Privacy Policy
Last updated: June 2, 2026
This Privacy Policy explains how Secureless UG (haftungsbeschränkt) and Stakkd GmbH (together "we," "us") process personal data when you use secureless.ai and Stakkd (together, the "Products" or the "Service"). The two companies share operational responsibility for the Products and therefore act as joint controllers within the meaning of Art. 26 GDPR.
1. Joint controllers
The joint data controllers within the meaning of Art. 4(7) and Art. 26 GDPR are:
Secureless UG (haftungsbeschränkt)
Kollwitzstraße 76
10435 Berlin, Germany
Amtsgericht Charlottenburg HRB 287751 B
E-Mail: support@secureless.ai
Stakkd GmbH
Charlottenbrunner Str. 2
14193 Berlin, Germany
Amtsgericht Charlottenburg (Berlin) HRB 263423 B
E-Mail: hello@stakkd.tech
Joint-controllership arrangement. The two companies operate the Products jointly. Both companies process personal data for the purposes described below and share responsibility for GDPR compliance. A joint-controller agreement under Art. 26(1) GDPR is in place. You can exercise your GDPR rights against either company; we will handle your request jointly regardless of which company you contact. The primary point of contact for data-subject requests is support@secureless.ai. Where Stakkd processes customers' scan data on Secureless's documented instructions rather than for the joint controllers' own purposes, it acts as a processor under Secureless's Data Processing Agreement; its role as joint controller is limited to account, billing, and marketing data as described in Section 2 below.
1a. Single point of contact
For all data-protection matters (access, rectification, erasure, objection, withdrawal of consent, complaints), write to support@secureless.ai. Your request is processed by both joint controllers.
2. What data we collect
2.1 Account data
When you create an account, we collect your email address, name (if provided), company name (if provided), and authentication data (managed by our authentication provider).
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
2.2 Billing data
When you subscribe to a paid plan, our payment provider collects payment method details, billing address, and VAT identification number (if provided). We do not store payment card details; these are processed and stored exclusively by our payment provider (see Section 5).
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
2.3 Usage data
When you use the Service, we collect IP address, browser type and version, pages visited, actions taken (scans initiated, reports viewed, settings changed), and timestamps.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating and improving the Service).
2.4 Scan data
When you initiate a scan, we collect technical data about the target domain from publicly accessible sources, including DNS records, HTTP headers, SSL/TLS configuration, JavaScript resources, network request logs, cookie data, and screenshots of publicly accessible pages.
Scan data relates to the technical infrastructure of the target domain, not to individuals. To the extent any personal data is incidentally captured (for example, an email address in a DNS record or HTTP header), we process it under Art. 6(1)(f) GDPR (legitimate interest in providing the contracted security assessment service). We apply data minimisation: scan data is processed for assessment purposes only and is not used to identify, profile, or contact individuals.
2.5 Communication data
If you contact us, we collect the content of your message, your email address, and any information you voluntarily provide.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures or contract performance) or Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries).
2.6 Marketing consent data
If you opt in to marketing communications (for example via our waitlist form, or the optional consent checkbox shown when you request a snapshot PDF), we record your email address, the fact and date/time of consent, the exact text of the consent statement (consent version), and where appropriate the domain you came from, a buyer/vendor audience tag, and the UTM source of the page you signed up on.
Legal basis: Art. 6(1)(a) GDPR (consent).
3. How we use your data
We use your data to:
- Provide the Products (run scans, generate reports, maintain your account)
- Process payments and manage subscriptions
- Send transactional emails (scan completion notifications, account notices, requested snapshot PDFs)
- With your explicit, freely given consent, send marketing communications about the Products operated by the joint controllers (secureless.ai, Stakkd). See Section 3a.
- Improve the Products and produce aggregated benchmarks, statistics, and industry reports that do not identify you or any assessed domain
- Comply with legal obligations (tax and commercial record retention)
We do not sell your data. We do not share it with third parties for their own marketing purposes. We do not profile you for advertising.
