Privacy Policy

Effective Date: January 1, 2025
Last Updated: January 1, 2025

1. Introduction

Fence ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our security vulnerability scanner and SSL/TLS certificate monitoring service.

We are committed to complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data Use and Access Act 2025.

By using Fence, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Password (encrypted)
  • Name (if provided via SSO)
  • Organization name (for team accounts)

2.2 Domain and Security Scan Data

To provide our service, we collect and store:

  • Domain names you add for monitoring
  • SSL/TLS certificate metadata (expiration dates, issuer, subject)
  • Vulnerability scan results (OWASP Top 10, CVE detections, security headers)
  • Security misconfiguration findings and remediation status
  • Technology fingerprinting data (web servers, frameworks, hosting providers)
  • Certificate scan results and history
  • Alert configurations and notification preferences

2.3 Usage Data

We automatically collect:

  • IP address
  • Browser type and version
  • Pages visited and features used
  • Date and time of visits
  • Referring website addresses

2.4 Payment Information

Payment information is processed securely through Stripe. We do not store your full credit card details on our servers. We only retain:

  • Last 4 digits of your card
  • Card brand (Visa, Mastercard, etc.)
  • Billing address
  • Transaction history

3. How We Use Your Information

We use the collected information to:

  • Provide and maintain our security vulnerability scanning and SSL certificate monitoring service
  • Perform automated vulnerability scans and security assessments
  • Send you alerts about expiring certificates and security vulnerabilities
  • Provide plain English remediation guidance and fix instructions
  • Process your payments and maintain billing records
  • Communicate with you about service updates and security issues
  • Improve our service and develop new features
  • Detect and prevent fraud, abuse, and security issues
  • Comply with legal obligations

4. Data Security

We implement industry-standard security measures to protect your data:

  • HTTPS/TLS encryption for all data in transit
  • Encrypted passwords using bcrypt hashing
  • Regular security audits and vulnerability assessments
  • Secure data center infrastructure
  • Access controls and authentication
  • Regular backups with encryption

While we strive to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your data with:

5.1 Service Providers

  • Stripe: Payment processing
  • AWS SES: Email delivery
  • Hosting providers: Infrastructure and storage

5.2 Legal Requirements

We may disclose your information if required to:

  • Comply with legal obligations or court orders
  • Protect our rights, property, or safety
  • Prevent fraud or security issues
  • Cooperate with law enforcement

6. Your Rights

Depending on your location, you may have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal data
  • Data Portability: Receive your data in a structured format
  • Objection: Object to certain types of data processing
  • Withdraw Consent: Withdraw consent for data processing

To exercise these rights, please contact us at [email protected]

7. Data Retention and Account Deletion

7.1 Standard Data Retention

We retain your personal data for as long as necessary to provide our services and comply with legal obligations:

  • Account data: Until you delete your account, plus 30-day grace period
  • Scan history: 90 days for Hobby tier, 1 year for Startup/Enterprise/Custom tiers
  • Payment records: 7 years (UK tax compliance requirement)
  • Backups: 30 days rolling backup retention

7.2 Account Deletion Process

When you delete your account through our API (DELETE /api/users/me/):

  1. 30-Day Grace Period: Your account is marked for deletion but not immediately deleted. You can cancel the deletion during this 30-day period using the cancellation endpoint (POST /api/users/me/cancel-deletion/).
  2. After Grace Period: Once the 30-day grace period expires, we permanently delete:
    • Your email address and password
    • Your name and profile information
    • Domain names you added for monitoring
    • SSL/TLS certificate data
    • Vulnerability scan results and findings
    • Alert configurations and notification preferences
    • Organization memberships and roles
  3. Data We Anonymize (Not Delete): For legal compliance and fraud prevention, we anonymize but retain:
    • Payment records: Anonymized transaction history (required for UK tax compliance - 7 years)
    • Aggregated analytics: De-identified usage statistics for service improvement
    • Audit logs: Anonymized security event logs (fraud prevention and legal compliance)

    Note: Anonymization means we remove all personally identifiable information (email, name, IP addresses) and replace them with anonymous identifiers. This data cannot be linked back to you.

  4. Backups: Deleted data may persist in encrypted backups for up to 30 days (our backup retention period), after which it is permanently purged.

7.3 Why We Retain Some Data

We are legally required to retain certain anonymized data for:

  • Tax compliance: UK tax law requires 7-year retention of financial transaction records
  • Fraud prevention: Detecting and preventing abuse, chargebacks, and fraudulent activity
  • Legal defense: Protecting against legal claims within the statute of limitations
  • Service improvement: Aggregated, de-identified analytics that cannot identify individuals

Important: All retained data is fully anonymized and cannot be used to identify you personally.

8. Cookies and Tracking

We use essential cookies and tracking technologies:

  • Essential Cookies: Required for authentication and security
  • Analytics: Self-hosted Plausible Analytics (privacy-friendly, no tracking)
  • Session Cookies: Maintain your logged-in state

We do not use third-party tracking cookies or sell your browsing data.

9. Children's Privacy

Our service is not intended for children under 13. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will delete it immediately.

10. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable data protection laws.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by email or through a notice on our website. Continued use of our service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Email: [email protected]
Data Protection Officer: [email protected]
Website: https://fence.dev