This Privacy Policy applies to information collected through ALCE's Services, including web applications, APIs, scan products, automated tools, consulting services, contact forms, waitlists, report delivery workflows, account-based products, enterprise subscription platforms, vendor invite workflows, and related platforms operated by ALCE Consulting LLC.
This Privacy Policy applies to ALCE's own collection, use, processing, storage, sharing, and retention of information. It does not apply to third-party websites, platforms, services, applications, payment processors, infrastructure providers, communications providers, or other third-party services that may be linked to, integrated with, relied upon by, or used in connection with the Services. Third-party services are governed by their own terms, privacy policies, security practices, data processing terms, and retention practices.
Where this Privacy Policy conflicts with a Product Addendum that expressly addresses product-specific data collection, processing, retention, deletion, report delivery, scan scope, authorization, third-party provider usage, or other product-specific privacy practices for a specific ALCE product or service, the Product Addendum controls solely with respect to that product or service and only to the extent of the conflict.
ALCE collects information that you provide directly to the Services, including information submitted through websites, forms, checkout pages, scan workflows, report workflows, account registration, support requests, consulting engagements, waitlists, communications, uploads, integrations, APIs, or other product workflows. Information you provide may include account information such as name, email address, company name, role, and contact details; domain names, URLs, websites, or other identifiers submitted for scanning, analysis, reporting, or assessment; scan authorization representations; checkout and purchase information; payment-related information processed by Stripe or another payment processor; communications with ALCE; contact form submissions and inquiries; and product feedback, bug reports, feature requests, or other messages you submit.
You must not submit sensitive credentials, classified information, regulated data, personal information of individuals under eighteen (18), or prohibited data types unless expressly authorized by ALCE under a separate written agreement. You are responsible for ensuring that you have the necessary rights, permissions, authority, notices, consents, contracts, and legal basis to provide information to ALCE and to request the applicable Services.
For Enterprise Clients accessing Optimus, ALCE collects information necessary to provide, operate, secure, and support the enterprise subscription platform. This may include company name, account contact email address, billing information processed by Stripe, subscription plan and status, domain names submitted for monitoring, DNS verification token status and records, authorization acknowledgment records and timestamps, notification preferences, scan history metadata, technology stack fingerprint data, CVE alert records, vendor invite records, and related enterprise account data.
For Vendors who accept an Enterprise Client invite through the Optimus vendor supply chain security pipeline, ALCE collects information at the time of invite acceptance and scan completion. This may include the Vendor's email address; the Designated Domain associated with the invite; authorization acknowledgment status and timestamp; report-sharing acknowledgment status and timestamp; IP address of the device used to accept the invite; user agent; session identifier; invite token identifier; the version of the Terms of Service accepted; the version of the Optimus Addendum accepted; the version of the Ghost Product Addendum accepted; scan results for the Designated Domain; and report delivery status and related operational metadata.
Vendor Consent Records are retained in a dedicated database table separate from scan job records and are retained for a minimum of three (3) years from the date of acceptance as described in Section 9.5, regardless of the status of the associated enterprise account.
ALCE does not access, retrieve, intercept, store, analyze, or collect the content of email messages from the Vendor's domain. ALCE's email security assessment is limited to DNS record analysis, including SPF records, DKIM records, DMARC records and policy, and related publicly observable email infrastructure metadata only.
ALCE may automatically collect technical, operational, usage, security, and diagnostic information when you access or use the Services. Automatically collected information may include IP address and network information; device, browser, and system characteristics; operating system information; browser type and version; referring and exit pages; pages visited; time spent; session information; feature interactions; timestamps; request logs; access logs; error logs; authentication events; report access events; checkout events; payment status metadata; waitlist submission metadata; usage metrics; performance data; tier or product selected; report delivery status; system-generated identifiers; and other information reasonably necessary to operate, secure, troubleshoot, support, and improve the reliability of the Services.
ALCE may use cookies, pixels, local storage, session storage, log files, and similar technologies to operate, secure, measure, and improve the Services. These technologies may help ALCE maintain essential site functionality, support login and session management, protect against fraud and abuse, remember user preferences and settings, understand how users interact with ALCE websites and Services, analyze performance and usage trends, improve functionality, and support security monitoring. Cookies may be session-based or persistent. You may control, block, or delete cookies through your browser settings. Doing so may impact the availability, security, performance, or functionality of certain features of the Services. ALCE does not use cookies or similar technologies to sell personal information, conduct third-party targeted advertising, or profile users for third-party advertising purposes.