3a. Marketing communications
Where you have given explicit consent (Art. 6(1)(a) GDPR), the joint controllers may send you marketing communications by email about the Products. Example use cases: you join the Deep Scan waitlist and we later email you when it becomes available; or you request a snapshot PDF and tick the optional marketing consent box, and we then send occasional updates about related products from the joint controllers.
Consent is freely given, specific, informed, and unambiguous. We do not make service delivery conditional on marketing consent. You can withdraw consent at any time via the unsubscribe link in any marketing email, or by writing to support@secureless.ai. Withdrawal does not affect the lawfulness of processing before withdrawal.
4. Cookies and tracking
4.1 Strictly necessary cookies
We use strictly necessary cookies for authentication (Clerk) and bot protection (Cloudflare). These are required for the Service to function and cannot be disabled. No consent is required under § 25(2) TDDDG (formerly TTDSG) and Art. 5(3) of the ePrivacy Directive.
4.2 Product analytics (PostHog): consent required
Subject to your explicit consent, we use PostHog (PostHog Inc.) hosted on the EU Cloud (Frankfurt, Germany) for first-party product analytics. PostHog records pageviews, in-product interactions, device and browser metadata, and a randomly generated distinct identifier. If you sign in, we associate your Clerk user ID with the analytics data to correlate behaviour across sessions of the same user; from that point the distinct identifier is pseudonymous rather than anonymous.
We do not enable session replay. We do not use PostHog for advertising. We do not share PostHog data with third parties.
Until you give consent, PostHog is initialised with capturing disabled and memory-only storage, so no analytics cookies are set and no events are sent. On Accept, we set first-party analytics cookies and begin recording the data described above. On Decline, we keep PostHog disabled.
Legal basis: § 25(1) TDDDG (consent) for the storage of and access to analytics cookies on your device, and Art. 6(1)(a) GDPR (consent) for the processing of the analytics data.
Withdrawing consent. You can change your decision at any time using the "Cookie preferences" link in the footer of every page. Withdrawal is as easy as the original acceptance (one click) and does not affect the lawfulness of prior processing. Declining or revoking has no effect on your use of the Service.
Pages excluded from analytics. No analytics events are sent from /login or /signup, regardless of your consent state.
4.3 No tracking outside this scope
We do not load any advertising, marketing-attribution, or cross-site tracking scripts. We do not embed Google Analytics, Meta Pixel, LinkedIn Insight Tag, or comparable trackers anywhere on the Service.
5. Data processors
We use the following third-party service providers to operate the Service:
| Provider | Purpose | Location | Data processed |
|---|---|---|---|
| Clerk | Authentication | United States (EU-U.S. Data Privacy Framework) | Email, name, auth tokens |
| Stripe | Payment processing | United States (EU processing available) | Billing data, payment details |
| Railway | Application hosting, database | European Union (europe-west4) | Account data, scan results |
| Hetzner | Scanner processing | Frankfurt, Germany | Scan data (target domain technical data) |
| Resend | Transactional email | Ireland, EU | Email address, email content |
| Cloudflare | CDN, DDoS protection, bot management | United States (global edge network) | IP addresses, request metadata, bot detection cookies |
| Fastly | CDN, edge caching | United States (global edge network) | IP addresses, cached page content |
| PostHog | Product analytics (consent-gated, see Section 4.2) | European Union (Frankfurt) | Pageviews, in-product events, device/browser metadata, random distinct ID, Clerk user ID after sign-in |
| Stakkd GmbH | Operations, design, partnerships, customer support (joint controller for account/marketing data per Section 1; processor for scan data) | Berlin, Germany (EU) | Account data, scan results, support communications |
| Anthropic | AI analysis of scan data | United States (Standard Contractual Clauses; 30-day retention; no model training) | Scan data (target domain technical data) |
Transfers outside the EU/EEA
Clerk, Stripe, Cloudflare, and Fastly are based in the United States. Transfers to the US are conducted under the EU-U.S. Data Privacy Framework (Implementing Decision (EU) 2023/1795). Where applicable, Standard Contractual Clauses (SCCs) are in place as a supplementary safeguard. Anthropic processes scan data in the United States under Standard Contractual Clauses (controller-to-processor, Module 2); Anthropic does not train its models on this data and retains it for no longer than 30 days.
