ASMHunter

Privacy Policy

Last updated: 2026-05-13

This policy explains what data ASMHunter collects, why we collect it, where it lives, and how you can get it out or delete it. We try to keep this short and honest. If anything is unclear, email ops@asmhunter.app.

1. Who we are

ASMHunter is a continuous attack surface monitoring service operated by an independent founder based in Turkey. There is no legal entity yet — you are dealing with one human and one platform. The service is offered through asmhunter.app.

2. What we collect

Account data

  • Email address (required to sign in via Supabase Auth).
  • Hashed password, or OAuth identifier if you sign in with Google/GitHub.
  • Display name and optional Telegram chat ID if you enable Telegram alerts.

Scan and asset data

  • Domains, subdomains, IPs, and wildcard scopes you submit as monitoring targets.
  • Scan results: discovered subdomains, open ports, HTTP fingerprints, vulnerability findings, crawl URLs.
  • Scan schedule, frequency, and tier configuration.

Payment metadata

  • Subscription tier, billing cycle, status, renewal date, and LemonSqueezy customer/order IDs.
  • We do not store credit card numbers, CVVs, or full billing addresses. Payment processing happens entirely inside LemonSqueezy — they are the merchant of record.

Operational telemetry

  • IP address and basic browser metadata (user-agent, locale) at sign-in and on API requests, used for rate-limiting and abuse prevention.
  • Server-side application logs (request paths, status codes, error traces).
  • Crash reports and exception traces via Sentry. We scrub obvious PII; sometimes URLs from your scans appear in stack traces.

We do not currently run any third-party analytics, advertising, or session-replay tools. No Google Analytics, no Mixpanel, no Hotjar.

3. Where it is stored

  • Postgres database — Supabase, Frankfurt (EU) region. Encrypted at rest, TLS in transit.
  • Scan artifacts and raw tool output — Backblaze B2, us-west region. Encrypted at rest, TLS in transit.
  • Worker fleet — Hetzner Cloud, EU regions (Falkenstein / Helsinki). Scans run on these machines; no scan output is retained on workers after upload.
  • Edge / CDN — Cloudflare. TLS termination and DDoS protection.

Note that scan artifacts cross the Atlantic to reach B2. If this is a problem for your jurisdiction, email us before signing up.

4. Subprocessors

We rely on the following third parties to operate the service. They each process the categories of data described above:

  • Supabase — auth, Postgres database, EU region.
  • Hetzner — compute and worker fleet, EU regions.
  • Backblaze B2 — object storage for scan artifacts, US region.
  • Cloudflare — DNS, CDN, TLS termination, WAF.
  • Resend — transactional email (sign-in, alerts, billing receipts).
  • LemonSqueezy — payments and subscription billing, merchant of record.
  • Sentry — error and crash reporting.
  • BetterStack — uptime monitoring and status page.
  • Telegram (BotFather) — outbound alert delivery for users who opt in.

5. How we use it

  • To run scans against the targets you explicitly configure.
  • To send you alerts about findings (Telegram, email).
  • To bill you (Pro / Elite / Legend tiers) and email receipts.
  • To debug and improve the service (logs, Sentry traces).
  • To prevent abuse (rate limiting, blocking obviously malicious scope).

We do not sell your data. We do not share it with advertisers. We do not train any AI model on your scan results.

6. Your rights

  • Export — request a full dump of your account, targets, and findings by emailing ops@asmhunter.app. We respond within 14 days.
  • Deletion — delete your account from Settings → Account → Delete account, or email us. Hard deletion runs 7 days after the request.
  • Correction — edit your profile fields directly in settings, or email us for anything you cannot reach in the UI.
  • Objection / restriction — if you are in the EU/UK and want to invoke GDPR rights beyond the above, email us and we will work it out.

7. Retention

While your subscription is active, we retain all account, scan, and finding data so you can monitor change-over-time — that is the whole point of the product.

After you delete your account, we keep data for a 7-day grace period in case you change your mind, then hard-delete from Supabase and B2. Operational logs and crash reports rotate out within 30 days. Billing records (LemonSqueezy) are retained for the period their tax law requires.

8. Cookies and local storage

We use essential cookies and browser storage only:

  • Supabase auth session token (so you stay signed in).
  • CSRF token.
  • UI preferences (theme, billing toggle state).

No tracking pixels. No third-party cookies. No analytics cookies.

9. Security

Passwords are hashed by Supabase (bcrypt). All data in transit is protected with TLS 1.2 or later. Data at rest is encrypted by Supabase, Backblaze, and Hetzner block storage. Worker machines pull job definitions over authenticated channels and do not store scan output after upload.

This is a one-person operation. There is no SOC 2 report yet. If you need formal compliance attestations before signing up, ASMHunter is probably not the right fit at this stage.

10. Region and jurisdiction

The operator is based in Turkey. Primary data hosting is in the European Union (Supabase Frankfurt, Hetzner EU). Object storage and a few subprocessors are based in the United States. By using ASMHunter you consent to data being processed in these regions.

11. Age

ASMHunter is intended for security professionals. You must be at least 18 years old to create an account. We do not knowingly collect data from anyone under 18; if you believe a minor has signed up, email us and we will delete the account.

12. Changes to this policy

If we change this policy materially, we will update the "Last updated" date at the top of this page and email all active account holders at least 14 days before the change takes effect. Minor edits (typos, link fixes) will not trigger a notification.

13. Contact

Questions, requests, complaints, or curiosity: ops@asmhunter.app. We read every email.