Payments are processed by third-party payment processors, including Stripe, Inc. ALCE does not store full payment card numbers, CVV codes, or complete payment credentials. ALCE may receive limited payment-related information from payment processors, including customer name, email address, payment status, transaction identifier, subscription status, invoice status, chargeback status, refund status, fraud-review status, payment method type, partial card information such as card brand and last four digits where made available, and other payment metadata reasonably necessary for billing, support, accounting, tax, fraud prevention, dispute resolution, legal compliance, and claim defense.
Stripe, Inc. is used for payment processing, billing support, subscriptions, invoices, fraud review, disputes, refunds, payment records, and related payment services.
SendGrid (Twilio) is used for email delivery of scan reports, CVE alerts, SSL certificate expiry warnings, vendor notifications, enterprise monitoring summaries, transactional communications, waitlist communications, and other email-based communications.
Supabase is used for primary database storage, PostgreSQL, backend services, application data handling, and related backend infrastructure for ALCE products. Supabase Auth is used for enterprise client authentication and session management for Optimus. Vendor access to Optimus is token-based and does not use Supabase Auth.
Redis is used as a Celery message broker and task queue. Scan task payloads including scan identifier, domain, and scan tier are transmitted to Redis for task queue management. Redis task records are short-lived.
Render.com is used for application hosting, deployment, application runtime, infrastructure operation, and cloud hosting services for ALCE products.
Cloudflare may be used for network security, DNS, content delivery network services, performance optimization, bot mitigation, traffic routing, caching, and related security or performance services.
crt.sh may be used for certificate transparency log queries for subdomain enumeration in Full Audit scans and Optimus enterprise scans. Where this module is used, the scanned domain name may be transmitted as a URL query parameter.
HaveIBeenPwned may be used for breach metadata lookup for Full Audit scans. Where this module is enabled, Ghost downloads publicly available breach metadata and performs domain matching locally on ALCE infrastructure. The scanned domain name is not transmitted to HaveIBeenPwned for local matching.
Internal CVE Database. CVE cross-referencing for Optimus enterprise accounts is performed against an internal CVE database maintained by ALCE as an internal Supabase database table. No domain data, technology stack data, user data, or account data is transmitted to external CVE data providers as part of the CVE matching process.
ReportLab is used for PDF report generation. Full report data is processed in memory on ALCE servers during PDF generation and is not transmitted externally.
A current list of subprocessors may be requested by contacting legal@alceconsulting.tech, subject to security, confidentiality, legal, provider, and operational limitations.
ALCE uses collected information to:
ALCE does not sell your personal information to third parties. ALCE does not use your personal information for third-party advertising, targeted advertising, or third-party marketing purposes. ALCE does not profile you for third-party advertising purposes.
ALCE may send limited communications about ALCE's own products, features, launch status, security updates, service updates, availability notices, waitlist opportunities, and related ALCE services where permitted by applicable law. You may opt out of non-transactional marketing communications at any time by contacting privacy@alceconsulting.tech or using the unsubscribe mechanism included in such communications.
For Optimus enterprise workflows, scan results generated for a Vendor's Designated Domain are accessible to the Enterprise Client that initiated the invite. Vendor scan data is not sold, shared with unrelated third parties, or used for any purpose outside the enterprise engagement that generated it, except as necessary to operate the platform, prevent fraud and abuse, comply with law, respond to legal process, enforce applicable terms, or defend against claims.
Enterprise Clients are granted access to and the right to use Vendor scan results generated through their enterprise account solely for internal vendor risk management, security review, compliance-support, and procurement-support purposes related to the Enterprise Client's assessment of the Vendor relationship that generated the scan. This access right does not authorize unrelated commercial use, resale, public disclosure, competitive misuse, coercive use, extortionate use, or use outside the enterprise engagement that generated the Vendor scan.
