Privacy Policy
Effective May 14, 2026 · Sodasoft LLC (30 N Gould St, Sheridan, Wyoming 82801, United States)
This Privacy Policy describes how Sodasoft LLC (“NANOTESTING”, “we”, “us”, or “our”) collects, uses, discloses, and otherwise processes personal data when you visit nanotesting.com, register an account, or use the NANOTESTING security-assessment platform (the “Service”).
We act as a data controller for information we collect about our website visitors and account holders, and as a data processor for the content our customers choose to scan through the Service (their “Customer Content”). The terms of our processor role are governed by the separate Data Processing Agreement (DPA).
1. Who is the controller
For the purpose of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK General Data Protection Regulation, the Swiss Federal Act on Data Protection (“FADP”), and the California Consumer Privacy Act of 2018 as amended by the CPRA (“CCPA/CPRA”), the controller of personal data described in this Policy is:
Sodasoft LLC
30 N Gould St
Sheridan, Wyoming 82801
United States
You can reach our privacy team at privacy@nanotesting.com or our Data Protection Officer at dpo@nanotesting.com.
2. Categories of personal data we collect
2.1 Account data
- Email address (required for magic-link authentication).
- Display name and avatar URL, if you choose to provide them.
- Organization name, slug, and team-member email addresses invited by you.
- Role assignments inside the organization (owner / admin / analyst / viewer).
2.2 Billing data
- Subscription plan, billing status, and Stripe customer identifier. We do not store payment-card data; Stripe processes that information directly. Their privacy notice is at stripe.com/privacy.
- Country of billing and tax identifier (when supplied via Stripe Checkout for EU/UK VAT).
2.3 Telemetry and product analytics
- Server-side logs of HTTP requests including timestamp, request path, response code, IP address, and a user-agent fingerprint. The visitor IP is salted-hashed before persistence; the raw IP is retained for at most 24 hours in transient logs.
- Audit-log events that record who performed which action inside an organization (target verified, scan started, member invited, etc.). These rows are retained for the duration of the customer's account plus the legal retention period described in section 8.
- Email-delivery events from our transactional email provider (delivered / bounced / complained). Bounces are aggregated for deliverability monitoring.
2.4 Customer Content processed on your behalf
When you use the Service to scan a target you own or are authorised to test, we ingest content from that target's public surface (HTTP responses, DNS records, certificate chains, repository contents from the GitHub URL you provided, mobile-app binaries you uploaded, etc.) and store the resulting findings. That content is your data; we process it as a processor on your behalf and the DPA governs the terms.
3. How we use personal data
We process personal data for the following purposes:
- Authenticating you (magic-link email delivery + session cookies).
- Providing the Service (running scans you request, presenting findings, generating reports, sending alert emails / webhooks).
- Billing and account management (invoice generation via Stripe, plan-limit enforcement, suspending delinquent accounts).
- Security and abuse prevention (rate-limiting, IP-block listing on confirmed abuse, audit-log retention for incident response).
- Product analytics (aggregated, never linked back to an identifiable user, used to prioritise feature work + reliability improvements).
- Customer support (responding to support requests, troubleshooting failed scans).
- Marketing communications related to the Service, transactional in nature (incident notifications, billing receipts, security advisories). We only send promotional email if you opt in.
4. Legal bases (EU / UK GDPR Article 6)
- Contract (Art. 6(1)(b)) - delivering the Service you signed up for, billing you, and surfacing scan results.
- Legitimate interests (Art. 6(1)(f)) - product security, fraud prevention, aggregated analytics, defending legal claims. Our legitimate-interest assessment is available on request to dpo@nanotesting.com.
- Consent (Art. 6(1)(a)) - non-essential cookies, marketing email, anything you opt into explicitly. You can withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal.
- Legal obligation (Art. 6(1)(c)) - tax-record retention, response to lawful access requests, court orders.
5. Disclosures of personal data
We disclose personal data only to the categories of recipients listed below. A full subprocessor inventory is published at /legal/subprocessors.
- Infrastructure providers who host the Service (cloud compute, managed database, encrypted object storage, content-delivery network).
- Payment processor (Stripe Payments Europe, Ltd. + Stripe, Inc.).
- Transactional email provider for sending magic-link, billing, and scan-completion emails.
