ScriptPatrol is a security monitoring service that helps businesses detect unauthorized JavaScript changes on their websites. This policy explains what data we collect, why we collect it, and how we protect it. We believe in minimal data collection and maximum transparency.
1. What We Collect
We collect the minimum data necessary to provide our security monitoring service. Here is a complete list of everything we store:
Account Data
| Data | Purpose | Stored As |
|---|---|---|
| Email address | Authentication, alerts, account recovery | Plain text (required for email delivery) |
| Password | Authentication | Bcrypt hash (irreversible) |
| Company name | Account identification (optional) | Plain text |
| Subscription status | Feature access control | Plan tier and billing period |
Site and Scan Data
| Data | Purpose | Stored As |
|---|---|---|
| Domain names and URLs | Identify which pages to monitor | Plain text |
| Script inventory | Baseline for change detection | URLs and SHA-256 content hashes |
| Security headers | Header tamper detection | Header name-value pairs |
| Scan results and snapshots | Change history and compliance evidence | Structured records with timestamps |
Technical Data
| Data | Purpose | Retention |
|---|---|---|
| IP address | Server access logs, rate limiting | 30 days in server logs |
| JWT authentication token | Session management | Browser localStorage (client-side only) |
What We Do Not Collect
- No tracking cookies or advertising identifiers
- No third-party analytics (no Google Analytics, Hotjar, or similar)
- No personal data of your website visitors
- No credit card numbers (payments handled entirely by Stripe)
- No browser fingerprinting of our users
- No data sharing with data brokers or advertisers
2. How We Use Your Data
We process your data exclusively to provide and improve our security monitoring service. We have a lawful basis for each processing activity under GDPR:
Scanning your websites, detecting changes, sending alerts
Authentication, subscription management, customer support
Rate limiting, fraud detection, protecting our infrastructure
Analyzing scan success rates and system performance (aggregated, non-personal)
Responding to lawful requests, maintaining required records
Alert notifications, scan reports, account security notices
3. Website Scanning
ScriptPatrol scans the public-facing pages of websites you register in your account. It is important to understand what this involves:
1. We only scan URLs you explicitly add to your account. We never scan pages you have not authorized.
2. Our automated scanning technology visits your pages like a regular browser, loading the page and recording which scripts and security headers are present.
3. We store script URLs and content hashes (SHA-256). We do not store the full content of third-party scripts.
4. We do not collect, process, or store any personal data belonging to your website visitors. Our scanner does not interact with forms, submit data, or capture user sessions.
5. If you provide authentication credentials for pages behind a login (such as admin panels), those credentials are encrypted at rest using AES-256 and used solely to access the pages you specified.
4. Cookies and Local Storage
We use only the minimum browser storage required for our application to function. We do not use any tracking or advertising cookies.
| Name | Type | Purpose | Duration |
|---|---|---|---|
| _csrf | Strictly necessary cookie | Cross-site request forgery protection | Session |
| token | localStorage | JWT authentication token | Until logout or expiry |
Because we only use strictly necessary cookies, no cookie consent banner is required under GDPR. We do not use cookies for analytics, advertising, or tracking of any kind.
5. Third-Party Processors
We use a limited number of third-party services to operate ScriptPatrol. Each processor has been selected for their strong privacy and security practices. We have Data Processing Agreements (DPAs) with each processor where required.
Stripe
United States (EU SCCs in place)
Purpose: Payment processing
Data shared: Email address, subscription details, payment method (card details are never sent to our servers)
Hetzner
Germany (EU)
Purpose: Infrastructure hosting
Data shared: All application data (stored on servers in Germany)
Self-hosted email server
Germany (EU), same infrastructure
Purpose: Transactional emails (alerts, reports)
Data shared: Email addresses, notification content
6. Data Retention
We retain your data only as long as necessary to provide our service and meet our legal obligations.
| Data Type | Retention Period | After Deletion |
|---|---|---|
| Account data | Until you delete your account | Permanently deleted within 30 days |
| Site and scan data | Duration of your subscription | Deleted 30 days after subscription ends |
| Compliance evidence | Duration of your subscription | Deleted 30 days after subscription ends |
| Server logs (IP addresses) | 30 days | Automatically purged |
| Payment records | As required by tax law (typically 7 years) | Retained by Stripe per their policy |
7. Data Security
We implement technical and organizational measures to protect your data:
Encryption in transit
All connections use TLS 1.2 or higher. Our API and dashboard are only accessible over HTTPS.
Encryption at rest
Sensitive data (site credentials, API keys) is encrypted with AES-256 before storage.
