Privacy Policy
Last updated: April 15, 2026
This Privacy Policy explains how ebats solutions UG (haftungsbeschränkt) and Stakkd GmbH (together "we," "us") process personal data when you use secureless.ai and Stakkd (together, the "Products" or the "Service"). The two companies share operational responsibility for the Products and therefore act as joint controllers within the meaning of Art. 26 GDPR.
1. Joint controllers
The joint data controllers within the meaning of Art. 4(7) and Art. 26 of the General Data Protection Regulation (GDPR) are:
ebats solutions UG (haftungsbeschränkt)
Viechtacher Str. 16
10318 Berlin, Germany
Amtsgericht Charlottenburg (Berlin) HRB 243939 B
E-Mail: privacy@secureless.ai
Stakkd GmbH
Charlottenbrunner Str. 2
14193 Berlin, Germany
Amtsgericht Charlottenburg (Berlin) HRB 263423 B
E-Mail: privacy@secureless.ai
Joint-controllership arrangement. The two companies operate the Products jointly. Each company independently processes personal data for the purposes described below, and both companies share responsibility for ensuring compliance with the GDPR. A joint-controller agreement pursuant to Art. 26(1) GDPR is in place between the parties. You can exercise your rights under the GDPR against either company; we will handle your request jointly regardless of which company you contact. The primary point of contact for data-subject requests is privacy@secureless.ai.
1a. Single point of contact
For all data-protection matters (access, rectification, erasure, objection, withdrawal of consent, complaints), write to privacy@secureless.ai. Your request is processed by both joint controllers.
2. What data we collect
2.1 Account data
When you create an account, we collect:
- Email address
- Name (if provided)
- Company name (if provided)
- Authentication data (managed by our authentication provider)
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
2.2 Billing data
When you subscribe to a paid plan, our payment provider collects:
- Payment method details (credit card, SEPA)
- Billing address
- VAT identification number (if provided)
We do not store payment card details. These are processed and stored exclusively by our payment provider (see Section 5).
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
2.3 Usage data
When you use the Service, we collect:
- IP address
- Browser type and version
- Pages visited within the Service
- Actions taken (scans initiated, reports viewed, settings changed)
- Timestamps
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating and improving the Service).
2.4 Scan data
When you initiate a scan, we collect technical data about the target domain. This data is collected from publicly accessible sources and includes DNS records, HTTP headers, SSL/TLS configuration, JavaScript resources, network request logs, cookie data, and screenshots of publicly accessible pages.
Scan data relates to the technical infrastructure of the target domain, not to individuals. To the extent that any personal data is incidentally captured (for example, an email address appearing in a DNS record or HTTP header), we process it under Art. 6(1)(f) GDPR (legitimate interest in providing the contracted security assessment service). We apply data minimization: scan data is processed for assessment purposes only and is not used to identify, profile, or contact individuals.
2.5 Communication data
If you contact us via email, we collect the content of your message, your email address, and any information you voluntarily provide.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures or contract performance) or Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries).
2.6 Marketing consent data
If you opt in to marketing communications (for example via our waitlist form, or the optional consent checkbox shown when you request a snapshot PDF), we record:
- Your email address
- The fact that you gave consent and the date/time you did
- The exact text of the consent statement you agreed to (consent version), so we can prove later what you agreed to
- Where appropriate, the domain you came from, a buyer/vendor audience tag, and the UTM source of the page you signed up on
Legal basis: Art. 6(1)(a) GDPR (consent).
3. How we use your data
We use your data to:
- Provide the Products (run scans, generate reports, maintain your account)
- Process payments and manage subscriptions
- Send transactional emails (scan completion notifications, account-related notices, requested snapshot PDFs)
- With your explicit, freely given consent, send marketing communications about the Products operated by the joint controllers (secureless.ai, Stakkd). See Section 3a.
- Improve the Products (aggregate, anonymized usage analysis)
- Comply with legal obligations (tax and commercial record retention)
We do not sell your data. We do not share it with third parties for their own marketing purposes. We do not profile you for advertising.
3a. Marketing communications
Where you have given explicit consent (Art. 6(1)(a) GDPR), the joint controllers may send you marketing communications by email about the Products (secureless.ai, Stakkd). Example use cases:
- You join the Deep Scan waitlist and we later email you when it becomes available.
- You request a snapshot PDF and tick the optional marketing consent box; we may then send you occasional updates about related products from the joint controllers.
Consent is freely given, specific, informed, and unambiguous. We do not make service delivery conditional on marketing consent. You can withdraw consent at any time by clicking the unsubscribe link in any marketing email we send, or by writing to privacy@secureless.ai. Withdrawal does not affect the lawfulness of processing before withdrawal.
4. Cookies and tracking
4.1 Essential cookies
We use strictly necessary cookies for authentication and session management. These are required for the Service to function and cannot be disabled.
4.2 No tracking before consent
We do not load any analytics, advertising, or tracking scripts before or without your explicit consent. We practice what we preach.