- Threat-intelligence providers (NIST NVD, CISA KEV, FIRST.org EPSS) - we consume their public feeds; no personal data leaves our environment.
- Authorities when compelled by a binding legal order or to defend against a credible threat to life or property. We publish a transparency report annually.
- Successor entity in the event of a merger, acquisition, or asset sale. The acquirer must inherit this Privacy Policy or provide a notice with a reasonable opt-out period before changing terms.
We do not sell or share personal data for cross-context behavioural advertising (CCPA/CPRA definitions).
6. International data transfers
We are a Wyoming (United States) company; our primary infrastructure runs in the United States and the European Union. Where we transfer personal data from the EEA, the UK, or Switzerland to a third country that has not been deemed adequate by the European Commission, we rely on the European Commission's 2021 Standard Contractual Clauses (Module One / Module Two as applicable) and apply the supplementary technical and organisational measures documented in our DPA.
For UK transfers we rely on the UK International Data Transfer Addendum to the EU SCCs (B1.0). For Swiss transfers we rely on the SCCs with the FADP-required modifications.
7. Cookies and similar technologies
We use a small number of strictly-necessary cookies + local storage entries to keep you signed in, remember your active organisation, and persist your theme preference. See the separate Cookie Policy for a per-cookie inventory and your controls.
8. Retention
- Account data is retained for the lifetime of the account. When you delete your account we erase identifying fields and either anonymise or delete dependent rows within 30 days, except where retention is required by law.
- Audit logs are retained for 24 months for security and compliance reasons.
- Findings and scan output follow your plan retention (currently 12 months on paid plans). Anonymised aggregates may be retained for product analytics.
- Billing records are retained for 7 years per US accounting requirements.
- Backup snapshots are retained on rolling 30- to 35-day windows by our infrastructure providers.
9. Security
We protect personal data with TLS 1.2+ for all transport, AES-256-GCM at rest for customer-supplied secrets, row-level security in our managed database, signed download URLs for report PDFs and raw scan output, short-lived service tokens for worker-to-control-plane RPC, and role-based access for our own team. The full programme is described in the DPA Schedule 2 - Technical and Organisational Measures.
10. Your rights
10.1 GDPR / UK GDPR (EEA, UK, Switzerland)
Subject to the conditions of GDPR Articles 15-22 you have the right to:
- access the personal data we hold about you;
- rectify inaccurate or incomplete data;
- erase data (“right to be forgotten”);
- restrict processing in defined situations;
- receive your personal data in a structured, machine-readable format and transmit it elsewhere (portability);
- object to processing based on our legitimate interests; and
- not be subject to a decision based solely on automated processing that has a legal or similarly significant effect.
10.2 California / CPRA
California residents may request to know what personal information we collect, to delete it, to correct inaccuracies, and to limit the use and disclosure of “sensitive personal information” (we do not currently process sensitive PI of California residents). You may also designate an authorised agent to exercise these rights on your behalf.
10.3 How to exercise your rights
Send a request to privacy@nanotesting.com from the email address associated with your account, or use the self-service controls at /settings/privacy once you are signed in (data export and account deletion). We will respond within 30 days (extendable by 60 days for complex requests). We will not retaliate against any consumer who exercises their rights, including by denying service or charging different prices.
10.4 Complaints to a supervisory authority
If you are in the EEA, the UK, or Switzerland you have the right to lodge a complaint with your local data-protection authority. Contact details are at edpb.europa.eu/about-edpb/about-edpb/members_en (EU), ico.org.uk/make-a-complaint (UK), or edoeb.admin.ch (Switzerland).
11. Children
The Service is intended for organisations and professional users and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact privacy@nanotesting.com and we will delete it.
12. Automated decisions and profiling
We do not use automated decision-making that has a legal or similarly significant effect on a user. Severity scoring, prioritisation, and finding triage are decision-support tools; a human always remains in the loop for remediation.
13. Changes to this Policy
We may update this Policy from time to time. The current version is identified by the effective date at the top of the page. We announce material changes by email to account holders at least 30 days before they take effect, and refresh the effective date on the page. Your continued use of the Service after the effective date constitutes acceptance.
14. Contact
Privacy team: privacy@nanotesting.com
Data Protection Officer: dpo@nanotesting.com
Postal mail: Sodasoft LLC, 30 N Gould St, Sheridan, Wyoming 82801, United States.