/privacy

Plain English. No legal boilerplate.

The short version

ShieldScope does not collect, store, or share any personal information about you. No accounts. No tracking. No cookies. We built tools we'd want to use ourselves, and that means not treating you as a data source.

How scans work

ShieldScope tools work in two ways depending on the tool:

  • Client-side only (/password): All processing happens in your browser. Nothing you type is sent to ShieldScope's servers. The sole exception is the breach check, which sends only a 5-character hash prefix to a third-party API — see below.
  • Server-side (/headers, /mail, /url, /exposure, /sandbox): When you submit a domain, URL, or script content, our server processes your request and returns the result. For /sandbox, the script text you paste is transmitted to the server for static pattern analysis and discarded immediately after the response is returned. We do not log what you submitted, store results, or link requests to your IP address. The scan is stateless.

What we do not collect

  • No cookies of any kind
  • No personal identifiers or browser fingerprinting
  • No account registration or email collection
  • No behavioral tracking or user profiling
  • No advertising networks or data brokers

Page view analytics

ShieldScope uses Cloudflare Web Analytics to measure aggregate page views and visitor counts. This service uses no cookies, stores no IP addresses, collects no personal data, and does not track individuals across sites. Data collected is aggregated and anonymous: page view counts, approximate visitor counts, country-level geography, referrer domains, and device type. You are not identified as an individual. No consent banner is required because no personal data is processed.

Server logs

Our web server (Nginx) writes standard access logs containing IP addresses and timestamps. This is a default behavior of every web server on the internet. These logs are stored on the server, are not shared with any third party, and are rotated automatically. We do not analyze or correlate them.

Third-party services

ShieldScope makes requests to the following third-party services as part of normal tool operation:

  • Cloudflare Turnstile — spam prevention on the contact form. Cookie-free, no personal data collected.
  • Cloudflare Web Analytics — aggregate page view measurement. Cookie-free, no personal data, no individual tracking.
  • Have I Been Pwned API (haveibeenpwned.com) — used by the /password tool's breach check. Only the first 5 characters of a SHA-1 hash are transmitted. Your password is never sent. HIBP's privacy policy applies to this request.
  • HackerTarget API (api.hackertarget.com) — used by the /exposure tool to discover subdomains. The domain you submit is sent to HackerTarget as a query parameter. HackerTarget's privacy policy applies to this request.

No advertising networks, data brokers, or other third-party processors are involved.

GDPR

If you are in the European Union: because we do not collect personal data beyond transient server logs, there is no data subject request process needed. There is nothing to request, correct, or delete. Standard server logs are a legitimate interest under GDPR Article 6(1)(f) and are not used for profiling.

Changes

If this policy changes meaningfully, the updated version will be published here with a revised date.

Last updated: May 12, 2026 · Questions: Contact form