Privacy Policy

Last updated: January 2026 · Effective immediately
CheckThatURL is a security tool. We are committed to minimal data collection. We do not sell your data. We do not track you across the web. We do not require an account.

Overview

This policy explains what data CheckThatURL ("we", "our", "the service") collects when you use checkthaturl.com, how we use it, and your rights regarding that data. We operate under a principle of minimal, purpose-limited data collection.

CheckThatURL is operated as a security research and threat intelligence platform. By using the service, you agree to the practices described here.

Data We Collect

When you use the URL scanner, we process:

  • The URL you submit for scanning
  • Scan result data (verdict, risk score, extracted features)
  • Timestamp of the request
  • HTTP request metadata (browser type, referring page) for abuse prevention

We do not collect:

  • Your name, email address, or any account information
  • Your IP address in association with scan results
  • Cookies for tracking or advertising purposes
  • Device fingerprints or persistent identifiers

How We Use It

Scan data is used for:

  • Delivering the scan result to you
  • System monitoring and abuse prevention
  • Improving detection accuracy (model retraining)
  • Threat intelligence aggregation for Hunter and Radar modules

We do not use scan data for advertising, profiling, or any purpose beyond security operations.

Storage & Security

Data is stored on infrastructure hosted in the EU (Render.com, Frankfurt region). We use industry-standard security practices including encrypted connections (TLS), managed database access controls, and principle-of-least-privilege service accounts.

Scan logs are retained for up to 90 days for operational purposes and then deleted. Anonymised aggregate data (e.g. threat statistics) may be retained indefinitely.

Feedback & Reports

When you submit feedback (thumbs up/down) or report a false positive/negative:

  • We record the URL, your rating, and the scan verdict
  • We generate an anonymised identifier from your User-Agent string using a salted HMAC — we cannot reverse this to identify you
  • No IP address is stored with feedback records
  • Optional notes you provide are stored as submitted

Third Parties

We use the following third-party services:

  • Render.com — hosting and managed database (EU region)
  • Google Fonts — font delivery (subject to Google's privacy policy)
  • Threat intelligence feeds — we query external feeds (OpenPhish, URLhaus, PhishTank) using only domain/URL data, no personal information

We do not use advertising networks, analytics platforms (e.g. Google Analytics), or social media tracking pixels.

Your Rights

You have the right to request deletion of any data associated with URLs you submitted. Because we do not link scans to identities, deletion requests must include the specific URL(s) in question. Contact us at the address below.

If you are in the EU/EEA, you have additional rights under GDPR including access, rectification, and portability. We aim to respond to requests within 30 days.

Contact

For privacy-related questions or data deletion requests, contact us via the CheckThatURL GitHub repository or through our institutional contact channels. We do not publish a direct email on this page to avoid spam scraping.