ALCE will not use Customer Data or Output in its original or reasonably identifiable form to train artificial intelligence models, improve algorithms, develop unrelated products, or for purposes unrelated to providing, securing, maintaining, supporting, or improving the reliability and operation of the Services, unless otherwise expressly agreed in writing or permitted by the applicable Product Addendum.
Certain ALCE Services, where enabled, may use third-party artificial intelligence systems, language model providers, automated processing systems, or AI-assisted workflows to generate system responses, assist with natural language query functionality, summarize information, support automated analysis, classify information, assist with report generation, improve user experience, or provide product functionality. Not all ALCE Services use third-party AI processing.
ALCE does not use Customer Data in its original or reasonably identifiable form to train third-party artificial intelligence models unless expressly agreed in writing or expressly disclosed in an applicable Product Addendum. ALCE uses commercially reasonable efforts to engage AI providers under terms that restrict use of transmitted data to providing the requested functionality to ALCE and do not permit providers to use transmitted data for independent commercial purposes, training on identified Customer Data, or resale.
Ghost is ALCE's automated website security scanning and reporting product. Ghost scans externally reachable, unauthenticated, publicly accessible information associated with domains submitted by users. Ghost scan activity may include analysis of SSL certificates, TLS configuration, DNS records, HTTP headers, security headers, exposed ports, subdomain records, certificate transparency records, publicly accessible file paths, publicly served JavaScript files, technology fingerprints, externally visible infrastructure metadata, breach metadata, publicly reachable endpoints, and other externally observable information associated with the submitted domain.
Ghost is not designed to authenticate into private systems, bypass access controls, exploit vulnerabilities, scan internal networks, access non-public resources, or retrieve information protected by authentication.
Ghost scan results may be associated with the submitted email address, submitted domain, payment status metadata, authorization records, acceptance records, terms-version records, scan tier, report delivery status, and related operational metadata. Ghost does not store, validate, or attempt to exploit any detected credential or secret. Where a finding indicates a potential credential exposure, Ghost displays only redacted, truncated, hashed, masked, or summarized indicators.
Ghost scan data retention is described in Section 9.2.
For Enterprise Client-owned domains added to the Optimus monitoring program, ALCE collects and processes domain verification records, DNS verification token records, authorization acknowledgment records, monthly scan summary metadata, SSL certificate monitoring data, technology stack fingerprint data, CVE alert records, and related monitoring metadata. Full scan report JSON for monthly monitoring scans is retained for up to seven (7) days following confirmed delivery, after which it is deleted from active production systems. Summary-level scan metadata is retained in the scan_history table for the life of the active enterprise account.
For vendor supply chain security assessments initiated through Optimus, ALCE processes Vendor information as described in Section 2.3, Designated Domain scan data, Vendor Consent Records, scan results, and related invite and assessment metadata. The full report JSON for vendor invite scans is retained for up to seven (7) days following confirmed delivery, after which it is deleted from active production systems. Invite-level summary metadata is retained in the vendor_invites table for the life of the active enterprise account.
Optimus performs daily automated cross-referencing of technology stack indicators detected during scans against an internal CVE database maintained by ALCE. CVE alert records are generated for new matches and retained in the cve_alerts table for the life of the active enterprise account. CVE matching is performed within ALCE's internal infrastructure. No domain data, technology stack data, user data, or account data is transmitted to external CVE data providers as part of this process.
The scan_history table in Optimus stores summary-level scan metadata only. It does not store full scan report JSON. Full scan report JSON is stored exclusively in the scan_jobs table and is subject to the seven-day deletion schedule. Enterprise Clients requiring long-term retention of full report content are responsible for downloading reports within the applicable seven-day window. ALCE is not responsible for full report content that has been deleted from active production systems in accordance with the applicable retention schedule.
Personal information and business information shared during consulting engagements is used to provide the requested consulting, advisory, implementation, remediation, automation, data engineering, development, security review, or other professional services. ALCE does not share personal information collected during consulting engagements with third parties without written consent, except as required by law, legal process, dispute resolution, claim defense, tax or accounting obligations, provider obligations, or as reasonably necessary to provide, secure, support, or administer the consulting services.
Consulting notes and correspondence that contain personal information are generally retained for up to twelve (12) months after engagement completion unless a longer retention period is required or permitted by law, legal process, tax obligations, accounting obligations, security needs, fraud prevention, abuse prevention, dispute resolution, claim defense, or applicable agreement.
