StratQuad Privacy Policy
Effective 23 April 2026
This privacy policy explains how StratQuad processes personal data when you visit stratquad.co.uk, create an account at app.stratquad.co.uk, or use the StratQuad External Attack Surface Management platform. StratQuad operates under the UK General Data Protection Regulation and the Data Protection Act 2018.
1. Who we are
StratQuad is a United Kingdom based operation. If you have any questions about this policy or how your data is handled, contact us at [email protected].
We are the data controller for the personal data collected through our website and platform.
2. What data we collect
2.1 Account data
When you create an account, we collect your email address, a password (stored as a one way hash), your organisation name if provided, and your chosen display name.
2.2 Scan data
When you run a scan, we record the domain or URL you submit, the timestamp, the configuration options you selected, and the results of the scan. Scan results may include technical metadata about the target (open ports, exposed services, certificate details, detected technologies, email security configuration, and other information gathered from passive and active reconnaissance).
You must only submit domains you own or are explicitly authorised to scan. Submitting domains you do not own or are not authorised to scan is a breach of our terms of service and may also be a breach of the Computer Misuse Act 1990.
2.3 Usage data
We record which pages you visit, which features you use, and the time and duration of your sessions. This data is used to operate and improve the service. We do not sell this data or share it with advertisers.
2.4 Communication data
If you email us, we retain the contents of that correspondence for as long as is reasonable to resolve your query and for record keeping purposes.
3. Legal basis for processing
We process personal data under the following legal bases as set out in UK GDPR Article 6:
- Contract: to provide the services you sign up for.
- Legitimate interest: to operate, secure, and improve the platform, and to detect and prevent abuse.
- Consent: where you have explicitly agreed, for example to receive product update emails.
- Legal obligation: where we must retain or disclose data to comply with UK law.
4. How long we keep data
We retain personal data only for as long as is necessary for the purposes for which it was collected.
- Account data: for the lifetime of your account plus 12 months after closure for audit and dispute resolution.
- Scan data: for the lifetime of your account. You can delete individual scans at any time from the scan history page.
- Usage data: retained for 24 months then aggregated and anonymised.
- Communication data: retained for 36 months from the last contact.
5. Where your data is stored
StratQuad runs on infrastructure provided by Hetzner Online GmbH in data centres located in the European Union (Germany and Finland). Your data does not leave the UK or EU unless you explicitly share it externally, for example by exporting a PDF report and sending it to a third party.
We do not transfer personal data to any country outside the UK or EU.
6. Who we share data with
We do not sell your data. We share data only in the following circumstances:
- With infrastructure providers (Hetzner) who host the platform on our behalf, under data processing agreements that comply with UK GDPR.
- With third party intelligence sources when you use features that query those sources (for example, Shodan for passive port data, Have I Been Pwned for credential exposure checks). These queries are made with the information needed to complete the query and no more.
- When required by UK law, court order, or lawful request from a competent authority.
- When we have your explicit consent to do so.
7. Your rights
Under UK GDPR you have the following rights:
- Right of access: you can request a copy of the personal data we hold about you.
- Right to rectification: you can ask us to correct inaccurate data.
- Right to erasure: you can ask us to delete your data, subject to any legal retention obligations.
- Right to restrict processing: you can ask us to pause processing of your data in certain circumstances.
- Right to data portability: you can request your data in a machine readable format.
- Right to object: you can object to processing based on legitimate interest.
- Right to withdraw consent: where we rely on consent, you can withdraw it at any time.
To exercise any of these rights, email [email protected]. We will respond within one month.
If you believe we have not handled your data correctly, you can complain to the Information Commissioner's Office at ico.org.uk.
8. Security
We take security seriously because it is what we do. The platform uses TLS 1.2 or higher for all traffic in transit, AES-256 encryption at rest for stored data, password hashing via bcrypt, and strict access controls on all systems. Secrets are stored in HashiCorp Vault. PostgreSQL row-level security enforces data isolation between tenants.
No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and the Information Commissioner's Office within 72 hours as required by UK GDPR.
9. Cookies
We use a small number of essential cookies to operate the platform. These are needed for authentication and session management. We do not use tracking cookies, advertising cookies, or analytics cookies that profile individual users.
Essential cookies we set:
- Session authentication token: expires at the end of your session or after a configurable idle timeout.
- Theme preference: stores your light or dark mode choice locally.
We do not share cookie data with third parties.
10. Children
StratQuad is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it.
11. Changes to this policy
We may update this policy from time to time. The effective date at the top of this document shows when it was last updated. Material changes will be notified to you by email. Continued use of the platform after a change constitutes acceptance of the updated policy.
12. Contact
For any privacy related query, contact [email protected].