Privacy Policy
Last updated: March 2, 2026
1. Information We Collect
Supascan is a security auditing tool for Supabase. To provide our service, we collect:
- Account Information: We collect your email address when you sign in via Supabase Auth.
- Connection Strings: We temporarily process your Postgres connection strings purely to execute the security scan. We do not store database passwords. Passwords are used ephemerally in memory during the scan and are never persisted to our database or logs. A 3-second server-side timeout is enforced structurally on every connection.
- Scan Results: We store the full results of your security scans — including numeric score, letter grade, and the list of findings (severity, check ID, affected object, remediation SQL) — in our scans table. We store only metadata derived from Postgres system catalogs. We do not store or query your application's user data.
- Consent Ledger (scan_consent_log): Before every scan, we record an immutable entry containing your User ID (if authenticated), the Target Project Reference (a non-sensitive identifier derived from your connection string host), your IP address, your browser User-Agent string, and a UTC timestamp. This is required to prove you authorized each scan and to enforce rate limits. This data cannot be modified or deleted by users.
- Rate Limit Data: IP addresses collected in the Consent Ledger are used exclusively to enforce rate limits (5 scans/hour for authenticated users, 2/hour for unauthenticated visitors). They are not used for tracking, profiling, or advertising.
2. What We Do NOT Collect
- We do not read, copy, or store any rows from your application's data tables.
- We do not store your database password at any point.
- We do not use third-party analytics or advertising trackers.
- We do not sell your data to any party.
3. Use of Information
The information we collect is used solely to provide, maintain, and improve the Supascan service. This includes authenticating your account, performing security audits against system catalogs only, enforcing rate limits, generating your security score and findings report, generating PDF reports (Agency tier), enforcing the scan history depth per subscription tier, and processing payments via our merchant of record, Lemon Squeezy.
4. Third-Party Services
We rely on trusted third-party services to operate Supascan:
- Supabase: For user authentication and storing your project metadata, scan history, full scan results, and the consent ledger. Data is stored in Supabase-managed PostgreSQL with Row Level Security enforced on all user-facing tables.
- Vercel: For hosting the application and executing serverless scan actions. Your connection string is processed within a Vercel serverless function and never written to disk.
- Lemon Squeezy: For processing subscription payments. We do not process or store your credit card information.
5. Data Retention
- Scan results are retained as long as your account is active. Deleting a project deletes all associated scans via cascading database rules.
- Consent ledger entries are retained indefinitely as a legal compliance requirement. They cannot be deleted by users.
- Account data is deleted on account termination.
6. Cookies and Tracking
We use essential cookies required for authentication (Supabase session tokens). We do not use intrusive tracking cookies or sell your data to third-party advertisers.
7. Contact Us
If you have any questions about this Privacy Policy, please contact us at support@supascan.com.