Privacy Policy
Last updated: 1 June 2026
This Privacy Policy describes what information getcodeaudit.com collects, how we use it, when we share it, and your rights regarding it. The service is operated by Cruzetec Solutions, a partnership firm registered in India (GSTIN 03AAQFC5394M1ZW), with its registered office at Cruzetec Solutions, Mohali. For the purposes of the EU/UK GDPR, Cruzetec Solutions is the data controller for the personal data described here, and can be reached at support@getcodeaudit.com.
This policy applies to customers worldwide. Depending on where you live, you may have additional rights under laws such as the EU/UK GDPR or the California Consumer Privacy Act — see Your rights below.
This policy is written to be understandable. If anything is unclear, email support@getcodeaudit.com.
1. Information we collect
1.1 Information you give us directly
- Email address — required at checkout to deliver your report.
- Target URL or project name — what you want us to scan.
- Consent declarations — your confirmation that you're authorized to test the target.
- Support ticket contents — anything you submit through our support form or email.
1.2 Information collected automatically
- IP address — captured at order placement and ticket submission. Used for rate-limiting and abuse prevention. Stored for 90 days, then purged.
- Browser user agent — captured for the same reasons as IP.
- Order timestamps and scan progress events — captured to deliver the live-activity page and report.
- Razorpay transaction identifiers — order ID, payment ID, refund ID. Retained per RBI / tax requirements.
1.3 What we do NOT collect
- Your payment card details. All card data is captured by Razorpay's checkout widget and never touches our servers. We only receive an opaque payment identifier from Razorpay.
- Cookies for tracking / advertising. The only cookie our site sets is a session cookie for the admin panel (used only by us). No third-party analytics, no Facebook Pixel, no Google Ads.
- Any data from your scan target beyond what the scan needs.
2. How we use your information
Information you provide is used to:
- Deliver the service you paid for (run your scan, generate your report, email it to you).
- Process payment via Razorpay (your email and payment amount are shared with Razorpay).
- Process refunds when applicable.
- Respond to your support requests.
- Detect abuse and prevent fraud.
- Comply with Indian tax and accounting laws (GST, income tax).
We do not use your information for any other purpose, and we don't share it with anyone for marketing.
3. Scan findings and reports
When we scan a target you provided, we generate a "findings" record describing the security issues we found. This record:
- Is stored alongside your order in our database, encrypted at rest.
- Is rendered into a PDF report and emailed to the address you provided at checkout.
- Is retained for 30 days after delivery, so you can re-download the PDF if you lose it.
- Is then automatically purged from our database.
We do not share scan findings with anyone other than you. We do not aggregate them for research or commercial purposes. We do not pass them to the target's owner if that owner is different from the person who paid (that's your responsibility per the consent form).
4. Data sharing with third parties
We share the minimum necessary data with the following service providers:
- Razorpay — for payment processing and refunds. They receive your email, payment amount, and order ID. Their privacy policy is at razorpay.com/privacy.
- Our SMTP provider — receives your email and the report attachment to deliver to you.
- Our hosting provider — receives the same data as any web host (IP addresses, request paths) for the purpose of running our servers.
We do not share your data with:
- Advertising networks (we don't advertise).
- Data brokers or list-builders.
- Other GetCodeAudit customers.
- Anyone, for any compensation.
5. Legal disclosure
We may disclose your information when legally required — in response to a court order, subpoena, or other valid government request — or when we have a good-faith belief that disclosure is necessary to protect our rights or the safety of others, or to prevent illegal activity (including unauthorized penetration testing of third-party systems via our service).
If you placed an order for a target you are not authorized to test, we may share your order record, IP address, and identity with the affected target owner or with law enforcement.
6. Data retention
| Data type | Retention |
|---|---|
| Scan findings & PDF report | 30 days after delivery |
| Order record (email, target) | 12 months after the order |
| Tax/invoice record (amount, payment ID, GSTIN if applicable) | Only as long as required by applicable tax law |
| IP address & user agent | 90 days |
| Support tickets | 3 years |
| Audit log (scan progress events) | 90 days |
We keep personal data only as long as needed for the purpose it was collected, plus any period required by law (such as tax record-keeping). Where the law requires us to keep a record, we keep the minimum necessary (e.g. the invoice amount and payment reference) rather than your full order detail.
7. Security
Security is what we sell, so we take protecting your data seriously. In summary:
- All data in transit is encrypted using industry-standard TLS.
- Our database is not reachable from the public internet — only our application can read or write to it.
- Payment card data never touches our servers. Razorpay handles all card details directly; we only receive an opaque transaction identifier.
- PDF reports are encrypted with a password sent in a separate email from the report itself.
- Administrative access is multi-factor protected, with strong password hashing, automatic account lockout on failed attempts, and short session lifetimes.
- Production secrets and credentials are stored separately from the application code and are accessible only to authorised systems.
No system is perfectly secure. If you believe you’ve found a security issue with our service, please email security@getcodeaudit.com — we respond to responsible disclosures within 48 hours.
8. Legal basis for processing (EEA / UK)
If you are in the European Economic Area or the United Kingdom, we process your personal data on these legal bases:
- Performance of a contract — to deliver the scan, report, and support you purchased.
- Legal obligation — to keep tax and accounting records where required.
- Legitimate interests — to prevent fraud and abuse, secure our systems, and operate the Service. We balance these against your rights.
- Consent — where you give it (e.g. confirming authorization to test a target). You can withdraw consent at any time.
9. International data transfers
We operate from India, and our service providers (payment, email, hosting) may process data in India or other countries. If you are in the EEA, UK, or another region with data-export rules, your data may be transferred outside your home jurisdiction. Where required, such transfers are made under appropriate safeguards (such as the recipient's own compliance commitments or standard contractual clauses). By using the Service you understand your data will be processed in India.
10. Your rights
Depending on where you live, you have some or all of the following rights over your personal data. We honour these rights for all customers regardless of location, except where the law requires us to retain certain records.
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — ask us to delete your data. We will, except for the minimal tax/invoice record the law requires us to keep.
- Restriction / objection — ask us to limit or stop certain processing, including processing based on legitimate interests.
- Portability — receive your data in a portable, machine-readable format.
- Withdraw consent — where processing is based on consent, withdraw it at any time (without affecting prior processing).
- Non-discrimination — we will not deny service or charge you differently for exercising your privacy rights.
EEA / UK customers may lodge a complaint with their local supervisory authority (for the UK, the Information Commissioner's Office; in the EEA, your national Data Protection Authority).
California customers (CCPA/CPRA): you have the right to know what personal information we collect and how it's used, to request deletion, and to opt out of any "sale" or "sharing" of personal information. We do not sell or share your personal information as those terms are defined under California law, and we do not use it for cross-context behavioural advertising.
India customers may exercise the equivalent rights available under applicable Indian data-protection law, and may raise concerns with the relevant Indian authority.
To exercise any right, email support@getcodeaudit.com from the address you used at checkout (so we can verify the request). We respond within 30 days. There is no charge, and you may use an authorized agent.
11. Children
This service is not directed at, intended for, or designed to attract individuals under 18. We do not knowingly collect information from anyone under 18. If you believe we have, contact us and we'll delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be reflected in the "Last updated" date at the top of this page. For substantial changes, we'll also email anyone who has placed an order in the last 90 days.
13. Contact
Email: support@getcodeaudit.com
Postal: Cruzetec Solutions, S.A.S Nagar (Mohali), Punjab, India