Privacy Policy

Last updated: May 20, 2026

1. Introduction

SiteLeak ("we," "us," "our," or "the Service") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect information when you access or use our website and security scanning service at siteleak.com. It also describes your rights and choices regarding that information.

This policy applies to all users worldwide, including users in the European Economic Area (EEA), United Kingdom (UK), California (USA), and other jurisdictions with specific privacy regulations. Please read this policy carefully before using our Service.

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please stop using the Service immediately.

2. Data Controller

SiteLeak operates as the data controller for the personal data processed through this Service. For privacy-related requests or questions, contact us at [email protected].

3. What Data We Collect and Why

We collect the minimum amount of data necessary to operate and improve the Service. Below is a complete description of what we collect:

3.1 Data You Provide Directly

• Domain name submitted for scanning — The domain or URL you enter into the scan tool. This is stored so we can process and display your report, and to generate aggregate, anonymized statistics (e.g., total scans run). We do not collect any data from the target domain itself — only whether specific URL paths return a response.
• Email address — Only collected if you voluntarily submit it (e.g., to receive scan report links or monitoring notifications). We do not require an email to use the free scanner. If submitted, your email is used only to deliver the communication you requested and is never sold or shared with third parties for marketing.
• Messages and inquiries — If you contact us via email or the contact form, we retain those communications to respond to your request and improve our service.

3.2 Data Collected Automatically

• IP address — Collected temporarily to enforce rate limits and prevent abuse. We do not store IP addresses in our application database beyond what is needed for this purpose, and we do not correlate IP addresses with individual scan results in our records.
• Scan results — We store the results of each scan (a list of URL paths checked, HTTP status codes returned, and a timestamp) so that users can access their report via a unique, shareable link. We do not store the contents of any files found during a scan.
• Standard server access logs — Our hosting infrastructure automatically logs standard access data including IP addresses, HTTP method, URL requested, response code, user agent, and timestamps. These logs are used for security monitoring, debugging, and abuse prevention. They are retained for a limited period in accordance with our hosting provider's practices.
• Browser and device information — Via Google Analytics (see Section 6), we may collect anonymized information about your browser type, operating system, screen resolution, and referral source. This is aggregated and not linked to personal identity.

4. What We Do NOT Collect

• We do not collect, store, or transmit the contents of any file discovered during a scan.
• We do not use cookies for advertising, ad targeting, or behavioral profiling.
• We do not sell, rent, trade, or share your personal data with third-party advertisers or data brokers.
• We do not build user profiles or track individual behavior across the web.
• We do not require account registration or authentication to use the core scanning feature.
• We do not use fingerprinting techniques to track you across sessions.

5. Legal Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases as required by the General Data Protection Regulation (GDPR) and UK GDPR:

• Legitimate interests (Art. 6(1)(f) GDPR) — We process IP addresses and server logs to prevent abuse, enforce rate limits, and ensure the security and integrity of our Service. We have conducted a legitimate interests assessment and determined that this processing is necessary and proportionate.
• Performance of a contract / pre-contractual steps (Art. 6(1)(b) GDPR) — We process the domain name you submit and the resulting scan data to deliver the service you requested.
• Consent (Art. 6(1)(a) GDPR) — Where you voluntarily provide your email address, we rely on your consent as the legal basis for processing. You can withdraw consent at any time by contacting us.
• Compliance with a legal obligation (Art. 6(1)(c) GDPR) — We may process data where required by applicable law (e.g., retaining certain records for legal compliance).

6. Third-Party Services and Data Processors

We use the following third-party services that may process data on our behalf or independently:

• Google Analytics — We use Google Analytics (Google LLC, USA) to understand aggregate, anonymized traffic patterns and user behavior to improve our Service. Google Analytics may set first-party cookies in your browser. We have enabled IP anonymization. Google acts as a data processor on our behalf and may transfer data to the USA under standard contractual clauses. For details, see Google's Privacy Policy. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.
• Cloudflare — Our website is proxied through Cloudflare (Cloudflare, Inc., USA), which provides DDoS protection, CDN services, and security filtering. Cloudflare may process IP addresses and request metadata as part of this service. See Cloudflare's Privacy Policy.
• Hetzner Online GmbH (Hosting) — Our servers are hosted on Hetzner infrastructure (Hetzner Online GmbH, Germany). Standard server access logs may be retained by the hosting provider. Hetzner is headquartered in the EU and processes data under applicable EU law. See Hetzner's Privacy Policy.
• Google Fonts — We load the Space Grotesk and Inter typefaces from Google Fonts. When your browser requests these fonts, Google's servers may log your IP address. See Google's Privacy Policy. We use preconnect hints to minimize latency.