PostHog Inc. is incorporated in the United States, but the analytics data of European visitors is processed exclusively on its EU Cloud (Frankfurt). SCCs are in place via our data processing agreement with PostHog.
Scan data (the technical analysis of target domains) is stored and primarily processed within the European Union (Hetzner Frankfurt and Railway EU). The AI analysis step is performed by Anthropic in the United States under the safeguards described above.
6. Data retention
| Data type | Retention period | Reason |
|---|---|---|
| Account data | Duration of account + 30 days | Contract performance |
| Billing records | 10 years after transaction | German commercial and tax law (§ 147 AO, § 257 HGB) |
| Scan results | Duration of account + 30 days | Contract performance |
| Scan results after account deletion | Deleted within 30 days of request | Data minimisation |
| Usage data | 90 days | Legitimate interest (service improvement, security) |
| Communication data | Duration of business relationship + 3 years | Legitimate interest (dispute resolution, statute of limitations) |
| Marketing consent records | Until withdrawal + 3 years | Legitimate interest (proof of consent) |
| Marketing mailing list membership | Until withdrawal | Consent (Art. 6(1)(a) GDPR) |
| Product analytics events (PostHog) | 12 months from event, or until consent withdrawn (whichever is shorter) | Consent (Art. 6(1)(a) GDPR) |
After the retention period, data is deleted or irreversibly anonymised. Aggregated, de-identified data that no longer identifies any individual or assessed domain may be retained and used without time limit, including for benchmarks and industry reports.
7. Your rights
You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection to processing based on legitimate interest (Art. 21), and withdrawal of consent (Art. 7(3)), each subject to the conditions in the GDPR and any legal retention obligations. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, contact support@secureless.ai. We respond within one month of receiving your request (Art. 12(3) GDPR). If we need more time (up to two further months for complex or numerous requests), we will tell you, with the reasons, within the initial one-month period.
8. Supervisory authority
You have the right to lodge a complaint with a supervisory authority. The competent authority for us is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219, 10969 Berlin, Germany
https://www.datenschutz-berlin.de
9. Security
We implement technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest for databases, access controls, and regular security assessments of our own infrastructure. We process scan data in isolated environments; one customer's scan results are not accessible to other customers.
10. Data concerning third-party domains
When you scan a domain you do not own (company-side vendor monitoring), we process technical data about that domain. This data is publicly accessible and equivalent to what any web browser, or any public DNS lookup, observes when visiting or resolving the domain.
We do not consider publicly accessible technical infrastructure data (DNS records, HTTP headers, SSL certificates, JavaScript files) to be personal data within the meaning of the GDPR, as it relates to organisational technical configuration, not to identified or identifiable natural persons.
If any personal data is incidentally captured during a scan (for example, a contact email address in a DNS record or HTTP header, or a name visible in a screenshot of a publicly accessible page), we process it under Art. 6(1)(f) GDPR (legitimate interest in providing a security assessment service) and apply data minimisation. Such data is not extracted, indexed, or used for any purpose other than the security assessment.
Domain owners who wish to inquire about data we hold relating to their domain, or to object to active monitoring, may contact us at support@secureless.ai.
11. Children
The Service is not directed at individuals under 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will delete it promptly.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before they take effect. The "Last updated" date indicates when the most recent changes were made.
13. Contact
For privacy-related inquiries and data-subject requests, write to the single point of contact for both joint controllers: support@secureless.ai
Postal address (primary):
Secureless UG (haftungsbeschränkt), Kollwitzstraße 76, 10435 Berlin, Germany
Postal address (Stakkd GmbH):
Stakkd GmbH, Charlottenbrunner Str. 2, 14193 Berlin, Germany