Last updated 10 May 2026
Privacy Policy
This page describes what AttackMap collects, why, and how long it stays. AttackMap is operated by Cliff Hack ("we", "us"). Contact: support@attackmap.org.
What we collect
- The URL you submit for a scan. Stored only as needed to run the scan and produce a report.
- Your email address, which Stripe shares with us when you pay $29 so that we can deliver the report.
- Scan results — the report we generate from your URL.
- Server logs — request IP and timestamp, for rate-limiting and abuse prevention. Not joined to identity.
- Payment metadata — handled entirely by Stripe. We never see, store, or process your card number.
We do not run third-party analytics, advertising trackers, or social pixels on attackmap.org. There is no cookie used for tracking. The only cookies present are those Stripe sets on the Checkout subdomain (their domain, their policy).
How long we keep it
- Cached scan results: 1 hour, so repeat scans of the same URL are fast.
- Paid reports: stored in Cloudflare R2 for 7 days so your re-download link works, then deleted.
- Email + Stripe receipts: retained by Stripe and by our outbound email service (Microsoft 365) per their respective retention policies. We do not maintain a separate customer list.
- Server logs: rotated after 30 days.
What we do with it
Submitted URLs are used only to run the scan you asked for. We do not aggregate them, sell them, share them with third parties for marketing, or train models on them. We do not add you to a mailing list — there is no AttackMap newsletter. We use your email exclusively to deliver the report and, if applicable, refund/support correspondence you initiated.
Subprocessors
Running this service requires a handful of vendors. Each sees only the data it needs:
- Stripe — payment processing. Sees your name, email, card.
- Cloudflare — DNS, CDN, R2 object storage. Sees request metadata and (for R2) the generated report files.
- Railway — application hosting. Runs the scanner code.
- Microsoft 365 (Graph API) — outbound email delivery for your report.
- Anthropic — used to polish the report text before it's emailed. Scan output (your site's findings, not your email) is sent to their API and is subject to their zero-retention API terms.
Your rights
Email support@attackmap.org to request deletion of your stored report and email record. We'll confirm within a few business days.
Children
AttackMap isn't directed at anyone under 16 and we don't knowingly collect data from them.
Changes
If this policy changes materially, we'll update the date at the top and post a notice on the homepage for at least 30 days.