StratQuad Privacy Policy

Effective 23 April 2026

This privacy policy explains how StratQuad processes personal data when you visit stratquad.co.uk, create an account at app.stratquad.co.uk, or use the StratQuad External Attack Surface Management platform. StratQuad operates under the UK General Data Protection Regulation and the Data Protection Act 2018.

1. Who we are

StratQuad is a United Kingdom-based operation. If you have any questions about this policy or how your data is handled, contact us at [email protected].

We are the data controller for the personal data collected through our website and platform.

2. What data we collect

2.1 Account data

When you create an account, we collect your email address, a password (stored as a one-way hash), your organisation name if provided, and your chosen display name.

2.2 Scan data

When you run a scan, we record the domain or URL you submit, the timestamp, the configuration options you selected, and the results of the scan. Scan results may include technical metadata about the target (open ports, exposed services, certificate details, detected technologies, email security configuration, and other information gathered from passive and active reconnaissance).

You must only submit domains you own or are explicitly authorised to scan. Submitting domains you do not own or are not authorised to scan is a breach of our terms of service and may also be a breach of the Computer Misuse Act 1990.

2.3 Usage data

We record which pages you visit, which features you use, and the time and duration of your sessions. This data is used to operate and improve the service. We do not sell this data or share it with advertisers.

2.4 Communication data

If you email us, we retain the contents of that correspondence for as long as is reasonable to resolve your query and for record keeping purposes.

3. Legal basis for processing

We process personal data under the following legal bases as set out in UK GDPR Article 6:

4. How long we keep data

We retain personal data only for as long as is necessary for the purposes for which it was collected.

5. Where your data is stored

StratQuad runs on infrastructure provided by Hetzner Online GmbH in data centres located in the European Union (Germany and Finland). Your data does not leave the UK or EU unless you explicitly share it externally, for example by exporting a PDF report and sending it to a third party.

We do not transfer personal data to any country outside the UK or EU.

6. Who we share data with

We do not sell your data. We share data only in the following circumstances:

7. Your rights

Under UK GDPR you have the following rights:

To exercise any of these rights, email [email protected]. We will respond within one month.

If you believe we have not handled your data correctly, you can complain to the Information Commissioner's Office at ico.org.uk.

8. Security

We take security seriously because it is what we do. The platform uses TLS 1.2 or higher for all traffic in transit, AES-256 encryption at rest for stored data, password hashing via bcrypt, and strict access controls on all systems. Secrets are stored in HashiCorp Vault. PostgreSQL row-level security enforces data isolation between tenants.

No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and the Information Commissioner's Office within 72 hours as required by UK GDPR.

9. Cookies

We use a small number of essential cookies to operate the platform. These are needed for authentication and session management. We do not use tracking cookies, advertising cookies, or analytics cookies that profile individual users.

Essential cookies we set:

We do not share cookie data with third parties.

10. Children

StratQuad is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it.

11. Changes to this policy

We may update this policy from time to time. The effective date at the top of this document shows when it was last updated. Material changes will be notified to you by email. Continued use of the platform after a change constitutes acceptance of the updated policy.

12. Contact

For any privacy-related query, contact [email protected].