Legal

Privacy Policy

Last updated 2026-07-04
This page explains what we collect when you join the launch list or run a scan, how long we keep it, who else processes it, and how to ask us to delete it. It is written in plain language rather than legal boilerplate; see the Disclaimer for what a scan is (and isn't).

What we collect

If you join the launch list: your email address, plus the timestamp, browser user-agent, referring page, and country your request came from (standard anti-abuse signals). We use double opt-in — you'll get a confirmation email and nothing is added to the active list until you click it. Unconfirmed signups are inert and are periodically cleared.

If you run a scan: the URL you submit; your IP address and, if you provide one, your email address, used only to enforce the free daily scan limits described in our Terms of Service and to fight abuse; and a one-time Turnstile (Cloudflare's CAPTCHA alternative) verification token. We do not require an account or email to run a free scan.

What a scan captures: we load the public homepage of the URL you submit in a real browser and record what's visible there — screenshots (desktop and mobile), the rendered page HTML, the list of network hosts and requests the page made, and, if a chat widget is present, a screenshot and text capture of its first message. This is the "evidence" a report is built from. Because it's whatever is publicly visible on that page, it may incidentally include names or other details the page owner has chosen to display publicly (for example, in chat-widget branding). We only use it to generate and, if you request it, deliver your report.

We only fetch what's public

DisclosureProof fetches publicly accessible pages only. We do not accept credentials, do not access anything behind a login, and reject private, local, or otherwise non-public addresses at intake. The free scan is limited to the homepage of the URL you submit; if we ever crawl beyond that single page, we respect that site's robots.txt, identifying ourselves with our own user-agent so a site owner can always see and control what we fetch.

How long we keep it

You can ask for anything of yours to be deleted sooner — see "Your choices" below.

We do not sell scan data

We do not sell, rent, or otherwise trade scan results, waitlist emails, or any other data we collect. Aggregated, non-identifying statistics (for example, "N scans run this month") may be used internally or shared publicly, but never in a way that identifies a specific submitter or target site.

Who else processes it (sub-processors)

Cookies

We don't set first-party tracking cookies of our own. Google Analytics (gtag.js) sets its standard analytics cookies/identifiers on every page to measure aggregate traffic; Cloudflare Turnstile may set a technical cookie or use local storage to complete its bot-verification challenge on the scan page. Neither is used to build an advertising profile of you.

Your choices

Email hello@disclosureproof.com to: remove a waitlist entry, request early deletion of a scan record (include the scan URL or ID from your report link), or ask what data we hold about you. We'll act on deletion requests as soon as we reasonably can.

Changes to this policy

If we materially change what we collect or how long we keep it, we'll update this page and the "last updated" date above. This policy is written for DisclosureProof's current (v0.1) feature set and will be extended as accounts, payments, and monitoring ship.

See also: Terms of Service and the Disclaimer. This page is informational and not legal advice.