Privacy Policy
RedRun provides detection-only security testing for web apps, APIs, and AI features. This policy explains what we collect, why, who we share it with, and the choices you have. We keep it short and accurate - we'd rather say less and mean it.
01Who we are
RedRun ("RedRun", "we", "us") operates the websites redrun.app, scan.redrun.app, and app.redrun.app, and the underlying scanning service. Questions or requests: bekedil072@gmail.com.
02Information we collect
- Account information - your email address and a password, which is stored only as a salted hash (bcrypt); we never store your password in plain text.
- Scan information - the domains and URLs you submit, the domain-ownership verification records you create, and the scan results, including the request/response evidence we capture to prove each finding.
- Optional settings - e.g. a Slack/webhook URL, if you configure notifications.
- Technical & security data - IP address, timestamps, and request metadata, used for rate-limiting, audit logging, and abuse prevention.
- Communications - the content of messages you send us.
We do not intentionally collect special-category personal data, and we ask that you not submit it. The free scan can be run with just an email address for report delivery.
03How we use it
- To run the scans you request and deliver the resulting reports.
- To authenticate you and operate your account and dashboard.
- For security, abuse prevention, rate-limiting, and audit logging.
- To send you service communications (e.g. scan-complete notifications).
- To maintain, debug, and improve the service.
- To comply with legal obligations.
We do not sell your personal data, and we do not use it for third-party advertising.
04How scan data is handled
RedRun is detection-only. We probe to prove a vulnerability with the exact request and response, then stop - we do not exfiltrate data, escalate, or run destructive payloads. Active (intrusive) scans run only against domains you have verified you own or are authorized to test. We store the captured evidence so you can reproduce and remediate each finding.
05Service providers (subprocessors)
We share data with a small set of providers strictly to run the service:
- Anthropic - the AI model that analyzes scan data and drafts report summaries. Scan-derived content may be sent to Anthropic for processing.
- Railway - application hosting and the PostgreSQL database.
- Vercel - website and dashboard hosting, and DNS.
- Resend - transactional email (reports and account messages).
- DigitalOcean - infrastructure that runs active scans in an isolated, network-restricted sandbox.
Each provider is bound by its own data-processing terms. We may also disclose information if required by law or to protect the rights, safety, and security of RedRun and its users.
06Retention
We keep your account and scan data while your account is active and as needed to provide the service. You can delete scans, or ask us to delete your account and associated data, at any time by contacting us. We retain limited security and audit logs for a reasonable period to protect the service.
07Security
We protect data in transit with TLS, hash passwords with bcrypt, scope each user's data to their account, encrypt database backups, and restrict the scanner's network egress so it can only reach the targets you authorize. No system is perfectly secure, but security is the core of what we do and we treat our own posture accordingly.
08Your rights
Depending on where you live (e.g. the EEA/UK under GDPR, or California under the CCPA/CPRA), you may have the right to access, correct, delete, export, or object to the processing of your personal data. To exercise any of these, email bekedil072@gmail.comand we'll respond within the time required by applicable law.
09Cookies & local storage
We use browser local storage to keep you signed in (a session token). We do not use third-party advertising or cross-site tracking cookies. Any analytics we use are limited to understanding aggregate product usage.
10International transfers & children
Our providers may process data in the United States and other countries; where required, transfers rely on appropriate safeguards. RedRun is not directed to children and is not intended for anyone under 16.
11Changes
We may update this policy as the service evolves. We'll change the "last updated" date above and, for material changes, take reasonable steps to notify you.