Privacy Policy
This Privacy Policy describes how AI QA Monkey ("Company," "we," "us," or "our") collects, uses, stores, and protects information. This Policy applies to all users, visitors, and entities whose information we may process.
Last Updated: February 19, 2026
1. SCOPE & APPLICABILITY
This Privacy Policy applies to:
- Users: Individuals who visit our website or use our services
- Customers: Individuals or entities that purchase our services
- Indexed Entities: Companies included in our Industry Security Index
- All Visitors: Anyone who accesses our platforms
NOTE: Our analysis of publicly available information for the Industry Security Index is NOT subject to privacy restrictions as it involves only publicly accessible data that any member of the public can obtain.
2. INFORMATION WE COLLECT
2.1 Information You Provide
- Contact Information: Email addresses, names when provided
- Target URLs: Domains submitted for scanning
- Payment Information: Processed by third-party providers (we do not store card numbers)
- Communications: Messages sent to our support channels
2.2 Information Collected Automatically
- Device Information: Browser type, operating system, device identifiers
- Usage Data: Pages viewed, features used, interactions
- IP Addresses: For security, analytics, and fraud prevention
- Cookies & Tracking: Session cookies, analytics cookies
2.3 Publicly Available Information (Scans & Industry Index)
For security scans and our Industry Security Index, we collect and analyze publicly available information only, including:
- SSL/TLS certificate details (public)
- HTTP security headers, including CORS, Permissions-Policy, COOP, and CORP (public)
- DNS records and configurations, including SPF, DMARC, and CNAME records (public)
- WHOIS registration data (public)
- Company names and domains (public)
- Publicly accessible API endpoint availability (e.g., Swagger, OpenAPI, GraphQL)
- Cloud storage references found in publicly served page source code (e.g., S3, Azure Blob, GCS bucket names)
- HTTP/2 protocol support (publicly negotiable)
- Publicly accessible security configurations
IMPORTANT: This publicly available information is NOT "personal data" under privacy laws, as it is lawfully obtainable by anyone without authorization. Our collection and publication of this information serves a legitimate public interest in cybersecurity awareness.
3. LEGAL BASIS FOR PROCESSING
We process information based on the following legal grounds:
| Processing Activity | Legal Basis |
|---|---|
| Providing requested services | Contract performance |
| Processing payments | Contract performance |
| Security & fraud prevention | Legitimate interest |
| Analytics & improvement | Legitimate interest |
| Industry Security Index | Legitimate interest / Public information |
| Legal compliance | Legal obligation |
| Marketing (with consent) | Consent |
4. HOW WE USE INFORMATION
4.1 Service Delivery
- Perform security scans and analysis
- Generate and deliver reports
- Process transactions
- Provide customer support
4.2 Industry Security Index
- Analyze publicly available security configurations
- Calculate and assign security scores
- Publish rankings and leaderboards
- Send informational notifications to companies
4.3 Security & Operations
- Detect and prevent fraud and abuse
- Maintain service security
- Debug and troubleshoot issues
- Enforce our Terms of Service
4.4 Improvement & Analytics
- Analyze usage patterns
- Improve our services and methodology
- Develop new features
5. INFORMATION SHARING & DISCLOSURE
5.1 We Do NOT Sell Personal Data
We do NOT sell, rent, or trade your personal information to third parties for their marketing purposes.
5.2 Service Providers
We share information with trusted service providers who assist in our operations:
- Payment Processors: Gumroad, Stripe (for transaction processing)
- Hosting Providers: Cloud infrastructure services
- Email Services: For transactional and support communications
- Analytics: For service improvement
5.3 Public Information
Industry Security Index rankings and scores are publicly published by design. This publication serves the public interest in cybersecurity transparency and is a core function of our service.
5.4 Legal Requirements
We may disclose information when required by law, including:
- Response to valid legal process (subpoenas, court orders)
- Protection of our legal rights
- Investigation of fraud or security incidents
- Protection of public safety
5.5 Business Transfers
In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of the transaction, subject to standard confidentiality requirements.
6. DATA RETENTION
| Data Type | Retention Period |
|---|---|
| Scan reports | 30 days (downloadable), then archived or deleted |
| Account information | Duration of account + 2 years |
| Payment records | 7 years (legal/tax requirements) |
| Industry Index data | Indefinitely (public interest) |
| Server logs | 90 days |
| Support communications | 3 years |
7. DATA SECURITY
We implement reasonable security measures including:
- Encryption of data in transit (TLS/SSL)
- Secure storage with access controls
- Regular security assessments
- Employee access limitations
- Incident response procedures
DISCLAIMER: While we implement reasonable security measures, no system is 100% secure. We cannot guarantee absolute security of your information. You use our services at your own risk.
8. COOKIES & TRACKING TECHNOLOGIES
8.1 Types of Cookies Used
- Essential Cookies: Required for basic functionality
- Analytics Cookies: Help us understand usage patterns
- Preference Cookies: Remember your settings
8.2 Third-Party Cookies
Some third-party services may set their own cookies. We do not control these cookies. Please review the privacy policies of these services.
8.3 Managing Cookies
You can control cookies through your browser settings. Disabling cookies may affect functionality.
9. YOUR RIGHTS (GDPR / CCPA / Global)
9.1 Rights for All Users
Depending on your jurisdiction, you may have the right to:
- Access: Request a copy of your personal data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your personal data
- Portability: Receive your data in a portable format
- Object: Object to certain processing
- Restriction: Request restricted processing
- Withdraw Consent: Where processing is based on consent
9.2 Exercising Your Rights
To exercise any rights, contact us at privacy@aiqamonkey.com with your request. We will respond within 30 days (or as required by applicable law).
9.3 Limitations on Rights
IMPORTANT: Rights regarding personal data do NOT apply to publicly available information analyzed for the Industry Security Index. You cannot request deletion of publicly available security configurations or our analysis/opinions about them, as this information is not "personal data" and its publication serves a legitimate public interest.
9.4 California Privacy Rights (CCPA)
California residents have additional rights:
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to say no to the sale of personal information (we do not sell)
- Right to equal service and price (non-discrimination)
9.5 European Economic Area (GDPR)
EEA residents may lodge a complaint with their local supervisory authority if they believe their data protection rights have been violated.
10. INTERNATIONAL DATA TRANSFERS
Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. By using our services, you consent to such transfers.
We implement appropriate safeguards for international transfers, including:
- Standard contractual clauses
- Data processing agreements
- Privacy Shield certification (where applicable)
11. CHILDREN'S PRIVACY
Our Service is not directed to children under 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we learn we have collected such information, we will delete it promptly.
12. DO NOT TRACK
Some browsers include a "Do Not Track" (DNT) feature. We currently do not respond to DNT signals as there is no industry-standard interpretation of DNT.
13. THIRD-PARTY LINKS
Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these sites. We encourage you to read their privacy policies.
14. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. Changes are effective upon posting. We will notify users of material changes via email or a prominent notice on our Service. Your continued use after changes constitutes acceptance.
15. DATA PROTECTION OFFICER
For data protection inquiries, you may contact our Data Protection Officer at:
- Email: dpo@aiqamonkey.com
- Subject Line: "DPO Inquiry"
16. CONTACT US
For privacy-related questions or requests:
- Privacy Inquiries: privacy@aiqamonkey.com
- Data Requests: datarequests@aiqamonkey.com
- General Support: support@aiqamonkey.com