Privacy Policy

Introduction

CyberScore, published by Patrick Astoul (Individual Entrepreneur), is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and the French Data Protection Act.

Data Controller

Personal Data Collected

1. Registration Data

• First and last name
• Email address
• Organization name (optional)

2. Billing Data

• Billing address
• Payment information (processed by Stripe, not stored by CyberScore)

3. Service Usage Data

• Scanned domains
• Security scan results
• Scan history
• Generated PDF reports

4. Technical Data

• IP address
• Browser type
• Pages visited
• Connection timestamps

Processing Purposes

Your data is collected to:

• Provide CyberScore security scanning services
• Manage your account and subscription
• Track usage according to your plan
• Improve service quality
• Comply with legal obligations
• Communicate about service updates

Legal Basis for Processing

• Contract performance: to provide scanning services
• Legitimate interest: for service improvement and security
• Legal obligation: for billing and accounting
• Consent: for optional features

Retention Period

Your Rights

Under GDPR, you have the following rights:

• Right of access: view your personal data
• Right to rectification: correct inaccurate data
• Right to erasure: delete your data
• Right to object: oppose data processing
• Right to portability: retrieve your data in a structured format
• Right to restriction: limit data processing

To exercise your rights, contact us at: patrick@cybersco.re

Data Security

CyberScore implements the following security measures:

• HTTPS/TLS encryption: all communications are encrypted in transit
• Password encryption: passwords are encrypted with bcrypt hashing (one-way, salted)
• Secure authentication: JWT tokens with expiration
• Restricted access: only authorized administrators access data
• Access monitoring: audit logs for sensitive operations
• Secure backups: daily encrypted backups
• Data isolation: Docker containerization

Note: Scan results (DNS records, SSL certificates, HTTP headers) are stored unencrypted as they represent publicly available information. Only passwords and authentication tokens are encrypted.

Sub-processors and data sharing

Your data may be processed by the following sub-processors:

• Stripe (Ireland / USA): payment processing (PCI-DSS compliant). Legal basis: contract performance.
• Hostinger International Ltd (Cyprus): dedicated VPS hosting in France. Legal basis: contract performance.
• OpenAI, L.L.C. (USA): AI generation of the post-scan brief. We send a structured summary of scan findings (no personal data of CyberScore users) for natural-language report generation. Legal basis: legitimate interest (Article 6.1.f) — providing actionable security insights.
• Competent authorities: in case of legal obligation.

Your data is never sold to third parties.

International Data Transfers

Some data may be transferred outside the European Union (notably to the United States for Stripe and OpenAI). These transfers are governed by Standard Contractual Clauses (SCC) approved by the European Commission. We do not transfer scan results to OpenAI as a dataset; we send a per-scan summary used only to generate the brief for that specific scan.

Anonymous sample preview

When you trigger a sample preview from the homepage without a user account, we log your IP address for the sole purpose of rate-limiting (one preview per IP, after which an account is required). Legal basis: legitimate interest (Article 6.1.f) — preventing abuse of a free service. Retention: 30 days, then automatically purged. You can request deletion of your IP record sooner by emailing patrick@cybersco.re with the timestamp of your preview.

People whose data appears in a scanned domain

CyberScore queries publicly available sources (Certificate Transparency logs, public GitHub repositories, the Wayback Machine, public threat-intelligence feeds). These sources may contain personal data (e.g. employee names, email addresses) belonging to people who are not CyberScore users.

Legal basis for processing: legitimate interest (Article 6.1.f), namely identifying and reporting publicly exposed digital assets of an organisation that has commissioned the scan. We do not aggregate or resell personal data extracted from scans. Retention is bound to the customer's subscription, after which the scan is purged within 30 days.

If you believe your personal data appears in a CyberScore scan and you wish to exercise your right to object or to be erased, contact patrick@cybersco.re. We will review the request and remove identifiable data from the affected scan record within 30 days.

Cookies

CyberScore uses cookies to:

• Maintain your login session
• Remember your preferences

You can disable cookies in your browser settings, but this may affect service functionality.

Minors

CyberScore is not intended for persons under 18 years old. If you are under 18, please do not use this service.

Filing a Complaint (EU Residents)

If you believe your rights are not being respected, you can file a complaint with the CNIL (French Data Protection Authority):

California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Last updated: December 2025

Contact

For any questions regarding this privacy policy, contact us: