Privacy Policy
Last updated: February 12, 2026
Who we are
Hardened is operated by R&D Solutions Numériques, a sole proprietorship registered in Québec, Canada.
Privacy Officer (Responsable de la protection des renseignements personnels):
R&D Solutions Numériques
Email: privacy@hardened.app
What Hardened does
Hardened is an automated security audit tool for web applications. When you submit a URL, we perform publicly accessible security checks (HTTP requests, DNS lookups, TLS handshakes) — the same kind of checks any web browser performs. We do not access private data, user accounts, or databases of the applications we scan.
What data we collect
Account data
When you create an account:
- Email address — to authenticate you and send you important notifications
- Name (optional) — to personalize your experience
Scan data
When you run a scan:
- URL submitted — to perform the security audit
- Scan results — the security checks and score generated by our analysis
Payment data
When you subscribe to a paid plan:
- Stripe Customer ID — to manage your subscription
- We do not store your credit card number, expiration date, or CVC. All payment processing is handled directly by Stripe.
Technical data
- IP address — for rate limiting and security. Retained for 30 days maximum.
- Session cookies — strictly necessary for authentication. No tracking cookies are used.
Why we collect this data (legal basis)
| Data | Legal basis | Purpose |
|---|---|---|
| | Consent (account creation) | Authentication, service communications |
| URL & scan results | Contract performance | Delivering the service you requested |
| Stripe Customer ID | Contract performance | Managing your subscription |
| IP address | Legitimate interest | Security, rate limiting, abuse prevention |
| Session cookies | Strictly necessary | Keeping you logged in |
How long we keep your data
| Data | Retention period |
|---|---|
| Account data | Duration of your account + 30 days after deletion |
| Scan results (authenticated) | Duration of your account |
| Scan results (anonymous) | 90 days |
| IP addresses | 30 days |
| Payment records | Duration of your account + 6 years (tax obligations) |
Who has access to your data
We use the following service providers (sub-processors):
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe | Payment processing | USA / EU | SOC 2 certified, SCCs |
| Resend | Transactional emails | USA | DPA available |
| DigitalOcean, LLC | Hosting | United States | SOC 2 certified, DPA available |
We do not sell, rent, or share your personal data with third parties for marketing purposes.
International data transfers
Your data may be processed in countries outside Canada or the European Union (notably the United States) through our service providers. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission and adequate safeguards as required by Canadian privacy law.
Your rights
If you are in the European Union (GDPR)
You have the right to:
- Access your personal data
- Rectify inaccurate data
- Delete your data ("right to be forgotten")
- Port your data to another service
- Object to processing based on legitimate interest
- Withdraw consent at any time
- Lodge a complaint with your local data protection authority
If you are in Québec or Canada (Loi 25 / LPRPDE)
You have the right to:
- Access your personal data
- Rectify inaccurate data
- Withdraw your consent
- Request deletion of your data
- Request de-indexing of your data
- Data portability in a commonly used technological format
- Lodge a complaint with the Commission d'accès à l'information du Québec
How to exercise your rights
Send your request to: privacy@hardened.app
We will respond within 30 days. We may ask you to verify your identity before processing your request.
Account deletion
You can delete your account at any time from your account settings. This will permanently delete all your personal data, scan history, and reports within 30 days. Payment records will be retained for 6 years as required by tax law.
Cookies
Hardened uses only strictly necessary cookies for authentication (session management). We do not use analytics cookies, advertising cookies, or tracking technologies.
Since we only use strictly necessary cookies, no consent banner is required under GDPR (Article 5.3 of the ePrivacy Directive) or Loi 25.
If we add non-essential cookies in the future, we will update this policy and implement a consent mechanism before deploying them.
For more details, see our Cookie Policy.
Security
We take reasonable measures to protect your data:
- All communications are encrypted via HTTPS/TLS
- Database access is restricted to the internal network only
- Authentication uses secure, encrypted sessions
- Payment data is handled exclusively by Stripe (PCI DSS compliant)
Children
Hardened is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@hardened.app.
Data breach notification
In the event of a security incident involving your personal data, we will:
- Notify the Commission d'accès à l'information du Québec (as required by Loi 25)
- Notify affected users without undue delay
- Notify relevant EU supervisory authorities within 72 hours if required by GDPR
Changes to this policy
We may update this policy from time to time. We will notify you of significant changes by email or by a notice on our website. Your continued use of Hardened after changes constitutes acceptance of the updated policy.
Contact
For any questions about this privacy policy or your personal data:
R&D Solutions Numériques
Email: privacy@hardened.app
Location: Montréal, Québec, Canada