Last updated: April 19, 2026. TestHawk is operated by Polsia, Inc.
What We Collect
When you use TestHawk, we collect the following:
- URLs you submit for scanning — the website addresses you enter for analysis. This is the core input for our service.
- Scan results — the output of our automated analysis, including discovered pages, detected issues, accessibility findings, security results, and health scores.
- Screenshots captured during scans — visual captures of pages examined during automated testing, stored to assist with issue reporting.
- Email addresses — provided when signing up for a trial, creating an account, or entering your email to receive scan results.
- IP addresses — logged for rate limiting and abuse prevention on free scan tiers.
- Browser and device information — user agent strings and basic device context, collected automatically to help us optimize scan quality.
How We Use Your Data
- Generating scan reports — URLs and scan results are processed to produce your audit report and health score.
- Delivering scheduled scan results — if you set up recurring scans, we use your email to send reports on schedule.
- Rate limiting — IP addresses are used to enforce fair use limits on free scans.
- Account management — your email is used for account authentication, billing notifications, and service communications.
- Service improvement — aggregated, anonymized scan data helps us improve detection accuracy and scan quality over time.
We will never sell your personal data to third parties or use it for advertising purposes.
Data Retention
- Free scan data — URLs and scan results are retained for 30 days, then automatically deleted.
- Paid accounts — scan data is retained for the duration of your subscription. After cancellation, data is retained for an additional 30 days before deletion.
- Email addresses — retained as long as your account is active. Deleted within 30 days of account closure.
- Screenshots — retained alongside scan data and deleted on the same schedule.
- IP address logs — anonymized and retained for up to 90 days for security and rate limiting purposes.
Third-Party Services
We use the following service providers to operate TestHawk:
- Stripe — payment processing. Stripe handles your payment details directly; we never store card numbers.
- Postmark — transactional email delivery (scan results, account notifications).
- Neon (Supabase) — our primary database provider. All user and scan data is stored on Neon PostgreSQL infrastructure.
- GitHub — webhook integration for CI/CD workflows. Connecting your GitHub account is optional.
- Browserbase / Stagehand — browser automation infrastructure used to run scans. Any data processed through this infrastructure is subject to Browserbase's data processing terms.
Each of these providers is contractually bound to process your data only to provide the services we contract them for.
Cookies & Tracking
TestHawk uses minimal cookies:
- Session cookies — required for authentication when you log into your account. These are deleted when you log out.
- Functional cookies — optional cookies to remember your preferences (e.g., chosen report format) between visits.
We do not use advertising cookies, cross-site tracking, or third-party analytics trackers (Google Analytics, Mixpanel, etc.) on TestHawk properties.
Data Security
We take data security seriously:
- All data is transmitted over TLS 1.2+ encryption.
- Database credentials are stored in environment variables and are never committed to code repositories.
- OAuth tokens and API keys are encrypted at rest using AES-256-GCM.
- Access to production systems is restricted to authorized personnel.
- Scan data is segmented by account — each user's data is isolated from others.
While we implement robust security measures, no internet-based service can guarantee 100% security. If you become aware of a security vulnerability in TestHawk, please contact us immediately at security@testhawk-2.polsia.app.
Your Rights
You have full control over your data. You can:
- Delete your data — delete your account and all associated scan data from your dashboard settings, or by emailing privacy@testhawk-2.polsia.app.
- Export your data — download your scan history and reports at any time from your dashboard.
- Request a data report — request a full export of all personal data we hold about you.
- Revoke integrations — disconnect your GitHub account or revoke webhook permissions at any time.
We will respond to all data requests within 30 days. Deletion requests are processed immediately and completed within 30 days.
GDPR & CCPA Compliance
For EU/EEA users (GDPR):
- We act as a data processor for the scan data you submit. You control what URLs are scanned.
- Our legal basis for processing is legitimate interest (providing the scan service) and contract performance (for account holders).
- You have the right to access, rectify, erase, restrict processing, and port your data.
- We do not transfer your data outside the EEA without adequate safeguards.
For California residents (CCPA/CPRA):
- We do not sell or share your personal information with third parties for advertising.
- You have the right to know what data we collect, request deletion, and opt out of the sale of your information (though we do not sell data).
- We do not discriminate against you for exercising your privacy rights.
Contact
Questions, data requests, or concerns? Reach us at:
Privacy Inquiries
For data deletion or export requests, include "Data Request" in the subject line.