Retention periods for Customer Data vary by product, workflow, record type, subscription status, and applicable Product Addendum. Unless a Product Addendum, product workflow, order form, or separate written agreement provides a more specific schedule, the following general principles apply.
For no-charge products and free-tier services, Customer Data submitted for processing is retained only for the period necessary to complete the requested action, generally not to exceed twenty-four (24) hours, unless a longer period is required or reasonably necessary for security, fraud prevention, abuse prevention, payment processing, support, troubleshooting, legal compliance, dispute resolution, enforcement, provider complaint response, or claim defense.
For paid one-time products, Customer Data is retained for the operational period described in the applicable Product Addendum, generally not to exceed seven (7) days following confirmed delivery or scan completion, unless a longer period is required or reasonably necessary for security, fraud prevention, abuse prevention, payment processing, support, troubleshooting, legal compliance, dispute resolution, enforcement, provider complaint response, or claim defense.
For subscription products, Customer Data associated with active subscriptions may be retained for the life of the active subscription plus the post-cancellation period described in the applicable Product Addendum, unless a shorter retention period applies to a specific data type or unless a longer period is required or reasonably necessary for security, fraud prevention, abuse prevention, payment processing, support, troubleshooting, legal compliance, dispute resolution, enforcement, provider complaint response, or claim defense.
Specific retention schedules for Ghost and Optimus are set forth in Sections 9.2, 9.3, 9.4, and 9.5 of this Privacy Policy and in the applicable Product Addenda.
Ghost scan records, including full scan report JSON, are retained in Ghost's active production database for up to seven (7) days following confirmed email delivery or scan completion, after which they are automatically deleted from active production systems, unless a longer retention period is required or reasonably necessary for troubleshooting, security, abuse prevention, fraud prevention, payment disputes, provider disputes, legal compliance, dispute resolution, enforcement, or claim defense.
Abandoned or pending Ghost scans where no payment is confirmed are deleted after twenty-four (24) hours from initiation. Ghost scan records where email delivery has failed are deleted after forty-eight (48) hours from initiation, unless retention is required for troubleshooting, alternative delivery, security, abuse prevention, fraud prevention, payment disputes, provider complaints, legal compliance, or claim defense.
Customers are responsible for downloading, saving, and securely storing Ghost Reports promptly after delivery.
For active Optimus subscriptions, full scan report JSON for vendor scans and monthly monitoring scans is retained for up to seven (7) days following confirmed delivery or scan completion, then deleted from active production systems. scan_history metadata, domain_tech_stacks records, cve_alerts records, vendor_invites records, domain_verifications records, and enterprise_accounts records are retained for the life of the active enterprise account.
Following cancellation of an Optimus subscription, all enterprise account data is retained in active production systems for up to thirty (30) days beginning on the effective date of cancellation. The deletion date is set at the time of cancellation and is enforced by an automated daily process. Upon reaching the deletion date, enterprise data is hard-deleted from active production systems in the following cascading order: CVE alerts, technology stack data, scan history metadata, vendor invite records, domain verification records, and enterprise account records.
Enterprise Clients are responsible for exporting or downloading any scan history, reports, or records they require before the deletion date. ALCE is not responsible for data loss after the hard-deletion date. Post-cancellation deletion does not affect Vendor Consent Records, payment records, Stripe billing records, abuse-prevention records, legal records, tax records, accounting records, provider complaint records, security logs, or other operational records retained for legitimate business, legal, security, compliance, fraud-prevention, abuse-prevention, dispute-resolution, or claim-defense purposes.
Vendor Consent Records are stored in a dedicated database table that is structurally and operationally separate from the scan_jobs table. The database foreign key from Vendor Consent Records to vendor invite records is configured to set the invite reference to null on invite deletion rather than cascade-delete the consent record. As a result, Vendor Consent Records are not subject to the seven-day scan job deletion schedule or the thirty-day post-cancellation enterprise account deletion schedule.
Vendor Consent Records are retained for a minimum of three (3) years from the date of Vendor acceptance, unless a longer period is required or reasonably necessary for legal compliance, fraud prevention, abuse prevention, provider complaint response, dispute resolution, enforcement, or claim defense.
