Privacy Policy

How Hack My Website handles your data

This policy explains what information is collected when you use Hack My Website, why it is used, and how it is protected.

Information we collect

We collect account identity information from Firebase authentication, domain origins you register, scan results produced by the scanning engine, and report data generated for the product experience. We also collect operational logs needed to keep the service secure and functioning.

GitHub Integration & Source Code Handling

When you choose to connect a GitHub repository, we collect metadata about the connected repository (such as repository name and branches) and access token credentials. We do not store your repository code permanently.

How we use that information

We use the information only to authenticate users, verify domain ownership, run website scans, generate reports, and improve service reliability. We do not need your website source code to run the standard domain scan flow.

Domain ownership and scan safety

Hack My Website is designed to scan only domains controlled by the customer. The platform requires ownership verification before a scan is allowed. Requests aimed at localhost, private IP ranges, or internal infrastructure are blocked by design.

Storage and retention

Account information, domain records, scan records, structured findings, audit logs, and billing records may be stored in application databases and linked storage services used by the product. Report artifacts may also be stored for later download.

Zero-Footprint Ephemeral Cloning Guarantee

For GitHub Repository Scans, our background workers clone the specified repository branch ephemerally into volatile memory solely for static analysis (Semgrep). Absolutely no source code, repository files, or access tokens are permanently written to disk or retained in our databases; all cloned assets are completely purged immediately upon scan completion.

Third-party services

The product currently integrates with Firebase for authentication and storage, Gemini for report summarization, and GitHub OAuth / GitHub API. The application securely interfaces with GitHub using a read-only permission model to fetch repository metadata and contents exclusively requested by the user.

Security posture

We aim to reduce unnecessary exposure by validating user input, restricting internal-network targets, and protecting access to account-scoped resources. The scanning engine automatically masks and scrubs raw detected secrets or hardcoded credentials (such as API keys or database strings) before storing them in the database or displaying them in the final report artifacts. Even so, no system should be described as perfectly secure, and customers should treat scan results as sensitive.

Export and deletion

Authenticated users can request an export of account-scoped data and can delete their account data. Deletion anonymizes the account and strips personal content from retained operational records that may be needed for security, billing, fraud prevention, or legal obligations.

Contact

Privacy requests should be sent through the production support channel listed in the app or on the billing receipt. We will verify account ownership before acting on account-specific requests.