SP-API Migration Validator Run free scan

Migration assurance

Privacy policy

This policy explains what is processed during a scan and what the service deliberately does not retain.

Operator and contact

The production operator, jurisdiction and privacy contact are published here. Values marked TO_BE_CONFIGURED must be replaced with the real legal identity before public paid launch.

FieldValue
Legal operatorTO_BE_CONFIGURED_BEFORE_PAID_LAUNCH
AddressTO_BE_CONFIGURED_BEFORE_PAID_LAUNCH
JurisdictionTO_BE_CONFIGURED_BEFORE_PAID_LAUNCH
Effective dateTO_BE_CONFIGURED_BEFORE_PAID_LAUNCH
Support contactsupport@your-domain.example
Security contactsecurity@your-domain.example
Legal contactlegal@your-domain.example
Privacy contactprivacy@your-domain.example

What we process

We process source, configuration or sample text submitted by paste or ZIP in order to produce findings. A static scan does not require Amazon credentials or an account.

What we store

The report stores findings, typed evidence, file paths where applicable, ruleset metadata and counts for the access period attached to the purchased product: 30 days for Single, 90 days for Bundle and 180 days for each Agency beta project after its first paid scan or unlock. Agency credits expire 180 days after purchase, no new project may be created after credit expiration, and Agency stored report data expires no later than 365 days after pack purchase. Free preview report access is 30 days. Source is not retained; the uploaded ZIP and full submitted source are not persisted.

Secrets and analytics

Possible secret values are masked. .env files commonly contain credentials; prefer .env.example or redact all secrets before upload. Pasted text runs browser preflight before submit; uploaded files are received into isolated transient processing and scanned server-side before report persistence. Secret preflight blocks private keys, LWA client secrets, AWS keys, OAuth tokens, database URLs and password assignments before a report is saved. Product analytics, when enabled, excludes source, filenames, file paths, snippets, emails, order IDs, report tokens and raw errors.

Your choices

Reports expire and can be deleted using their private access link. Account-lite data can also be deleted. Privacy rights requests should be sent to the privacy contact with enough information to identify the report or purchase, but never the private access token.

Subprocessors and international data handling

Paid launch requires the configured hosting/storage, email and payment processors to be published. Until those fields are final, this policy is suitable for staging/private beta, not production paid launch.

AreaProvider
Payment processorPaddle
Hosting/storageProduction hosting/storage vendor TO_BE_CONFIGURED_BEFORE_PAID_LAUNCH
Email deliveryProduction email vendor TO_BE_CONFIGURED_BEFORE_PAID_LAUNCH
International handlingData may be processed where the configured hosting, payment and email subprocessors operate; final production subprocessors must be published before paid launch.

Recommended next action

Last reviewed: 2026-07-02.

Open the interactive scanner: /app#/privacy