Privacy Policy

Last updated: March 25, 2026

1. Overview

SecureMonk ("we", "us", "the Service") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights regarding that data.

2. Data We Collect

2.1 Scan Data

When you perform a scan, we collect:

  • Target URL/hostname — the website you chose to scan
  • Scan results — TLS configuration, security header findings, and (if enabled) detected technologies with associated CVE data. All data is publicly observable.
  • Timestamp — when the scan was performed
  • Scan options — whether the optional vulnerability scan was requested

2.2 Ask Monk AI Chatbot Data

When you use Ask Monk, the following data is processed:

  • Chat messages — questions you submit are sent to the Anthropic Claude API to generate responses. Anthropic processes these messages subject to their own Privacy Policy. Do not include sensitive, personal, or confidential information in chat messages.
  • Semantic embeddings — your questions are converted into vector embeddings via the Voyage AI API to retrieve relevant context from our security knowledge base. Only the text of your question is sent; no personally identifiable information is included. Voyage AI handles this data under their Privacy Policy.
  • Rate limit tracking — a one-way SHA-256 hash of your IP address is used to enforce per-user daily chat limits. The raw IP address is never stored.
  • Chat history (local only) — your conversation history is stored exclusively in your browser's localStorage. It is never transmitted to or stored on our servers. Clearing your browser data will permanently delete your chat history.

2.3 Anonymized Analytics

  • IP address hash — your IP address is irreversibly hashed (SHA-256 with a rotating salt) before storage. We cannot recover your actual IP address from this hash.
  • Aggregate statistics — daily scan counts, average scores, common security issues, and Ask Monk usage counts

2.4 What We Do NOT Collect

  • No cookies (we do not use tracking cookies)
  • No user accounts or personal profiles
  • No raw IP addresses (only irreversible hashes)
  • No browser fingerprinting
  • No third-party analytics or advertising trackers
  • No email addresses (unless you contact us directly or choose to provide one in the optional feedback survey — see 2.5)
  • No chat message content is stored on our servers — Ask Monk conversations exist only in your browser's localStorage

2.5 Feedback Survey

SecureMonk occasionally shows a short, optional feedback survey to returning visitors. If you choose to submit it, we collect only what you enter:

  • A rating and category — a 1-5 star rating and an optional topic (idea, bug, praise, other)
  • Your message — only the free text you type, if any
  • Your email — only if you choose to provide one, and used solely to reply to your feedback. It is never required, never used for marketing, and never shared
  • A hashed IP — your IP address is hashed with a secret server-side key (HMAC-SHA-256) before storage, used only to limit spam. We cannot recover your IP from it

The survey is entirely optional. If you dismiss it, it will not reappear for a while; once you submit it, it will not reappear at all. To request deletion of feedback you submitted, contact us at the address in section 11.

3. How We Use Data

Collected data is used solely for:

  • Displaying scan results to you
  • Generating AI responses via the Anthropic Claude API (Ask Monk)
  • Retrieving relevant security context via semantic search (Voyage AI embeddings)
  • Rate limiting to prevent abuse (using IP hashes)
  • Generating anonymous aggregate statistics about web security trends
  • Improving the accuracy and reliability of the Service

4. Data Storage and Security

  • Scan data and rate limit hashes are stored in a PostgreSQL database on Google Cloud Platform (GCP), US region
  • The RAG knowledge base (security document embeddings) is stored in the same PostgreSQL database using the pgvector extension
  • Database connections are encrypted with TLS/SSL
  • The database server has no public IP address and is accessible only through a private VPC
  • Database credentials are managed via GCP Secret Manager
  • Chat history is stored only in your browser's localStorage — it never leaves your device

5. Data Retention

Scan results are retained for operational and analytical purposes. IP hashes used for rate limiting are stored only for the duration needed to enforce limits and are periodically purged. Chat history exists only in your browser and is retained until you clear your browser data. We may periodically purge old scan data to manage storage costs.

6. Data Sharing

We do not sell, rent, trade, or share your data with third parties, except as necessary to operate the Service (i.e., processing chat messages through the Anthropic Claude API and generating embeddings via Voyage AI). We do not display individual scan results publicly. Aggregate, anonymized statistics (e.g., "X% of scanned sites lack HSTS") may be shared publicly.

7. Third-Party Services

Google Cloud Platform

The Service runs on Google Cloud Platform (GCP). Google's infrastructure may process requests as part of normal operations (load balancing, CDN, DDoS mitigation). Please refer to Google Cloud's Privacy Notice for details on their data handling practices.

Cloudflare

Traffic to securemonk.io is proxied through Cloudflare, which provides DDoS mitigation, CDN, and performance optimization. Cloudflare may process request metadata (IP address, headers, request path) in accordance with their Privacy Policy.

We use Cloudflare Browser Insights (Real User Monitoring) to collect anonymized page performance metrics — such as page load time, time to first byte, and Core Web Vitals — from real visitors. This data is used solely to monitor and improve site performance. Cloudflare Browser Insights does not track individuals across sites and does not use cookies for tracking purposes.

Anthropic Claude API

Ask Monk responses are generated by the Anthropic Claude API. When you submit a question to Ask Monk, the text of your question (along with relevant security context retrieved from our knowledge base) is sent to Anthropic for processing. Anthropic handles this data under their Privacy Policy. Do not include sensitive, confidential, or personally identifiable information in Ask Monk conversations.

Voyage AI

Ask Monk uses the Voyage AI API to convert your questions into semantic vector embeddings for knowledge base retrieval. The text of your question is sent to Voyage AI for this purpose. Only the query text is transmitted — no personal data, scan results, or session information is included. Voyage AI handles this data under their Privacy Policy.

National Vulnerability Database (NVD)

When the optional vulnerability scan is enabled, the Service queries the NVD API (operated by NIST) to retrieve CVE data for detected technologies. No user data is sent to the NVD; only technology identifiers (CPE strings) are included in API queries.

OSV.dev (Open Source Vulnerabilities)

When the optional vulnerability scan is enabled and a target site exposes a package manifest (e.g. package-lock.json, composer.lock) or a source map, the Service queries OSV.dev (operated by Google) to look up advisories for the discovered packages. The package name and version pairs from the scanned target are sent to OSV.dev; no user data, IP, or session information is included.

Google Gemini AI

Daily security news summaries are generated using the Google Gemini API. Input to the API consists solely of publicly available RSS feed content (news headlines and summaries). No user data, chat messages, or scan results are sent to the Gemini API.

8. Your Rights

You have the right to:

  • Request information about what data we hold related to your usage
  • Request deletion of data associated with your scans (subject to technical feasibility given our anonymization practices)
  • Delete your Ask Monk chat history at any time by clearing your browser's localStorage
  • Opt out of using the Service at any time by simply not visiting the site

9. Children's Privacy

The Service is not directed at individuals under the age of 13. We do not knowingly collect data from children.

10. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be reflected by the "Last updated" date at the top of this page.

11. Contact

For privacy-related inquiries, contact us at [email protected].