Privacy policy
Draft — effective at beta launch. Last updated: 7 July 2026.
The short version (TL;DR)
- We collect the minimum needed to run your audits: your email, the identifiers you track, the services you follow, and your check history.
- Sensitive fields are encrypted at the field level. We never store passwords for other services, and we never get access to your accounts.
- We never sell your data and run no advertising trackers.
- We use a small number of processors (breach data, AI summaries, hosting, email) and share only what each strictly needs.
- You can export or delete everything yourself, anytime.
- Questions or requests: privacy@secbird.io.
The long version below says the same things with the precision a legal document needs.
Who we are
SecBird ("we") is the data controller for the personal data processed through secbird.io. Contact: privacy@secbird.io.
What we collect and why
| Data | Why | Legal basis |
|---|---|---|
| Account data (email, name, password hash, 2FA settings) | Sign you in, secure your account | Contract |
| Profile identifiers (encrypted) | The identities you asked us to audit | Contract |
| Services followed, check attestations, inventories (encrypted) | Your scores, history, and walkthroughs | Contract |
| Monitored email addresses (encrypted) and breach matches | Breach alerts you asked for | Contract |
| Notifications sent | Your notification feed | Contract |
| Technical logs (IP, user agent, timestamps) | Security, abuse prevention, debugging | Legitimate interest |
We do not collect browsing history, advertising identifiers, or the contents of your accounts on other services, and we run no third-party trackers.
Processors we use
- Have I Been Pwned — breach lookups. Receives the email addresses you asked us to monitor, after you verify them.
- Anthropic — plain-language summaries of policy changes. Receives excerpts of public legal documents; never your personal data.
- Stripe — billing for paid plans. Card data lives only at Stripe, never on our servers.
- Email delivery and hosting providers — named in the sub-processor list when we go live; each receives only what the function requires.
The complete, always-current list lives at /legal/sub-processors.
We never sell personal data. We disclose it only when a law we are subject to compels us, and we'll tell you unless legally barred.
Retention
Your data lives as long as your account does. Delete your account and your personal data is deleted — not deactivated. Some data is trimmed earlier on a schedule (old notifications after 12 months, old document snapshots after 24). Backups age out on a fixed cycle after deletion.
Your rights
Access, rectification, erasure, portability, restriction, and objection (GDPR arts. 15–21). Export and deletion are self-service in the app; for anything else, email privacy@secbird.io. You can also complain to your data-protection authority — in the Netherlands, the Autoriteit Persoonsgegevens.
Changes to this policy
We track other services' policy changes for a living, so we hold ourselves to the standard we wish they met: meaningful changes are announced in plain language before they take effect, with a diff.