Legal
Effective July 2026
Decloak (decloak.dev) is operated by Sparrow Technology Ltd, a company registered in England and Wales under company number 15676284 (“Sparrow Technology”, “we”, “us”, “our”). This policy explains what data we collect when you use Decloak, why, and how you can control it.
Findings from your scan are sent to a third-party AI provider to generate the plain-English executive summary and, on paid scans, to guide the investigation agent and produce remediation text. Only scan findings and evidence are sent for this purpose - not your account credentials or billing information.
We rely on the following third parties to run the service. Each processes only the data necessary for its function:
Your session token is stored in your browser's local storage to keep you signed in - it is not shared with third parties and is cleared when you sign out.
We use Google Analytics to understand aggregate site usage (pages viewed, referral source, approximate location and device type) and the Reddit Ads pixel to measure the performance of our Reddit ad campaigns. Neither loads, and no analytics or advertising cookies (e.g. _ga, _ga_*) are set, until you accept the cookie banner shown on your first visit. This data is processed by Google and Reddit under their own privacy terms; we do not use it to identify individual visitors or combine it with scan results. You can withdraw consent at any time by clearing your browser's local storage for this site, which shows the banner again.
Enterprise customers can optionally install the Decloak Session Capture browser extension (Chrome and Firefox) to run an authenticated scan - one that crawls a site as a logged-in user, including sites using passkey/WebAuthn sign-in. The extension only acts when you click its “Capture” button, and only against the one site open in your current tab - it does not run in the background and does not have standing access to your browsing.
When you click Capture, the extension reads that tab's cookies and local/session storage and holds them in memory in the extension popup only - nothing is written to disk or synced. That data is sent to Decloak only if you separately paste a single-use capture code (shown in your Enterprise scan setup) and click “Send to Decloak,” over HTTPS directly to our API. Closing the popup without sending discards the capture entirely.
A capture code and the session it carries expire after 15 minutes and can be used once. Once a scan consumes it, we delete the captured cookies/storage from our systems immediately - it is not retained as a stored credential, and it is never shared with third parties. It exists solely to let that one scan crawl your target as an authenticated user.
The exception is a capture you explicitly link to a scheduled recurring scan: since there is no one there to click “Capture” again before each automated run, that capture is retained (encrypted at rest) and re-validated for liveness before every run, rather than deleted after one use. You can revoke it at any time from the schedule's settings, which deletes the stored session immediately.
Scans and their findings are retained so you can view report history and run comparisons over time. If you delete a scan or your account, the associated data is removed from active storage. Billing records are retained as required for tax and accounting purposes even after cancellation.
If you're in the UK or EEA, you have rights under UK GDPR / GDPR including access to, correction of, and deletion of your personal data, and the right to object to or restrict certain processing. To exercise any of these, email support@decloak.dev.
Some of the third-party processors listed above may process data outside the UK/EEA. Where they do, we rely on their own compliance mechanisms (such as Standard Contractual Clauses) for that transfer.
We may update this policy from time to time. Material changes will be reflected by updating the effective date at the top of this page.
Questions about this policy or your data can be sent to support@decloak.dev.