PrivKitPrivKit
Full ScanIP Lookup

Privacy Policy

Last updated: February 11, 2026

At PrivKit ("we," "us," or "our"), privacy is at the core of everything we build. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your information when you use our website at privkit.app (the "Service").

1. Data We Collect

1.1 Privacy Scan Data

When you run a privacy scan, we temporarily process:

  • IP address — used for geolocation, ASN lookup, and risk assessment
  • HTTP headers — User-Agent, Accept-Language, and other request headers
  • TLS fingerprint (JA4) — derived from your browser's TLS handshake
  • TCP/IP fingerprint — derived from network packet characteristics
  • Browser fingerprint signals — canvas, WebGL, audio, fonts, screen, and other browser API outputs
  • Leak test results — DNS resolver IPs and WebRTC candidate IPs

This data is processed in real-time to generate your scan results. Scan summaries (scores, grades, and anonymized metadata) may be stored for up to 90 days to enable result sharing and trend analysis. Raw fingerprint data is not stored beyond the scan session.

1.2 API Key Data

If you register for an API key, we collect:

  • Email address — for account recovery and usage notifications
  • Name (optional) — for account identification
  • API usage metrics — request counts, rate limit hits, and endpoint usage

1.3 Analytics Data

We use Google Analytics to collect anonymous page view statistics. This includes:

  • Pages visited and referral sources
  • Browser type and screen size (aggregated, not individual)
  • Country of origin (from IP, not stored individually)

2. How We Use Your Data

  • Provide scan results — process your technical data to generate privacy scores and recommendations
  • Improve detection accuracy — aggregate anonymized fingerprint statistics to improve our uniqueness and blending scores
  • API service — authenticate requests, enforce rate limits, and track usage
  • Service improvement — anonymous analytics to understand usage patterns and improve the platform

3. Data We Do NOT Collect

  • We do not sell, rent, or share your personal data with advertisers
  • We do not build advertising profiles from scan data
  • We do not store raw browser fingerprint data beyond the scan session
  • We do not require account creation for basic scans

4. Third-Party Services

We use the following third-party services:

  • MaxMind GeoLite2 — for IP geolocation data. MaxMind does not receive your IP address; lookups happen on our servers using a local database.
  • Stripe — for payment processing of API tier upgrades. Stripe processes payment data under their own Privacy Policy. We do not store credit card numbers.
  • Hetzner — our infrastructure provider. Servers are located in the EU and subject to GDPR requirements.

5. Data Retention

  • Scan results — anonymized summaries retained for up to 90 days
  • API keys — retained until you delete your account or the key expires
  • Usage logs — retained for 30 days for rate limiting and abuse prevention, then deleted
  • Analytics — aggregated statistics retained indefinitely; no individual data is stored

6. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of the data we hold about you
  • Deletion — request deletion of your personal data
  • Correction — request correction of inaccurate data
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing of your data for specific purposes

To exercise any of these rights, contact us at [email protected].

7. Security

We implement industry-standard security measures to protect your data, including:

  • TLS encryption for all connections
  • API keys stored as SHA-256 hashes (we cannot recover your key)
  • Rate limiting and abuse detection
  • Regular security audits and dependency updates
  • Infrastructure hardening with minimal attack surface

8. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will promptly delete it.

9. International Transfers

Our servers are located in the European Union. If you access the Service from outside the EU, your data may be transferred to and processed in the EU. We ensure appropriate safeguards are in place for any such transfers.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated date. We encourage you to review this page periodically.

11. Contact Us

For privacy-related questions or concerns, contact us at [email protected].