Skip to content

Privacy policy

Draft — effective at beta launch. Last updated: 7 July 2026.

The short version (TL;DR)

  • We collect the minimum needed to run your audits: your email, the identifiers you track, the services you follow, and your check history.
  • Sensitive fields are encrypted at the field level. We never store passwords for other services, and we never get access to your accounts.
  • We never sell your data and run no advertising trackers.
  • We use a small number of processors (breach data, AI summaries, hosting, email) and share only what each strictly needs.
  • You can export or delete everything yourself, anytime.
  • Questions or requests: privacy@secbird.io.

The long version below says the same things with the precision a legal document needs.

Who we are

SecBird ("we") is the data controller for the personal data processed through secbird.io. Contact: privacy@secbird.io.

What we collect and why

DataWhyLegal basis
Account data (email, name, password hash, 2FA settings)Sign you in, secure your accountContract
Profile identifiers (encrypted)The identities you asked us to auditContract
Services followed, check attestations, inventories (encrypted)Your scores, history, and walkthroughsContract
Monitored email addresses (encrypted) and breach matchesBreach alerts you asked forContract
Notifications sentYour notification feedContract
Technical logs (IP, user agent, timestamps)Security, abuse prevention, debuggingLegitimate interest

We do not collect browsing history, advertising identifiers, or the contents of your accounts on other services, and we run no third-party trackers.

Processors we use

  • Have I Been Pwned — breach lookups. Receives the email addresses you asked us to monitor, after you verify them.
  • Anthropic — plain-language summaries of policy changes. Receives excerpts of public legal documents; never your personal data.
  • Stripe — billing for paid plans. Card data lives only at Stripe, never on our servers.
  • Email delivery and hosting providers — named in the sub-processor list when we go live; each receives only what the function requires.

The complete, always-current list lives at /legal/sub-processors.

We never sell personal data. We disclose it only when a law we are subject to compels us, and we'll tell you unless legally barred.

Retention

Your data lives as long as your account does. Delete your account and your personal data is deleted — not deactivated. Some data is trimmed earlier on a schedule (old notifications after 12 months, old document snapshots after 24). Backups age out on a fixed cycle after deletion.

Your rights

Access, rectification, erasure, portability, restriction, and objection (GDPR arts. 15–21). Export and deletion are self-service in the app; for anything else, email privacy@secbird.io. You can also complain to your data-protection authority — in the Netherlands, the Autoriteit Persoonsgegevens.

Changes to this policy

We track other services' policy changes for a living, so we hold ourselves to the standard we wish they met: meaningful changes are announced in plain language before they take effect, with a diff.