Legal
Privacy Policy
Last updated: April 2026
DygDog (“we”, “our”, “us”) is committed to protecting your personal data. This Privacy Policy explains what data we collect when you use the DygDog security scanning platform, how we use it, and what rights you have over it. Please read it carefully before creating an account or submitting a scan.
1. Data We Collect
- Account data: When you register, we collect your email address, name, and (if using Google OAuth) your Google profile information.
- Scan data: We collect the URLs and domain names you submit for scanning, along with the results those scans produce, including findings, risk scores, and evidence artefacts.
- Usage data: We collect standard server logs (IP address, user-agent, request timestamps) for security monitoring and abuse prevention.
- Organisation data: We store organisation names, member email addresses, roles, and any API keys you generate within the platform.
- We do not collect payment card data directly. Billing, if applicable, is handled by a third-party payment processor subject to their own privacy policy.
2. How We Use Your Data
- To provide and operate the DygDog security scanning service.
- To authenticate you and maintain your session securely.
- To store and display your scan results, findings, and compliance evidence.
- To send transactional emails (e.g. sign-up confirmation, scan completion notifications).
- To detect, investigate, and prevent fraudulent or abusive use of the platform.
- We do not sell your personal data to third parties. We do not use your scan results to train AI models without explicit consent.
3. Data Storage & Security
- All data is stored in Supabase (PostgreSQL) hosted on infrastructure in the EU (Ireland, eu-west-1 by default) or the region you select at organisation creation.
- Data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256.
- Access to your organisation's data is controlled by Row-Level Security (RLS) policies enforced at the database layer. Only authenticated members of your organisation can access your scans and findings.
- We retain scan data for as long as your account is active. You may request deletion of your data at any time by contacting us (see Section 6).
- Backups are retained for a maximum of 30 days and are stored in the same geographic region as your primary data.
4. Third-Party Services
- Supabase (supabase.com): Provides our database, authentication, and storage infrastructure. Your data is subject to the Supabase Privacy Policy.
- Vercel (vercel.com): Hosts the DygDog application. Server-side logs including IP addresses and request metadata are processed by Vercel. Subject to the Vercel Privacy Policy.
- Google OAuth (accounts.google.com): If you sign in with Google, Google shares your name and email address with DygDog. Subject to the Google Privacy Policy.
- Threat intelligence providers: Scan enrichment queries external APIs (NVD, FIRST EPSS, CISA KEV, VirusTotal, URLhaus, OTX AlienVault). Only the target hostname or CVE identifier is transmitted — no account or personal data.
- Vercel AI Gateway: AI-generated remediation guidance is produced by frontier LLMs accessed via the Vercel AI Gateway. Only anonymised finding text is transmitted — no account identifiers.
5. Your Rights (GDPR / UK GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or a jurisdiction with equivalent data protection legislation, you have the following rights:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request correction of inaccurate personal data.
- Right to erasure: You may request deletion of your personal data, subject to our legal obligations.
- Right to data portability: You may request your data in a structured, machine-readable format.
- Right to restrict processing: You may request that we limit how we use your data in certain circumstances.
- Right to object: You may object to processing of your personal data for direct marketing purposes.
To exercise any of these rights, please contact us using the details in Section 6. We will respond within 30 days.
6. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:
- Email: privacy@dyg.dog
- We aim to respond to all privacy enquiries within 5 business days.
- If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority (e.g., the ICO in the UK, or your national DPA in the EU).
This policy may be updated from time to time. We will notify registered users of material changes by email and will update the “Last updated” date above. Continued use of the service after notification constitutes acceptance of the revised policy.