4.3 Analytics (if enabled)
If we implement analytics in the future, we will use a privacy-friendly analytics tool hosted in the EU that does not use cookies or process personal data. We will update this section accordingly.
5. Data processors
We use the following third-party service providers to operate the Service:
| Provider | Purpose | Location | Data processed |
|---|---|---|---|
| Clerk | Authentication | United States | Email, name, auth tokens |
| Stripe | Payment processing | United States (EU processing available) | Billing data, payment details |
| Railway | Application hosting, database | European Union (europe-west4) | Account data, scan results |
| Hetzner | Scanner processing | Frankfurt, Germany | Scan data (target domain technical data) |
| Resend | Transactional email | Ireland, EU | Email address, email content |
| Cloudflare | CDN, DDoS protection, bot management | United States (global edge network) | IP addresses, request metadata, bot detection cookies |
| Fastly | CDN, edge caching | United States (global edge network) | IP addresses, cached page content |
Transfers outside the EU/EEA
Clerk, Stripe, Cloudflare, and Fastly are based in the United States. Data transfers to the US are conducted under the EU-U.S. Data Privacy Framework, which provides an adequacy decision by the European Commission (Implementing Decision (EU) 2023/1795). All four providers are certified under the Data Privacy Framework. Where applicable, Standard Contractual Clauses (SCCs) are in place as a supplementary safeguard.
Scan data (the technical analysis of target domains) is processed exclusively within the European Union (Hetzner Frankfurt and Railway EU).
6. Data retention
| Data type | Retention period | Reason |
|---|---|---|
| Account data | Duration of account + 30 days | Contract performance |
| Billing records | 10 years after transaction | German commercial and tax law (§ 147 AO, § 257 HGB) |
| Scan results | Duration of account + 30 days | Contract performance |
| Scan results after account deletion | Deleted within 30 days of request | Data minimization |
| Usage data | 90 days | Legitimate interest (service improvement, security) |
| Communication data | Duration of business relationship + 3 years | Legitimate interest (dispute resolution, statute of limitations) |
| Marketing consent records | Until withdrawal + 3 years | Legitimate interest (proof of consent in case of complaint or audit) |
| Marketing mailing list membership | Until withdrawal | Consent (Art. 6(1)(a) GDPR) |
After the retention period, data is deleted or irreversibly anonymized.
7. Your rights
Right of access (Art. 15 GDPR): You may request confirmation of whether we process your personal data and, if so, request a copy of that data.
Right to rectification (Art. 16 GDPR): You may request correction of inaccurate personal data or completion of incomplete data.
Right to erasure (Art. 17 GDPR): You may request deletion of your personal data where there is no longer a legal basis for processing, subject to legal retention obligations.
Right to restriction (Art. 18 GDPR): You may request restriction of processing in certain circumstances, for example while we verify the accuracy of contested data.
Right to data portability (Art. 20 GDPR): You may request your data in a structured, commonly used, machine-readable format (JSON) and have it transmitted to another controller.
Right to object (Art. 21 GDPR): You may object to processing based on legitimate interest (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, contact us at: privacy@secureless.ai
We will respond within 30 days. If we need more time (up to an additional 60 days for complex requests), we will inform you within the initial 30-day period.
8. Supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority. Both joint controllers are established in Berlin; the competent authority for them is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
Germany
https://www.datenschutz-berlin.de
9. Security
We implement technical and organizational measures to protect your data, including encryption in transit (TLS), encryption at rest for databases, access controls, and regular security assessments of our own infrastructure.
We process scan data in isolated environments. Scan results from one customer are not accessible to other customers.
10. Data concerning third-party domains
When you scan a domain you do not own (company-side vendor monitoring), we process technical data about that domain. This data is publicly accessible and equivalent to what any web browser observes when visiting the domain.
We do not consider publicly accessible technical infrastructure data (DNS records, HTTP headers, SSL certificates, JavaScript files) to be personal data within the meaning of the GDPR, as it relates to organizational technical configuration, not to identified or identifiable natural persons.
If any personal data is incidentally captured during a scan (for example, an employee name in a WHOIS record or an email address in an HTTP header), we process it under Art. 6(1)(f) GDPR (legitimate interest in providing a security assessment service) and apply data minimization. Such data is not extracted, indexed, or used for any purpose other than the security assessment.
Domain owners who wish to inquire about data we hold relating to their domain may contact us at privacy@secureless.ai.
11. Children
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will delete it promptly.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the most recent changes were made.
13. Contact
For privacy-related inquiries and data-subject requests, write to the single point of contact for both joint controllers:
E-Mail: privacy@secureless.ai
Postal address (primary):
ebats solutions UG (haftungsbeschränkt)
Viechtacher Str. 16
10318 Berlin, Germany
Postal address (Stakkd GmbH):
Stakkd GmbH
Charlottenbrunner Str. 2
14193 Berlin, Germany