7. Cookies

We use only essential and analytics cookies:

• Google Analytics cookies — Used to collect anonymized traffic and usage data. You can opt out as described in Section 6.
• We do not use advertising cookies, tracking pixels, or any third-party marketing cookies.

Most browsers allow you to control cookies through their settings. Disabling analytics cookies will not affect your ability to use the scanner.

8. Data Retention

• Scan results — Retained indefinitely so that shareable report links remain functional. If you would like a scan result deleted, contact us at [email protected] with the scan ID or URL and we will delete it promptly.
• Email addresses — Retained until you unsubscribe or request deletion. We honor all deletion requests promptly.
• Server logs — Standard access logs are retained for a limited operational period (typically 30–90 days) before rotation and deletion.
• IP addresses for rate limiting — Stored in memory or short-term cache only, not persisted to our primary database beyond the rate-limiting window.

9. International Data Transfers

Our infrastructure is primarily based in the European Union (Germany, via Hetzner). Some of our third-party processors, including Google Analytics and Cloudflare, may transfer data to the United States or other countries. Where such transfers occur, we rely on appropriate safeguards such as the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), or the UK International Data Transfer Agreement, as applicable.

10. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

• Right of access — Request a copy of the personal data we hold about you.
• Right to rectification — Request correction of inaccurate personal data.
• Right to erasure ("right to be forgotten") — Request deletion of your personal data, subject to certain exceptions (e.g., legal obligations).
• Right to restriction of processing — Request that we limit the processing of your data in certain circumstances.
• Right to data portability — Request a copy of your data in a structured, machine-readable format.
• Right to object — Object to processing based on our legitimate interests, including direct marketing.
• Right to withdraw consent — Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Right not to be subject to automated decision-making — We do not use automated decision-making or profiling with significant legal effects.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing your request.

EEA/UK users: You have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your data violates applicable law. In the EU, you can find your national authority at edpb.europa.eu.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to know — You may request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to delete — You may request deletion of personal information we have collected about you, subject to certain exceptions.
• Right to correct — You may request correction of inaccurate personal information.
• Right to opt out of sale or sharing — We do not sell or share personal information for cross-context behavioral advertising. No opt-out is necessary, but you have this right regardless.
• Right to non-discrimination — We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at [email protected].

12. Children's Privacy

The Service is not directed to individuals under the age of 13 (or 16 in the EEA/UK, or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at [email protected] and we will delete such information promptly.

13. Security

We implement industry-standard technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. These include:

• Encrypted HTTPS connections on all pages and API endpoints.
• Firewall and DDoS protection via Cloudflare.
• Access controls limiting who can access backend systems.
• Minimal data collection practices to reduce risk.

However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, and use of the Service is at your own risk. In the event of a data breach that affects your rights, we will notify you and applicable regulators as required by law.

14. Do Not Track

Some browsers offer a "Do Not Track" (DNT) setting. Our Service does not currently respond to DNT signals, as there is no universal standard for how such signals should be interpreted. However, we do not engage in cross-site behavioral tracking regardless of DNT status.

15. Links to Third-Party Sites

Our Service may contain links to external websites or resources not operated by us. We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policy of every site you visit.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this policy. Where we are required by applicable law to notify you of changes, we will do so by email (if we have your email address) or by prominently posting a notice on our homepage. Your continued use of the Service after any change constitutes your acceptance of the updated policy.

17. Contact and Data Protection Inquiries

For any questions, concerns, or requests relating to this Privacy Policy or the handling of your personal data, please contact us:

• Email: [email protected]
• Contact form: siteleak.com/contact

We take all privacy inquiries seriously and aim to respond within 30 days.