PRIVACY NOTICE
This privacy notice for CNT Friends Oy (“Company,” “we,” “us,” or “our”) explains how we collect, store, use, and share your information when you use appsecsanta.com (the “Website”).
Questions? Contact us at suphi@cnt.fi.
1. What Information Do We Collect?
Information you provide directly
If you use our contact form, we collect your name and email address so we can respond to your message. We don’t ask for phone numbers or any other personal details.
Free security tools
We offer free security tools (Security Headers Checker, DNS Security Checker, SSL/TLS Checker, and Subdomain Finder). When you use these tools:
What we process during your scan:
- Domain or URL you enter — sent to our Cloudflare Worker to perform the scan. Not stored in any database or log after the response is returned.
- Your IP address — used to generate a short-lived HMAC authentication token (held in memory only, not stored) and for rate limiting (see below).
Rate limiting via Cloudflare KV:
To prevent abuse, we store a counter keyed to your IP address (e.g., rl:ssl:203.0.113.5) in Cloudflare Workers KV. This counter tracks how many scans you’ve performed in the current hour. It auto-deletes after 1 hour (TTL-based expiration). No domain names, scan results, or other data is stored alongside it.
What we do NOT store server-side:
- The domains or URLs you scan
- Your scan results or grades
- Any personal information beyond the ephemeral rate-limit counter
Client-side storage (your browser only):
Your scan history (domain, score/grade, timestamp) is saved in your browser’s localStorage so you can see previous results. This data never leaves your browser and is not sent to us. You can clear it at any time through your browser settings.
Third-party services contacted during scans:
| Service | Data Sent | Purpose |
|---|---|---|
| Target domain’s server | HTTP/HTTPS requests with our user-agent | Headers, SSL/TLS, and DNS checks |
| crt.sh (Sectigo) | Domain name | Certificate Transparency log queries |
| Cloudflare DoH | Domain name | DNS record lookups |
These third-party services have their own privacy policies. We do not control how they process the domain names we query.
Comments via Giscus
Our tool pages use Giscus for comments, which runs on GitHub Discussions. If you leave a comment, you authenticate through your GitHub account. Giscus processes your GitHub username and profile information to display your comment. We don’t store this data ourselves; it lives on GitHub’s infrastructure under their privacy policy.
Information collected automatically
When you visit the Website, certain data is collected automatically:
Google Analytics (G-TYFW0D38YY)
We use Google Analytics to understand how visitors use the site. This collects:
- Pages viewed and time spent on pages
- Referring website or search engine
- Browser type, operating system, and screen resolution
- Approximate geographic location (country/city level, derived from IP)
- Device type (desktop, mobile, tablet)
Google Analytics uses cookies to distinguish between visitors. Your IP address is anonymized before storage. You can opt out by installing the Google Analytics Opt-out Browser Add-on.
Cloudflare Pages
The Website is hosted on Cloudflare Pages. Cloudflare automatically processes visitor IP addresses and standard HTTP request data (browser user-agent, requested URL, timestamp) to serve content and protect against abuse. See Cloudflare’s Privacy Policy for details.
Cookies
We use the following cookies:
- Google Analytics cookies (_ga, _ga_*): Track visitor sessions and distinguish between users. Expire after 2 years.
- Cloudflare cookies: Used for security and performance. See Cloudflare’s cookie policy for specifics.
We do not use advertising cookies or sell your data to third parties.
2. How Do We Use Your Information?
We use the information we collect to:
- Run and improve the Website. Analytics help us see which pages are useful, what content to add, and where visitors come from.
- Respond to enquiries submitted through the contact form.
- Protect the Website through Cloudflare’s security features.
We do not use your information for marketing, profiling, or automated decision-making.
3. Who Do We Share Your Data With?
We share data with the following service providers, each of which processes data as described in their own privacy policies:
| Service | Data Processed | Purpose |
|---|---|---|
| Google Analytics | Anonymized usage data | Website analytics |
| Cloudflare | IP addresses, request data | Hosting, security, and tool backend |
| GitHub (Giscus) | GitHub profile data | Comment system |
| crt.sh (Sectigo) | Domain names entered in tools | Certificate Transparency lookups |
| Cloudflare DNS (1.1.1.1) | Domain names entered in tools | DNS record lookups |
We do not sell, rent, or trade your personal information. We may disclose information if required by law or to protect our legal rights.
4. Data Retention
- Security tool rate-limit counters are auto-deleted after 1 hour (Cloudflare KV TTL). No scan data is retained.
- Google Analytics data is retained for 14 months, then automatically deleted.
- Contact form submissions are kept until we’ve responded to your enquiry, then deleted.
- Cloudflare edge logs follow Cloudflare’s standard retention periods (typically 72 hours for request logs).
- Giscus comments are stored on GitHub indefinitely as GitHub Discussions. You can delete your own comments through GitHub.
5. Your Privacy Rights
If you’re in the EEA, UK, or Switzerland
Under GDPR, you have the right to:
- Access your personal data and request a copy
- Rectify inaccurate information
- Erase your personal data (“right to be forgotten”)
- Restrict processing in certain circumstances
- Data portability, i.e. receive your data in a machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent at any time where processing is based on consent
To exercise these rights, email us at suphi@cnt.fi. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority.
For all visitors
You can:
- Disable cookies in your browser settings (this may affect site functionality)
- Opt out of Google Analytics using the browser add-on
- Delete Giscus comments through your GitHub account
6. International Data Transfers
Your data may be processed outside the EEA by our service providers (Google, Cloudflare, GitHub). These companies use Standard Contractual Clauses and other safeguards for international transfers.
7. Children’s Privacy
The Website is not directed at anyone under 18 years of age. We do not knowingly collect personal information from children.
8. Do-Not-Track Signals
There is no uniform standard for handling Do-Not-Track browser signals. We do not currently respond to DNT signals.
9. Changes to This Notice
We may update this privacy notice from time to time. The “Last updated” date at the top of the page shows when it was last revised.
10. Contact Us
If you have questions about this privacy notice or want to exercise your data protection rights, contact us:
CNT Friends Oy, Hitsaajankatu 13, Helsinki 00810, Finland
Email: suphi@cnt.fi
You can also reach us through our contact page.