Privacy Policy

Last updated: March 25, 2026

1. Who We Are

SecureClear is operated by NSSG Consulting ("we", "us", "our"). This policy describes how we collect, use, store, and share information when you use the SecureClear service at getsecureclear.com and the broker portal at portal.getsecureclear.com.

2. Data We Collect

We collect the following categories of data:

Account data

Name, email address, and company name provided during registration. This data is required to create and operate your portal account.

Scan data

Domain names submitted for scanning, and the resulting security assessment data (scores, tier classification, detected issues, remediation guidance). Scan data is scoped to your organisation and is not shared with other accounts.

Outreach data

For broker portal users: prospect company names, domains, and contact email addresses added to outreach campaigns. Email engagement events (opens and clicks) recorded via tracking pixels embedded in outreach emails.

Usage data

Scan counts, batch job records, monitoring enrollments, API key usage, and billing events. Used to enforce plan limits and generate invoices.

Technical data

IP addresses (used for rate limiting only, not stored long-term beyond the rate limit window), and standard web server logs retained for 30 days.

3. How We Use Your Data

  • To perform security scans and deliver results to you.
  • To assess the insurability profile of submitted domains.
  • To deliver transactional emails (magic link sign-in, invitation emails, scan notifications).
  • To enforce usage quotas and billing entitlements.
  • To provide monitoring and alerting for enrolled domains.
  • To facilitate outreach email campaigns initiated by broker portal users.
  • To improve the reliability and accuracy of the Service.

We do not use your data for advertising, and we do not sell or rent your data to third parties.

4. Third-Party Services

We use the following third-party services to operate SecureClear:

Service | Purpose | Data shared
Supabase | Database and authentication | All application data, email addresses for auth
Resend | Transactional email delivery | Recipient email address, email content
Hunter.io | Email address discovery for outreach | Domain names submitted for lookup
Stripe | Payment processing and billing | Name, email, payment card data (Stripe handles PCI scope)
Qualys SSL Labs | SSL/TLS certificate analysis | Domain names submitted for scanning
Render | API server hosting | All API request data, server logs
Vercel | Web frontend hosting | IP addresses, standard web logs

5. Cookies and Tracking

Public site (getsecureclear.com): We do not set any tracking or advertising cookies. No analytics scripts are loaded on the public scanner page.

Portal (portal.getsecureclear.com): The Supabase JavaScript client sets a session cookie to maintain your authenticated session. This is a strictly necessary cookie and cannot be disabled without logging out.

Outreach email tracking: Emails sent through the outreach campaign feature may contain a 1x1 pixel image (tracking pixel) and instrumented links. These record whether an email was opened and whether a link was clicked. Recipients who wish to opt out of tracking should disable image loading in their email client.

6. Data Retention

  • Active accounts: Data is retained for the lifetime of the account.
  • Churned accounts: After a subscription is cancelled or expires, data is retained for 90 days to facilitate recovery. After 90 days, all tenant data is permanently deleted.
  • Immediate deletion: Admins may request immediate deletion from the Settings page at any time. This is irreversible.
  • Rate limit logs: IP addresses used for rate limiting are purged within 2 hours.
  • Server logs: Web server access logs are retained for 30 days.

7. Your GDPR Rights

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of Access (Article 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Article 16): Correct inaccurate personal data. You may update your name and company name from the portal settings.
  • Right to Erasure (Article 17): Request deletion of your data. Admin users may delete their account and all associated data directly from the Settings page.
  • Right to Data Portability (Article 20): Export all your organisation data as a machine-readable JSON file from the Settings page.
  • Right to Restriction (Article 18): Request that we restrict processing of your data in certain circumstances.
  • Right to Object (Article 21): Object to processing based on legitimate interests.

To exercise any of these rights, contact [email protected]. We will respond within 30 days.

8. Data Security

We implement industry-standard security controls including TLS encryption in transit, row-level security in the database, and hashed API keys (SHA-256). Access to production data is restricted to authorised personnel. We undergo periodic security reviews.

No system is perfectly secure. In the event of a data breach that affects your personal data, we will notify you as required by applicable law.

9. Children's Privacy

SecureClear is a B2B service intended for business users. We do not knowingly collect personal data from individuals under 18 years of age.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to the admin on file and by posting the revised policy on this page with an updated effective date.

11. Contact Us

For privacy-related enquiries or to exercise your GDPR rights, contact us at [email protected]. For general support, use [email protected].