Privacy Policy

Your privacy is paramount. This policy outlines how STLUR collects, uses, and protects your data.

1. Data Collection

We collect only essential information: the URL of the target asset, billing information (processed securely via Stripe), contact email for reports, and security scan results. For Enterprise plans, encrypted session data may be temporarily stored as described in Section 5.

2. Data Usage

Your data is used solely for the purpose of performing security audits and delivering reports. We do not sell or share your personal data with third parties, except subprocessors listed on our Trust page (Supabase, Cloudflare, Vercel, Google Cloud, Stripe, OpenAI, Resend).

3. Security

We employ industry-standard encryption and security measures. All data in transit is protected by TLS 1.2 or higher. Data at rest is protected by AES-256 encryption provided by our infrastructure subprocessors. Security scan results are stored in Cloudflare R2 with server-side encryption.

4. Global Compliance

We adhere to GDPR, CCPA, and APPI standards regarding data protection and user rights. Enterprise customers may request a Data Processing Agreement (DPA) by contacting us at security@stlur.app.

5. Enterprise Authenticated Scanning — Credential Handling

For the Enterprise authenticated scanning feature, the STLUR Chrome Extension in your browser encrypts session credentials (such as cookies) locally using AES-GCM 256-bit encryption before transmitting them to STLUR servers. The encrypted data is further protected using a key derived from your installation token via HKDF (SHA-256), so that a breach of R2 storage alone does not allow your credentials to be decrypted. STLUR decrypts credentials only at scan execution time, solely for the purpose of configuring the security scanner. Plaintext credentials exist only in memory during the scan and are never written to logs, databases, or persistent storage. Encrypted credential payloads are automatically deleted within 48 hours of scan completion or upon credential expiry (whichever comes first). You can delete your stored credentials at any time from the account dashboard.

6. Data Retention

Security scan reports are retained for a minimum of 12 months to support your compliance and audit needs. Raw scan data may be retained for up to 24 months. Billing information is retained as required by applicable financial regulations. You may request deletion of your account and associated data at any time.

7. Your Rights

Under GDPR and CCPA, you have the right to access, correct, delete, and export your personal data. To exercise these rights, contact us at privacy@stlur.app.

8. Cookies

We use essential cookies for authentication and session management. We do not use tracking cookies for advertising purposes.

9. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes by email or in-product notification.

Last Updated: April 2026