Privacy Policy

Last updated: April 19, 2026

This policy describes how PublicVector collects, uses, and protects your information when you use the PublicVector service at publicvector.io (the "Service").

1. Information we collect

Information you provide

Email address. You provide your email when starting a free trial or subscribing. We use it to deliver access links, notify you about your subscription, and recover access.
Payment information. Paid subscriptions are processed by Stripe. PublicVector does not receive or store your full card number. Stripe may share limited billing metadata (customer ID, subscription status) with us to manage your access.

Information we collect automatically

Access cookies. We set a single access_token cookie (HttpOnly, Secure, SameSite=Lax) to authenticate you. No advertising or cross-site tracking cookies are used.
Server logs. Our hosting providers record standard request logs including IP address, user agent, requested path, and timestamp. These are used for security, rate limiting, and debugging, and are retained for up to 90 days.
Usage metrics. We record which URLs and mobile app packages authenticated users scan in order to meter trial quotas and improve the service.

Information we do not collect

We do not use third-party advertising trackers, analytics pixels, session replay, or behavioral advertising on PublicVector pages.
We do not sell personal information.
We do not knowingly collect data from children under 13.

2. How we use your information

To provide the Service — authentication, scan execution, result display.
To bill subscribers and process payments via Stripe.
To send transactional emails (magic links, access recovery, billing notices).
To meter trial usage and enforce plan limits.
To investigate abuse and secure the Service.
To comply with law and respond to lawful requests.

3. Service providers we share data with

We share personal data only with providers needed to operate the Service:

Stripe, Inc. — payment processing.
Resend, Inc. — transactional email delivery.
Supabase, Inc. — managed database for user accounts and scan results.
Vercel, Inc. — web application hosting.
Railway Corp. — hosted scanning infrastructure.

Each provider is bound by its own privacy terms and a data-processing agreement.

4. Scanned websites and mobile apps

When you scan a public website or analyze a publicly distributed mobile app, we capture network requests, tracker fingerprints, cookies, policy text, and similar technical signals from that target. We do not scan private or authenticated environments on your behalf unless you explicitly authorize it by providing credentials or session cookies. You are responsible for ensuring you have the right to scan the targets you submit.

5. Data retention

Access tokens: 3 days (trial) or 1 year (paid), renewable on subscription renewal.
Account email: retained while your account is active and for 12 months after cancellation.
Scan results and tracker evidence: retained indefinitely as part of the public-interest compliance database.
Server logs: up to 90 days.

6. Your rights

Depending on where you live, you may have the right to:

Access the personal data we hold about you.
Correct inaccurate data.
Delete your account and associated personal data.
Export your data in a portable format.
Object to or restrict processing.
Withdraw consent where processing is based on consent.

To exercise any of these rights, email admin@publicvector.io. We will respond within 30 days.

California residents (CCPA / CPRA)

California residents may request disclosure of personal information collected, sold, or shared in the past 12 months. PublicVector does not sell or share personal information for cross-context behavioral advertising.

EU / UK residents (GDPR)

Our legal bases are: contract performance (providing the Service), legitimate interests (security, abuse prevention), legal obligation (tax, lawful requests), and consent (where applicable).

7. Security

We use TLS for all traffic, store access tokens as hashed values, process payment through PCI-compliant Stripe infrastructure, and restrict administrative access to vetted personnel. No system is perfectly secure; if you discover a vulnerability, email admin@publicvector.io.

8. Children

The Service is intended for professional use. We do not knowingly collect personal data from anyone under 13.

9. Changes to this policy

We may update this policy. Material changes will be announced via the Service or email to active subscribers. The “Last updated” date above will always reflect the current version.

10. Contact

Questions, requests, or complaints: admin@publicvector.io