligence reports
- Timestamps and frequency of scans
- API key identifiers (not the raw key value after creation)
Technical Data
- IP address and approximate geographic location (country level)
- Browser type and version
- Device type (desktop / mobile)
- Session identifiers (stored server-side, referenced via a cookie)
Communication Data
- Messages sent to us via the contact form or email
- Support ticket content
Data We Do NOT Collect
- Payment card numbers (payments processed by Stripe; we receive only a transaction token)
- Government ID or passport information
- Biometric data
- Data from children under 16
03 How We Use Your Data
We use collected data for the following purposes:
- Service delivery — Running domain security scans, generating reports, and returning intelligence results to you
- Account management — Authenticating you, managing your subscription, and providing customer support
- Security & fraud prevention — Detecting abuse, rate-limiting, and protecting the integrity of the platform
- Service improvement — Aggregated, anonymised analytics on feature usage to improve the product
- Legal compliance — Maintaining audit logs where required by law (NIS2, GDPR record-keeping obligations)
- Communications — Sending transactional emails (scan results, account notices) and, with your consent, product updates
We do not sell your personal data, use it for advertising profiling, or share it with data brokers.
04 Legal Basis for Processing (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)) — Processing necessary to provide the scanning and intelligence services you signed up for
- Legitimate interests (Art. 6(1)(f)) — Security monitoring, fraud prevention, and aggregated product analytics (interests balanced against your rights)
- Legal obligation (Art. 6(1)(c)) — Retaining audit logs and billing records as required by Czech and EU law
- Consent (Art. 6(1)(a)) — Marketing emails and optional analytics cookies (you can withdraw consent at any time)
05 Data Sharing & Third Parties
We share data with the following categories of trusted sub-processors only to the extent necessary to provide the service:
- Supabase Inc. — Database hosting (PostgreSQL) in EU data centres (Frankfurt)
- Render Inc. — Backend application hosting (US-based; Standard Contractual Clauses in place)
- Anthropic PBC / Portkey AI — AI analysis of domain risk (domain name + scan result only; no personal data in prompts)
- Stripe Inc. — Payment processing (we share only order amounts and a billing email)
- Cloudflare Inc. — DDoS protection and CDN (processes IP addresses transiently)
We may disclose data to law enforcement or regulatory bodies if required by a legally binding court order or equivalent legal process. We will notify you unless prohibited by law.
06 Data Retention
- Account data — Retained for the lifetime of your account plus 30 days after deletion
- Scan results — Retained for 12 months; older records are archived or deleted
- Audit logs — Retained for 36 months to comply with NIS2 incident logging requirements
- Billing records — Retained for 10 years as required by Czech accounting law
- Support communications — Retained for 24 months after ticket closure
You can request early deletion of your personal data by contacting us (see Section 12), subject to legal retention obligations.
07 Your Rights
Under the GDPR (and applicable national law), you have the following rights:
- Right of access (Art. 15) — Request a copy of the personal data we hold about you
- Right to rectification (Art. 16) — Ask us to correct inaccurate data
- Right to erasure (Art. 17) — Request deletion of your data ("right to be forgotten"), subject to legal retention needs
- Right to restriction (Art. 18) — Ask us to pause processing while a dispute is resolved
- Right to data portability (Art. 20) — Receive your data in a machine-readable format (JSON export available in account settings)
- Right to object (Art. 21) — Object to processing based on legitimate interests (e.g. analytics)
- Right to withdraw consent — Revoke marketing consent at any time via the unsubscribe link in any email or via account settings
To exercise any right, email hello@swarmhawk.com. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the Czech Office for Personal Data Protection (ÚOOÚ) at uoou.cz.
08 Cookies & Tracking
We use a minimal set of cookies:
- Session cookie (strictly necessary) — Keeps you logged in; expires when you close the browser or after 7 days of inactivity
- Preference cookie (functional) — Remembers your UI settings (e.g. dark mode, selected country)
- Analytics cookie (with consent) — Aggregated, anonymised page-view tracking via a self-hosted instance; no cross-site tracking
We do not use third-party advertising cookies, Google Analytics, Facebook Pixel, or similar tracking technologies.
You can manage cookie preferences in your browser settings or via the cookie banner shown on first visit.
09 International Data Transfers
Some of our sub-processors are based outside the EU/EEA (notably Render and Anthropic in the United States). Where this occurs, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), or
- Adequacy decisions where applicable
You can request a copy of the applicable transfer mechanism by contacting us.
10 Security
We implement industry-standard security measures including:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest in the database
- bcrypt password hashing with a cost factor of 12
- Role-based access controls following the principle of least privilege
- Regular automated vulnerability scanning (we use SwarmHawk on ourselves)
- No plain-text API keys stored; only hashed representations are retained
In the event of a personal data breach affecting your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, in accordance with GDPR Art. 33–34.
11 Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via an in-app banner and, where required by law, by email at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
Continued use of the service after the effective date of changes constitutes acceptance of the revised policy.
12 Contact Us
For any privacy-related questions, data subject requests, or concerns: