Privacy-first by design
Privacy & Security
Clarvia is designed to scan public endpoints without collecting personal data. Here is exactly what we do and don't do.
What data we collect
- The URL you submit for scanning
- Scan results and computed Clarvia Score
- No personally identifiable information (PII) is collected
- No user accounts or login required for basic scans
Where data is stored
- Scan results are cached server-side for performance
- Persistent reports are stored in Supabase (PostgreSQL)
- All data is transmitted over HTTPS
- No data is sold or shared with third parties
SSRF protection
- Private and internal IP ranges (10.x, 172.16.x, 192.168.x, 127.x) are blocked
- The scanner cannot access internal network resources
- DNS rebinding attacks are mitigated
- Only public HTTP/HTTPS endpoints are scanned
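One way to implement the checks listed above, as an added example that is not Clarvia's own code: validate the scheme, resolve the host once, reject it if any address is non-public, and return the validated IP so the connection is pinned to it. The names `pin_target`, `is_public`, `BlockedTarget`, `static_resolve` and the `ZONE` data are assumptions made for this sketch.

```python
import ipaddress
from urllib.parse import urlsplit

class BlockedTarget(ValueError):
    """The submitted URL must not be scanned."""

def is_public(ip_text):
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) before classifying.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for 10/8, 172.16/12, 192.168/16, 127/8,
    # link-local 169.254/16 and the other reserved ranges.
    return ip.is_global

def pin_target(url, resolve):
    """Return (host, port, ip) that is safe to connect to, or raise.

    resolve: assumed callable, hostname -> list of IP strings.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedTarget("only http/https endpoints are scanned")
    host = parts.hostname
    if not host:
        raise BlockedTarget("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal in the URL
    except ValueError:
        addrs = resolve(host)  # resolve exactly once
    if not addrs:
        raise BlockedTarget(f"{host} does not resolve")
    # One non-public answer is enough to reject the whole name.
    for addr in addrs:
        if not is_public(addr):
            raise BlockedTarget(f"{host} resolves to non-public {addr}")
    # The caller connects to this IP (sending Host/SNI = host) and never
    # re-resolves, so a later DNS answer cannot redirect the scan.
    return host, port, addrs[0]

# Constructed DNS answers for the demo (not real records).
ZONE = {
    "api.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],
    "mixed.example.com": ["93.184.216.34", "192.168.1.10"],
}

def static_resolve(host):
    return ZONE.get(host, [])
```

In a real scanner, HTTP redirects need the same check applied to each hop before following it.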
API keys for authenticated scans
- API keys are used only during the active scan session
- Keys are never stored, logged, or persisted to disk
- Keys are transmitted over HTTPS and discarded after scan completion
- You can scan without authentication — API keys are optional
Tracking & analytics
- No tracking cookies are set
- No third-party analytics (Google Analytics, etc.)
- No fingerprinting or cross-site tracking
- We respect Do Not Track headers