Privacy Policy
This policy explains what personal data Thiron collects, why, how we use it, and the rights you have over it.
1. Who we are
Thiron ("we", "us") is operated by Northstar Intelligent Systems Ltd., 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. For any privacy question, contact privacy@thiron.org. For users in the EU/UK, our data protection contact is reachable at hello@thiron.org.
2. What we collect
- Scan inputs: the domain/URL you submit and the publicly observable results of scanning it.
- Account & billing: email address and, for paid plans, billing details handled by our payment processor (we do not store full card numbers).
- Usage data: log data, IP address, device/browser information, and product analytics.
- Communications: messages you send us and email engagement.
3. How we use it
- To run scans and deliver reports you request.
- To create and manage your account and process payments.
- To send service messages, alerts, and (with your consent where required) product updates.
- To secure, maintain, and improve the service, and to comply with legal obligations.
Legal bases (GDPR, where applicable): performance of a contract, your consent, our legitimate interests in operating and securing the service, and compliance with law.
4. Discovered secrets
If a scan surfaces a credential exposed on your own infrastructure, its value is redacted in the report and is not stored in plaintext. See our Security page for detail.
5. Sharing
We share data only with service providers ("processors") who help us run Thiron, for example hosting, payment processing (Stripe), email delivery, and analytics, under contract, and where required by law. We do not sell personal data. Our sub-processors are listed in our Data Processing Agreement.
6. International transfers
Thiron is hosted in the United States. Where we transfer personal data across borders, we rely on appropriate safeguards such as Standard Contractual Clauses.
7. Retention
Free scan results expire after 7 days. Paid reports remain accessible for 30 days. Account and billing records are kept as long as needed for the service and legal/accounting obligations, then deleted or anonymised.
8. Your rights
Subject to your jurisdiction, you may have the right to access, correct, delete, restrict, or port your data, and to object to certain processing. To exercise these, email privacy@thiron.org. You may also complain to your local data protection authority.
9. Security & changes
We protect personal data with the measures described on our Security page. We may update this policy; we will post the new version here and update the date above.