Privacy Policy
CheckURL · scan.pwn-all.com — Last updated 13 June 2026
By continuing, you accept this policy
By submitting a URL or otherwise using CheckURL you confirm that you have read and agree to this Privacy Policy. If you do not agree, please do not use the Service.
1. Who we are
CheckURL (“the Service”, “we”, “us”) is a defensive website-reputation scanner operated by PWN-ALL Auditing, Reviewing & Testing Cyber Risks CO. L.L.C. You give us a URL; we fetch the page on your behalf, analyse it for security, privacy, brand-impersonation and scam signals, and return a report. The data controller is PWN-ALL Auditing, Reviewing & Testing Cyber Risks CO. L.L.C.; contact privacy@pwn-all.com.
2. Scan results are public
This is the most important thing to understand before using the Service. When you submit a URL:
- The submitted URL, final destination URL, domain, verdict & score and scan time appear in a public “Last user scans” list and a public API (/api/scans/recent).
- The full report — including the screenshot, redirects, technologies, response headers and extracted page text — is served at a public, unauthenticated URL (/scans/<id> and /screenshots/<id>.png). Anyone with the identifier can view it.
Do not submit URLs that contain secrets (tokens, password-reset or signed links, session IDs, invitation codes, personal data). Such a secret would become part of a public record. This public record is automatically deleted 40 days after the scan (see §6), but is fully public during that window.
3. Data we process
Data you provide: the URLs you submit; optionally an account email and password (stored only as an Argon2 hash, never plaintext) or a Telegram ID and username.
Data generated by the scan: normalized/final URL and domain, verdict and scores, a screenshot, extracted visible text and title, redirect chain, detected technologies, server headers, content hashes and raw engine results. As noted in §2 this material is public.
Technical & anti-abuse data: your IP address is stored only as a keyed (peppered) hash — never in raw form — for rate-limiting, per-network free-scan quota and abuse prevention; a strictly-necessary encrypted session cookie; short-lived proof-of-work challenges; login-attempt records; and an administrative audit log. Raw IPs may appear only transiently in standard infrastructure logs.
Local browser storage: your theme preference is stored in your browser (localStorage) and never sent to us.
4. Cookies
We use a single strictly necessary cookie: an encrypted, HttpOnly session cookie that keeps you signed in and carries the CSRF token protecting our forms (marked Secure over HTTPS). We use no advertising, analytics or tracking cookies.
5. Third parties & transfers
To produce a report the Service sends the submitted URL and/or domain (and our server’s IP — not yours) to threat-intelligence and data providers: VirusTotal, Google Safe Browsing, OpenPhish, URLhaus (abuse.ch), Tranco, and RDAP/WHOIS registries. Each has its own privacy policy and may be located outside your country. To scan a site we also make requests to it, so the site’s operator sees incoming requests from our infrastructure (or a proxy). Our pages use only your device’s built-in system fonts — we load no third-party web fonts, scripts or CDNs, so no font or asset provider receives your IP from our pages. We do not sell your data or share it for third-party marketing.
6. How long we keep data
Scan records (URLs, screenshots, reports) are automatically deleted 40 days after the scan. A scheduled purge runs continuously and removes each record — and its screenshot file — within hours of crossing the 40-day mark, so nothing is retained beyond 40 days. You may also request earlier deletion (see §8). Account data is kept until you delete it; IP hashes and abuse-prevention records are routinely pruned; sessions and proof-of-work challenges expire automatically.
7. Legal bases (GDPR / UK GDPR)
Where the EU/UK GDPR applies we rely on: performance of your request / a contract (to run the scan and operate your account); legitimate interests (to secure the Service, prevent abuse and keep audit logs, using minimised data such as hashed IPs); and consent where we explicitly ask for it, which you may withdraw at any time.
8. Your rights
Subject to applicable law you may access, rectify, erase (including removal of a specific scan/screenshot from public view), restrict or object to processing, port your data, and withdraw consent. To exercise a right, contact privacy@pwn-all.com (include the scan URL or ID for a removal request). We aim to respond within 30 days.
9. Security
We protect data with encrypted session cookies, Argon2 password hashing, IP addresses stored only as keyed hashes, CSRF protection, defences against server-side request forgery, rate-limiting and proof-of-work, and an administrative audit log. No system is perfectly secure, and scan results are public by design (§2).
10. Children
The Service is not directed to children and we do not knowingly collect their data. If you believe a child has provided personal data, contact us and we will delete it.
11. Complaints
If you are in the EEA or UK and believe our processing infringes data-protection law, you may complain to your local supervisory authority — though we would appreciate the chance to resolve it first via privacy@pwn-all.com.
12. Acceptable use
CheckURL is a defensive tool. It reads what a site serves to assess it; it does not submit forms on the target, fuzz, exploit, or bypass a target’s access controls. By using the Service you confirm you scan URLs for legitimate, lawful, defensive purposes and have the right to submit them.
13. Changes
We may update this policy; we will change the “Last updated” date and, for material changes, post a notice on the site. Continued use after an update constitutes acceptance of the revised policy.
14. Contact
Questions or requests: privacy@pwn-all.com. Controller: PWN-ALL Auditing, Reviewing & Testing Cyber Risks CO. L.L.C.
This policy is provided for transparency and is not legal advice.