Password hashing
Passwords are hashed with bcrypt using a per-application salt. We cannot recover your password.
Access controls
Each user can only access their own sites and data. All API endpoints require JWT authentication.
Infrastructure security
Our servers run in Hetzner data centers in Germany with physical security, redundancy, and ISO 27001 certification.
Audit logging
Security-relevant actions (login, settings changes, data export) are logged with timestamps and IP addresses.
8. Your Rights
Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
9. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
- Right to know: You may request what personal information we collect, use, and disclose about you.
- Right to delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to opt-out of sale: We do not sell personal information. We have never sold personal information and have no plans to do so.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your CCPA rights, email [email protected] with the subject line “CCPA Request”. We will verify your identity and respond within 45 days.
10. International Data Transfers
Your data is primarily stored and processed in Germany (EU). When data is transferred to processors outside the EU (such as Stripe in the United States), we ensure appropriate safeguards are in place:
- EU Standard Contractual Clauses (SCCs) with all non-EU processors
- Adequacy decisions where applicable
- Verification that processors maintain appropriate security certifications (SOC 2, ISO 27001)
11. Outreach Communication
ScriptPatrol occasionally sends one-time business introduction emails to publicly listed e-commerce shops in EU markets (Czech Republic, Slovakia, Hungary, Romania, Bulgaria, Estonia, Poland). If you received such an email, this section explains what data was processed about your shop, on what legal basis, and how to opt out.
Legal basis
GDPR Article 6(1)(f) — legitimate interest. We process publicly available business contact data to introduce a relevant security-monitoring service. Our interest is balanced against your right to be left alone via a mandatory one-click unsubscribe in every message.
What we process (per GDPR Article 14)
Because we did not collect this data directly from you, the GDPR requires us to disclose where it came from. Below is the complete record:
| Data | Source | Purpose |
|---|---|---|
| Shop domain | Public marketplace catalogues (Heureka.cz/.sk, Árukereső.hu, Compari.ro, Pazaruvaj.com, Hinnavaatlus.ee, Opineo.pl) | Identify the shop |
| Role-based contact email (info@, kontakt@, obchod@) | Public homepage or contact page of the shop | Deliver the one-time introduction |
| Public technical findings (script count, missing security headers) | Automated scan of the public homepage | Personalise the message with a real finding |
| Send / open / click / reply timestamps | Our SMTP logs | Frequency capping, enforce opt-outs, measure response |
What we do NOT process
- No personal email of named individuals (e.g. firstname.lastname@). Only role-based shop addresses.
- No data from behind a login wall — only the public homepage and contact page are read.
- No payment, identity, or credit data of you or your customers.
- No data about your website visitors.
Frequency and opt-out
1. At most one introduction email per address every 90 days.
2. Every email includes a one-click unsubscribe link (RFC 8058) and a visible "odhlásit" / "unsubscribe" link in the footer.
3. Once unsubscribed, the address is added to a permanent suppression list and will never receive another outreach communication from us, even if a new prospect record appears.
4. A hard bounce from your mail server is treated as a permanent opt-out automatically.
Your rights as a recipient
Even if you never created a ScriptPatrol account, you have the full GDPR rights listed in section 8 over the outreach record we hold about your shop. The most relevant ones:
- Right to object (Art. 21): click the unsubscribe link in any email, or write to [email protected].
- Right to erasure (Art. 17): we will delete the prospect record and add the address to permanent suppression on request.
- Right to access (Art. 15): we will send you a copy of everything we hold about your domain within 30 days.
- Right to lodge a complaint: contact your national supervisory authority — ÚOOÚ (CZ), ÚOOÚ.sk (SK), NAIH (HU), ANSPDCP (RO), CPDP (BG), AKI (EE), UODO (PL).
Retention
Outreach campaign records (which address received what, when) are kept for 24 months to enforce frequency capping and respond to any disputes, then deleted. Unsubscribe records are kept indefinitely — deleting them would risk re-mailing the same address, which is the exact opposite of what you asked us to do when you unsubscribed.
Sender identity
ScriptPatrol is operated by Martin Stach. Contact for any outreach-related question or GDPR request: [email protected].
12. Children's Privacy
ScriptPatrol is a business-to-business service intended for use by organizations and professionals. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you by email if the changes materially affect how we process your data
- Provide at least 30 days' notice before material changes take effect
14. Contact
If you have questions about this Privacy Policy, want to exercise your rights, or have a privacy concern, you can reach us at:
We aim to respond to all privacy-related inquiries within 30 days. For urgent security matters, please include “URGENT” in your subject line.