
Privacy Policy

Our commitments to your data: what we collect, why we collect it, how we protect it, and the rights you always retain.

Effective: 2026-01-01
Last updated: 2026-04-15

01

Overview

This Privacy Policy explains how SecureCheap ("we", "us", "our") collects, uses, shares, and protects information about you when you use our Service. We designed SecureCheap with privacy as a default — we collect what we need to deliver the Service, nothing more.

We comply with GDPR (EU), CCPA/CPRA (California), UAE PDPL, and applicable data protection laws worldwide. You always retain control of your data — export, modify, or delete it anytime.

02

Information we collect

Account information you provide: name, email, company, billing address, and payment method (stored by our PCI-DSS Level 1 payment processor — we never see card numbers).

Service data: monitoring metrics, security scan results, alert configurations, infrastructure inventory you choose to add. This is your Customer Data — you own it, we process it on your behalf.

Usage data: pages visited, features used, performance metrics. Used solely to improve the Service. Aggregated and anonymised where possible.

Communications: support tickets, chat messages, feedback. Retained for service improvement and quality assurance.

03

How we use your information

To provide, operate, and maintain the Service — including running monitors, executing security scans, generating alerts, and powering AI recommendations on your behalf.

To send transactional emails: account confirmation, billing receipts, security alerts, incident notifications, password resets. You cannot opt out of these while you have an active account.

To send product updates and marketing — only if you opt in. You can unsubscribe at any time from any marketing email.

To detect, prevent, and respond to fraud, security incidents, and abuse.

To comply with legal obligations, court orders, and lawful regulatory requests.

04

What we will never do

We will never sell your personal information to third parties. Full stop.

We will never use Customer Data (metrics, security findings, infrastructure details) to train machine learning models without explicit, granular opt-in.

We will never access your Customer Data except as strictly necessary to operate the Service, respond to support you initiate, or comply with a binding legal order.

We will never enable tracking pixels or behavioural advertising on the dashboard or product UI.

05

When we share information

Service providers: We use vetted sub-processors (Stripe for payments, AWS/Cloudflare for infrastructure, Postmark for transactional email). The full current list is at securecheap.com/legal/subprocessors and is updated 30 days before any change.

Legal compliance: We disclose information only when required by law, court order, or to protect our rights, property, or safety. We notify you of any government request unless legally prohibited.

Business transfers: In the event of merger, acquisition, or sale, your data may transfer to the successor entity. We will notify you 60 days before any such transfer and provide an opportunity to export and delete your data.

06

Data residency

You choose where your data lives: United States, European Union, United Arab Emirates, or Singapore. Data never crosses regional boundaries except for sub-processor functions that you explicitly enable.

Enterprise customers can request dedicated single-tenant infrastructure with custom data residency arrangements.

07

How we protect your data

AES-256 encryption at rest. TLS 1.3 encryption in transit. Per-tenant data isolation. Annual penetration testing by independent third parties.

SOC 2 Type II audited. ISO 27001 certified. GDPR compliant by design.

24/7 security operations centre. Hardware key MFA mandatory for all staff. Audit logs retained 7 years and tamper-evident.

Full incident response plan, public post-mortems for any P1, customer notification within 1 hour of detection.

08

Data retention

Active accounts: We retain your data for as long as your account is active and for legitimate business purposes.

Closed accounts: Customer Data is deleted within 30 days of account closure. You can request immediate deletion at any time.

Billing records: We retain billing data for 7 years to comply with tax and accounting laws.

Audit logs: Retained 7 years in tamper-evident storage for security and compliance.

Backups: Encrypted backups follow a rolling 30-day window. Data in backups is fully purged within 30 days of deletion from primary systems.

09

Your rights

Access: Request a copy of all personal data we hold about you, in machine-readable format.

Correction: Update or correct inaccurate personal information directly in your account settings or by emailing [email protected].

Deletion: Request deletion of your personal data. We will comply within 30 days unless legally required to retain it.

Portability: Export your data via the API or dashboard at any time, in JSON, CSV, or PDF format.

Restriction & objection: Restrict processing of your data or object to specific processing activities.

Withdraw consent: Revoke marketing consent or opt out of optional data uses anytime.

To exercise any right, email [email protected]. We respond within 30 days (often within 48 hours).

10

Cookies & tracking

We use a minimal set of cookies: session cookies for authentication, preference cookies for UI settings, and security cookies for fraud prevention. All are strictly necessary or functional.

We do NOT use third-party advertising cookies, behavioural tracking, or cross-site tracking pixels.

A privacy-respecting product analytics tool (Plausible, self-hosted) aggregates page views without using cookies or storing personal data.

11

Children’s privacy

The Service is not directed to children under 18. We do not knowingly collect personal information from children. If we discover such collection, we delete it immediately.

If you believe a child has provided personal information, contact [email protected].

12

International transfers

When your data is processed outside your home region, we use Standard Contractual Clauses (SCCs) and additional safeguards required by law (encryption in transit, encryption at rest, access controls).

For EU-to-US transfers, we operate under the EU-US Data Privacy Framework where applicable, and SCCs in all other cases.

13

Updates to this policy

We may update this Privacy Policy from time to time. We will notify the account owner of material changes by email at least 30 days before they take effect.

All historical versions of this policy are available at [email protected] on request.

14

Contact & DPO

Data Protection Officer: [email protected]

Privacy inquiries: [email protected] · Legal: [email protected]

Postal: SecureCheap FZ-LLC, DIFC, Dubai, United Arab Emirates.

EU representative under Article 27 GDPR: SecureCheap Europe, Berlin, Germany.

Questions about this policy?

Email [email protected] — we typically reply within one business day.
