Privacy Policy

Last updated: May 13, 2026

1. Who we are

AcuityScan (the “Service”) is operated by AcuityScan, a DBA of Your PGH Tech (the “Company,” “we,” “us,” or “our”), located in Pittsburgh, Pennsylvania, United States. This Privacy Policy explains what information we collect, how we use it, and what choices you have. By using the Service, you agree to this policy.

2. What we collect

We collect only what we need to provide the Service:

  • Domains you scan. The domain you enter is processed to run checks against it. Scan results are stored privately. Anonymous scans live behind an unguessable URL for up to 10 days and are then deleted. Pro and Agency accounts retain scan history privately in their dashboard until the user deletes it.
  • Account information. If you create an account: your email address and authentication credentials. Passwords are hashed by our identity provider; we never see them in plaintext.
  • Payment information. If you subscribe to a paid plan, billing is handled by Stripe. We never receive or store full card numbers. We do receive your name, email, billing country, and subscription status from Stripe.
  • Branding assets (Agency tier). If you upload a logo or set brand colors, those are stored on our infrastructure and used only to render your white-label PDF reports.
  • Server logs and usage data. We log standard server data including IP address, user agent, request path, response status, and timestamps. We may use first-party analytics to understand aggregate site usage.
  • Contact form submissions. If you contact us, we receive whatever you put in the form (typically name, email, and message).
  • Cookies and similar technologies. See Section 8 below.

3. What we do not collect

  • We do not access, store, or process the content of the websites you scan beyond what is publicly accessible via standard HTTP requests, and we do not log into target sites.
  • We do not sell, rent, or trade your personal information to third parties.
  • We do not use your personal information for advertising, retargeting, or behavioral profiling.
  • We do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions that require it).

4. How we use your data

  • To run scans and generate the reports you request.
  • To create and maintain your account, process payments, and manage your subscription.
  • To send transactional emails (sign-in links, account confirmations, password resets, billing receipts, scan alerts if you opt in).
  • To respond to your support requests.
  • To improve the Service, monitor reliability, and detect abuse.
  • To comply with legal obligations and enforce our Terms of Service.

We process your data on the legal bases of contract performance (to deliver the Service you signed up for), legitimate interests (to keep the Service running, secure, and improving), consent (where required for non-essential cookies or marketing), and legal obligation.

5. Third-party services and sub-processors

We rely on the following third-party providers to operate the Service. Each one has its own privacy practices that govern the data we share with it.

  • Supabase — managed Postgres and authentication. Account data, scan history, and uploaded branding assets are stored here.
  • Vercel — application hosting, edge network, and serverless function execution. Server logs and request metadata pass through Vercel.
  • Cloudflare — DNS, CDN, and DDoS protection.
  • Stripe — payment processing, billing, customer portal, and tax handling for paid subscriptions.
  • Brevo (Sendinblue) — transactional and notification email delivery.
  • Sentry — server-side application error reporting. We send error stack traces and request metadata to help us debug. Sentry is intentionally NOT loaded in your browser, so it cannot observe your activity on the site.

We choose providers with strong security and data-protection practices, and we limit what each one receives to what is needed for its role.

6. Data retention

  • Anonymous scan reports — available via an unguessable link for up to 10 days, then deleted.
  • Pro / Agency scan history — retained privately in your dashboard until you delete a report or close your account. Default visibility is private.
  • Account data — retained while your account is active. You can request deletion at any time and we will delete it within 30 days unless we are legally required to retain it longer.
  • Payment records — retained as required by accounting, tax, and Stripe's own data-retention policies, typically up to 7 years.
  • Server logs — retained for up to 90 days for security and reliability purposes.

7. Security

We use industry-standard security measures including encrypted connections (HTTPS), encrypted database storage, hashed credentials, role-based access controls, and security-focused infrastructure providers. No system is ever 100 percent secure, however, and we cannot guarantee that unauthorized access, disclosure, or loss will not occur. You acknowledge that you provide your information at your own risk and that we are not liable for any unauthorized access, security incident, or data breach to the fullest extent permitted by law.

8. Cookies and similar technologies

We use cookies and similar storage technologies for the following purposes:

  • Strictly necessary — authentication sessions, security tokens, and remembering that you have dismissed our cookie banner. These cannot be disabled if you want the Service to work.
  • Functional — preferences like theme or your last-used scan domain.
  • Analytics — if and when we enable them, used only in aggregate to understand site usage.

We do not use advertising or cross-site tracking cookies. You can manage cookies through your browser settings, and we will respect a Global Privacy Control (GPC) signal as an opt-out where applicable.

9. Your rights

Subject to applicable law, you may have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate or incomplete information.
  • Request deletion of your account and associated data.
  • Export your scan history and account data in a portable format.
  • Object to or restrict certain processing.
  • Withdraw consent for processing that relies on consent.
  • Opt out of non-essential email communications.
  • Lodge a complaint with a data-protection authority where you live.

To exercise any of these rights, contact support@acuityscan.com. We may need to verify your identity before fulfilling a request.

10. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act and the California Privacy Rights Act give you the rights described in Section 9 above, plus the right to know what categories of personal information we collect and disclose, and the right to opt out of any “sale” or “sharing” of your personal information. We do not sell or share your personal information for cross-context behavioral advertising. We do not knowingly collect or sell the personal information of minors. To exercise your rights, contact support@acuityscan.com. You may also designate an authorized agent to make a request on your behalf.

11. European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)

If you are located in the EEA, the United Kingdom, or Switzerland, you have the rights described in Section 9. The Company acts as a data controller for the personal information described in this policy. Our legal bases for processing are described in Section 4. We may transfer your data to the United States and other countries where our sub-processors operate; where required, those transfers rely on Standard Contractual Clauses or other recognised transfer mechanisms. You can contact us with privacy questions at support@acuityscan.com.

12. International users and data transfer

The Service is operated from the United States. By using the Service, you understand and agree that your information will be transferred to and processed in the United States and any other country where our sub-processors operate, which may have data-protection laws different from those in your jurisdiction.

13. Children

The Service is not directed to children. We do not knowingly collect personal information from children under 13 (or the equivalent minimum age under applicable law). If you believe a child has provided us with personal information, contact us and we will delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be posted on this page with a revised “Last updated” date. Continued use of the Service after changes take effect constitutes acceptance.

15. Contact

Questions about privacy? Email support@acuityscan.com.