Privacy Policy

Last updated: June 25, 2026

This policy explains what whack.sh collects, why, and your choices. As a defensive security tool we aim to collect only what we need to run the Service.

1. What we collect

• Account data — your email and name, and, if you sign in with Google, your Google account identifier (we never receive your Google password).
• Scan data — the URLs you submit and the artifacts we capture for them (HTTP metadata/HAR, screenshots, and a derived cloaking score). Payload binaries are handled in isolation and not stored against your account.
• Usage & billing — credits consumed, plan, and your activity ledger.
• Technical data — IP address, user agent, and request logs needed for security and abuse prevention.

2. How we use it

To provide and secure the Service, run scans, meter and bill usage, prevent abuse, respond to support, and improve the product. We do not sell your personal data.

3. Cookies

We use a strictly-necessary, httpOnly session cookie to keep you signed in, plus privacy-friendly analytics (Umami and Google Analytics 4) to understand aggregate usage. You can block analytics cookies in your browser.

4. Third parties

We rely on a small set of processors: Google (Sign-in with Google, and GA4 / Search Console analytics), Cloudflare (CDN, TLS, and DDoS protection), and MailerSend (transactional email such as verification and password reset). Each processes data only to provide its function.

5. Retention

Scan artifacts are retained while useful for your investigation and then periodically purged. Account data is retained until you delete your account. We may keep limited records as required by law or for security.

6. Your rights

You can access, export, or delete your account data — contact us via the contact page and we’ll action verified requests. Depending on your location you may have additional rights under GDPR or CCPA.

7. Security

Data is encrypted in transit (TLS). Credentials are stored hashed, never in plaintext. Access to internal systems is restricted and network-isolated.

8. Children

The Service is not directed to anyone under 16 and we do not knowingly collect their data.

9. Contact

Privacy questions or requests? Reach out.