How Hack My Website handles your data
This policy explains what information is collected when you use Hack My Website, why it is used, and how it is protected.
Information we collect
We collect account identity information provided by Firebase Authentication, the domain origins you register, scan results produced by the scanning engine, and report data generated for the product experience. We also collect the operational logs needed to keep the service secure and functioning.
How we use that information
We use the information only to authenticate users, verify domain ownership, run website scans, generate reports, and improve service reliability. We do not need your website source code to run the standard domain scan flow.
Domain ownership and scan safety
Hack My Website is designed to scan only domains controlled by the customer. The platform requires ownership verification before a scan is allowed. Requests aimed at localhost, private IP ranges, or internal infrastructure are blocked by design.
Storage and retention
Account information, domain records, scan records, structured findings, audit logs, and billing records may be stored in application databases and linked storage services used by the product. Report artifacts may also be stored for later download.
Third-party services
The product currently integrates with Firebase for authentication and storage, and Gemini for report summarization. Scanner results may be processed through these services where needed to deliver the product experience.
Security posture
We aim to reduce unnecessary exposure by validating user input, restricting internal-network targets, and protecting access to account-scoped resources. Even so, no system should be described as perfectly secure, and customers should treat scan results as sensitive.
Export and deletion
Authenticated users can request an export of account-scoped data and can delete their account data. Deletion anonymizes the account and strips personal content from retained operational records that may be needed for security, billing, fraud prevention, or legal obligations.
Contact
Privacy requests should be sent through the production support channel listed in the app or on the billing receipt. We will verify account ownership before acting on account-specific requests.