Back to home

Privacy Policy

Last updated: April 7, 2026

FirewallScan helps security and network teams review firewall configuration exports with AI-assisted analysis. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our websites, applications, and related services (collectively, the “Service”).

Overview

This policy applies to visitors and registered users of FirewallScan. If you use the Service on behalf of an organization, your organization’s internal policies and any separate agreement with us may also apply.

Information we collect

Account and profile: When you create an account or sign in (including with Google or email and password), we collect identifiers such as your email address, display name, profile image when supplied by an identity provider, and account status.

Content you submit: You may upload firewall configuration exports and related text files for analysis. We process the contents of those uploads and derived outputs such as parsed rules, risk findings, summaries, scores, and similar results produced by the Service. Before cloud AI analysis, we automatically redact common secret patterns from configuration backups (for example encrypted ENC tokens, password-related fields, and selected sensitive information) to reduce exposure of credentials in stored data and in transmissions to our AI provider.

Payment information: Purchases are processed by Stripe. We receive limited information from Stripe (for example subscription or purchase status, customer reference, and billing-related metadata). We do not store full payment card numbers on our own servers.

Technical data: We automatically collect certain technical information, such as IP address, device and browser type, timestamps, and diagnostic logs needed to operate, secure, debug, and improve the Service.

How we use your information

We use personal data to provide and maintain the Service, authenticate users, generate analyses and reports from content you upload, process payments and entitlements, communicate with you about your account or material changes to the Service, detect and prevent abuse or security incidents, comply with legal obligations, and improve reliability and features.

AI-assisted processing

FirewallScan uses automated systems to interpret configuration text and produce findings. For our hosted cloud offering, analysis requests are sent to Scaleway Generative APIs, a European provider. Inference runs on Scaleway infrastructure in France (Paris). The Scaleway Generative API models are hosted in European data centers, traffic is encrypted in transit, and by default it does not collect, read, reuse, or analyze the content of your inputs or outputs generated by the APIs. Your content is not used to train or improve underlying models and is not shared with other customers or model vendors. For additional technical details, see Scaleway’s Generative APIs privacy documentation at https://www.scaleway.com/en/docs/generative-apis/reference-content/data-privacy/.

If you operate FirewallScan yourself, AI processing uses the provider and credentials you configure (such as OpenAI or Anthropic). That processing occurs outside FirewallScan’s hosted European stack and is governed by your agreements with those providers.

We implement appropriate safeguards and data-processing terms with AI and infrastructure subprocessors where required by law.

Sharing and subprocessors

We use the following categories of subprocessors to operate the hosted Service (roles may overlap with the descriptions in “European hosting” below):

• Scaleway — hosts the FirewallScan API. • MongoDB Atlas — primary database for accounts, analyses, and related application data. • Scaleway — Generative APIs for AI-assisted analysis in the hosted Service. • Upstash — managed Redis used for operational features such as quotas and caching on the hosted Service. • Bunny — DNS and related network services for the hosted Service. • NetBird — secure network access used by our team to administer hosted applications on our VPS infrastructure. • Stripe, Inc. — our payment processor for subscriptions, checkout, and billing (card data is handled by Stripe; we do not store full card numbers). • Google — authentication when you choose “Sign in with Google.” • Resend — transactional email such as account and security messages.

We do not sell your personal data. We may disclose information if required by law, or to protect the rights, safety, and integrity of users, FirewallScan, or the public. Where subprocessors process data outside the European Economic Area, we rely on appropriate safeguards (such as standard contractual clauses) as applicable.

Retention

We retain account and transactional records for as long as your account is active and for a reasonable period afterward for legal, tax, accounting, or dispute resolution purposes. Uploaded configurations and analysis results are retained according to operational needs and your use of the Service until you delete them or request deletion, subject to minimum retention required by law.

Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, loss, or alteration. No method of transmission or storage is completely secure; you use the Service at your own risk to the extent permitted by applicable law.

Your privacy rights

Depending on where you live, you may have rights to access, correct, delete, or export personal data; restrict or object to certain processing; or withdraw consent where processing is consent-based. To exercise these rights, contact us using the details in the last section. You may also lodge a complaint with a supervisory authority in your country.

Cookies and similar technologies

We use cookies and similar technologies as needed for authentication sessions, security, and essential preferences. Core functionality such as staying signed in may rely on such technologies.

International transfers

For the hosted FirewallScan service, we configure core application data storage and AI inference in the European Union (see “European hosting” below). Some subprocessors—such as Stripe, Google, or email providers—may process limited personal data in the United States or other countries to provide their global services. Where such transfers occur, we rely on appropriate safeguards such as standard contractual clauses or equivalent mechanisms approved by regulators, in addition to each provider’s contractual commitments.

Children

The Service is not directed to children under the age of 16 (or the minimum age required in your jurisdiction). We do not knowingly collect personal data from children.

Changes and contact

We may update this Privacy Policy from time to time. We will post the revised version with an updated date. If changes are material, we will provide additional notice as appropriate.

For privacy-related questions or requests—including exercising your privacy rights—email us at privacy@firewallscan.nl. You may also use other support or contact channels published on the website for your region.

European hosting (hosted service)

When you use FirewallScan as a hosted cloud service (not a self-hosted deployment you operate), we design our infrastructure so that your firewall analyses and account data are stored and processed primarily in Europe:

• Application API: Our API runs in a European region (for example Amsterdam or Frankfurt). • Database: Application data—including uploaded configuration text, analysis results, and account records—is stored in MongoDB Atlas with our cluster deployed in a European Union region. • AI inference: Scaleway Generative APIs in Paris, France (see “AI-assisted processing” above). • Caching and quotas: We use Upstash Redis in a European region for short-lived operational data (for example daily analysis quotas and cached API responses). • DNS: We use Bunny for DNS services associated with the hosted Service. • Administration: Our team uses NetBird for secure access when operating applications on our VPS infrastructure. • Payments: Stripe, Inc. is our payment processor for subscriptions, checkout, and billing management.

Payment, sign-in, and email subprocessors may process limited personal data globally; see “Sharing and subprocessors” and “International transfers.”

Self-hosted deployments: If you install and run FirewallScan on your own infrastructure, data location and AI routing depend on your environment and the AI providers you configure—not on the European stack described above.