Privacy Policy
How we collect, use, and protect your information.
This policy explains what data KWScanner ("we", "us") collects, how we use it, and the choices you have. We've kept it short and direct — if anything is unclear, email us at [email protected].
1. Who we are
KWScanner is operated as a software-as-a-service product. The service is available at kwscanner.com, the dashboard at app.kwscanner.com, and via our browser extension. References to "the Service" in this policy mean any of those surfaces.
2. What we collect
Account data
- Email address and authentication identifiers, provided through our sign-in partner.
- Account preferences: notification settings, auto top-up configuration, and any other preferences you set in your account.
- Browser extension tokens: when you generate a token to authenticate the extension, we store its hash (not the plaintext token) plus a short prefix for display purposes.
Payment data
We use Stripe to process payments. We never see or store your full card number — Stripe handles the card data directly. We retain the Stripe customer ID, payment method ID (for auto top-up), and transaction metadata required to issue receipts and refunds.
Account activity
- Credit ledger: every purchase, charge, refund, and adjustment is recorded as an immutable ledger entry tied to your account so we can show you accurate balances and history.
- Sign-in events: timestamps and approximate location of recent sign-ins, used for security alerts.
Technical data
- Standard server logs (IP address, user agent, request path, response status) retained for up to 30 days for security and abuse prevention.
- Error reports from your browser when something breaks. We do not attach these to your identity unless you choose to email us about a specific issue.
3. How we use it
- To deliver the service you signed up for: authenticating you, applying credit charges, sending receipts, processing refunds.
- To prevent abuse: rate limiting, fraud detection, account-takeover protection.
- To improve the product: aggregate analytics on which features are used and what error rates look like. This is always done on aggregated, anonymised data, never on individual users.
- To communicate with you: transactional emails (purchase receipts, low-balance alerts, refund notifications). You can opt out of non-essential email in your account settings.
We do not sell your data. We do not use your account activity to advertise to you on other platforms. We do not share your data with anyone except the processors listed below.
4. Sub-processors
We share account data with these processors to operate the service:
- Authentication provider — sign-in and session management.
- Stripe — payment processing.
- Email delivery provider — transactional email (receipts, account alerts).
- Cloud hosting providers — compute, database storage, and backups.
Each sub-processor has a data processing agreement in place that limits how they may use the data we share with them. We do not share your email address or account identity with any third party for marketing purposes.
5. Your rights
Wherever you live, you have the right to:
- Access the personal data we hold about you.
- Correct data that is wrong.
- Delete your account and the data attached to it. Deletion is irreversible — your account record and transaction history are removed within 30 days, except where we are legally required to retain certain records (such as tax invoices).
- Export your data in a portable format.
- Object to processing for analytics or marketing.
To exercise any of these, email [email protected]. We respond within 30 days.
If you're in the EU/EEA, GDPR applies. The lawful bases we rely on are: contract (delivering the service you signed up for), legitimate interest (preventing abuse, improving the product), and consent (where required, such as marketing email).
If you're in California, CCPA applies. We do not sell personal information as defined by the CCPA.
6. Security
- All traffic is encrypted in transit (TLS 1.2+).
- Sensitive secrets (API keys, refresh tokens) are stored in a managed secrets store, not in code or version control.
- Production database access is restricted to a small set of operator accounts and audited.
- Browser extension tokens are stored as SHA-256 hashes; the plaintext is shown to you exactly once.
No system is perfect. If we ever discover a breach affecting your data, we will notify affected users within 72 hours and explain what happened, what we're doing, and what you should do.
7. Cookies
We use a small number of essential cookies (authentication session, CSRF protection) without which the service cannot function. We do not use third-party advertising cookies. We may use privacy-friendly analytics (e.g. Plausible) that do not set persistent identifiers.
8. Children
KWScanner is not intended for use by anyone under 16. We do not knowingly collect data from children. If you believe a child has signed up, contact us and we'll delete the account.
9. International transfers
Our infrastructure is hosted in regions that may include the United States and Europe. When data crosses borders, we rely on the relevant standard contractual clauses approved by the EU Commission.
10. Changes to this policy
We update this policy when our practices change. The "last updated" date at the top reflects the most recent revision. For material changes, we'll email you and post a banner on the dashboard at least 14 days before the change takes effect.
11. Contact
Email us at [email protected] for anything related to this policy or your data.