Legal

Privacy Policy

Effective July 2026

Decloak (decloak.dev) is operated by Sparrow Technology Ltd, a company registered in England and Wales under company number 15676284 (“Sparrow Technology”, “we”, “us”, “our”). This policy explains what data we collect when you use Decloak, why, and how you can control it.

1. What we collect

  • Account data - email address, and authentication data if you register a passkey. We use Supabase for authentication; sign-in is passwordless (magic link or passkey).
  • Scan data - the URL you submit, and the findings, evidence snippets, and metadata (response headers, script URLs, detected library versions, third-party domains contacted, etc.) produced by scanning it. Free-tier scans can be created without an account; if you're signed in, scans are associated with your account.
  • Billing data - if you subscribe to a paid plan, payment is processed by Stripe. We store your Stripe customer and subscription IDs and plan status - we do not receive or store your full card details.
  • Usage data - basic request metadata (e.g. IP address) used for free-tier rate limiting and abuse prevention.

2. How we use it

  • To run scans and generate your report.
  • To let you save, view, and compare your scan history if you have an account.
  • To send scan-complete email notifications, if enabled (you can opt out in Account Settings).
  • To process billing and manage your subscription.
  • To enforce rate limits and prevent abuse of the service.

3. AI processing

Findings from your scan are sent to a third-party AI provider to generate the plain-English executive summary and, on paid scans, to guide the investigation agent and produce remediation text. Only scan findings and evidence are sent for this purpose - not your account credentials or billing information.

4. Third-party processors

We rely on the following third parties to run the service. Each processes only the data necessary for its function:

  • Supabase - authentication and database hosting
  • Stripe - subscription billing and payment processing
  • Browserless - headless browser rendering used to analyse the pages you scan
  • An AI model provider - generates report summaries and remediation guidance
  • An email delivery provider - sends scan-complete and account notification emails
  • NVD (National Vulnerability Database) - queried for CVE data matched against detected software versions; no personal data is sent

5. Cookies and local storage

Your session token is stored in your browser's local storage to keep you signed in - it is not shared with third parties and is cleared when you sign out.

We use Google Analytics to understand aggregate site usage (pages viewed, referral source, approximate location and device type) and the Reddit Ads pixel to measure the performance of our Reddit ad campaigns. Neither loads, and no analytics or advertising cookies (e.g. _ga, _ga_*) are set, until you accept the cookie banner shown on your first visit. This data is processed by Google and Reddit under their own privacy terms; we do not use it to identify individual visitors or combine it with scan results. You can withdraw consent at any time by clearing your browser's local storage for this site, which shows the banner again.

6. Browser extension (Session Capture)

Enterprise customers can optionally install the Decloak Session Capture browser extension (Chrome and Firefox) to run an authenticated scan - one that crawls a site as a logged-in user, including sites using passkey/WebAuthn sign-in. The extension only acts when you click its “Capture” button, and only against the one site open in your current tab - it does not run in the background and does not have standing access to your browsing.

When you click Capture, the extension reads that tab's cookies and local/session storage and holds them in memory in the extension popup only - nothing is written to disk or synced. That data is sent to Decloak only if you separately paste a single-use capture code (shown in your Enterprise scan setup) and click “Send to Decloak,” over HTTPS directly to our API. Closing the popup without sending discards the capture entirely.

A capture code and the session it carries expire after 15 minutes and can be used once. Once a scan consumes it, we delete the captured cookies/storage from our systems immediately - it is not retained as a stored credential, and it is never shared with third parties. It exists solely to let that one scan crawl your target as an authenticated user.

The exception is a capture you explicitly link to a scheduled recurring scan: since there is no one there to click “Capture” again before each automated run, that capture is retained (encrypted at rest) and re-validated for liveness before every run, rather than deleted after one use. You can revoke it at any time from the schedule's settings, which deletes the stored session immediately.

7. Data retention

Scans and their findings are retained so you can view report history and run comparisons over time. If you delete a scan or your account, the associated data is removed from active storage. Billing records are retained as required for tax and accounting purposes even after cancellation.

8. Your rights

If you're in the UK or EEA, you have rights under UK GDPR / GDPR including access to, correction of, and deletion of your personal data, and the right to object to or restrict certain processing. To exercise any of these, email support@decloak.dev.

9. International transfers

Some of the third-party processors listed above may process data outside the UK/EEA. Where they do, we rely on their own compliance mechanisms (such as Standard Contractual Clauses) for that transfer.

10. Changes to this policy

We may update this policy from time to time. Material changes will be reflected by updating the effective date at the top of this page.

11. Contact

Questions about this policy or your data can be sent to support@decloak.dev.