1. Data we collect
- Account data you give us: your email, a hashed password, company name, and the domains / organizations / identifiers you ask us to monitor.
- Findings we detect on public sources and attribute to you: the source URL, a redacted preview and one-way hash of the secret, the detector type, and timestamps. We never store the plaintext secret.
- Billing data is handled by Stripe; we store only your plan tier and a customer reference, never card numbers.
2. How we use it
To run the monitoring service, attribute exposures to you, alert you, generate your reports, provide support, and process your subscription. We do not sell your data.
3. Sources we observe
We read publicly available content (public repositories, package registries, paste sites, the open and archived web, and similar public sources) to find exposures. We honor robots directives on general web crawling and observe rate limits. We do not access private systems or content behind authentication.
4. Isolation & security
Your findings are visible only to your account. We enforce tenant isolation at the database level (row-level security) so one customer can never see another's data. Secrets are redacted at detection; access to systems is limited and logged.
5. Sharing
We share data only with service providers that operate the platform (e.g. our payment processor and infrastructure hosts), under contract, and when required by law. As a SOCHQ product, data may be processed within the SOCHQ platform to deliver the service.
6. Retention & your rights
We keep account and finding data while your account is active and for a reasonable period after, then delete or de-identify it. You may request access to, correction of, or deletion of your data at privacy@sochq.io.
7. Contact
Privacy questions: privacy@sochq.io.