Payment, billing, tax, accounting, invoice, and transaction records are retained for up to seven (7) years or longer where required or permitted by law, tax obligations, accounting obligations, audit needs, dispute resolution, chargeback handling, fraud prevention, compliance, or claim defense. Server and system logs are generally retained for up to thirty (30) days. Contact form submissions are generally retained for up to twelve (12) months unless a longer period is required or permitted for support, sales, legal, security, abuse prevention, fraud prevention, dispute resolution, or claim defense. Email addresses submitted to a waitlist are retained for up to three hundred sixty-five (365) days, until removal is requested, or until ALCE no longer requires the information for the waitlist purpose, whichever occurs first.
Deletion from active production systems does not require immediate deletion from encrypted backups, disaster-recovery systems, security logs, provider logs, payment records, tax records, accounting records, legal records, support records, abuse-prevention records, authorization records, acceptance records, terms-version records, provider complaint records, email delivery records, or other operational records. Such records may be retained according to applicable retention cycles and legitimate business, legal, security, operational, compliance, fraud-prevention, abuse-prevention, payment-processing, or claim-defense needs. ALCE does not use backup or residual log data to recreate Customer Data or reports for ordinary business purposes.
ALCE may generate and retain Aggregated Data and Derived Data from use of the Services, maintained in a manner that does not reasonably permit identification of any individual user, account, Customer, submitted domain, underlying dataset, Customer confidential information, or Customer Data in its original or reasonably identifiable form. ALCE may use Aggregated Data and Derived Data to improve Services, improve scan methodology, improve report quality, improve system reliability, develop new features, generate industry-level insights, create general security trend reports, detect abuse, monitor performance, and support business analytics. ALCE will not use Aggregated Data or Derived Data in a manner that identifies Customer, identifies an individual, identifies a submitted domain, or discloses Customer's confidential information unless Customer consents or disclosure is required by applicable law.
ALCE implements commercially reasonable administrative, technical, and organizational safeguards designed to protect information against unauthorized access, disclosure, alteration, loss, misuse, and destruction. ALCE's current security practices may include: encryption in transit using TLS; encryption at rest using the encryption controls provided by Supabase and ALCE's infrastructure providers; access controls restricting administrative access to authorized ALCE personnel on a need-to-know basis; logical data isolation so one Enterprise Client's data is not accessible to another through normal platform operation; enterprise client authentication via Supabase Auth with inactivity auto-logout; token-based vendor access scoped exclusively to the applicable vendor invite workflow; HMAC-SHA256 signed report access tokens; rate limiting and abuse-prevention controls; private IP blocking at both submission time and scan initiation; and log sanitization controls designed to reduce credential leakage risk in operational logs.
No method of transmission, storage, processing, hosting, scanning, reporting, email delivery, payment processing, cloud infrastructure, or security control is completely secure or guaranteed to prevent all unauthorized access, disclosure, alteration, loss, misuse, or destruction. ALCE cannot guarantee absolute security but takes commercially reasonable measures designed to protect information consistent with the nature of the Services, the sensitivity of the information, and ALCE's operational environment.
In the event of a security incident that ALCE reasonably determines has resulted in unauthorized access to, acquisition of, or disclosure of Customer Data or personal information that triggers applicable notification obligations under law, ALCE will provide notice in accordance with applicable legal requirements. ALCE will use commercially reasonable efforts to notify affected Enterprise Clients as promptly as practicable following ALCE becoming aware that a reportable incident has occurred, and where required by applicable law will target notification within seventy-two (72) hours to the extent practicable.
Notification will be provided to the Enterprise Client's account email address on file. For Ghost one-time scan customers, notification will be provided to the email address associated with the applicable scan record, to the extent such records are available within the applicable retention period. Where a Vendor's data is affected by a security incident, ALCE will notify the Enterprise Client, who is responsible for coordinating notification to affected Vendors where required by applicable law or contract.
To report a suspected security incident or vulnerability, contact abuse@alceconsulting.tech.
ALCE does not sell Customer Data or personal information as defined under applicable law. ALCE does not disclose Customer Data or personal information for independent third-party marketing or resale purposes.
ALCE may disclose information to service providers supporting infrastructure, hosting, storage, databases, payments, email delivery, report delivery, communications, analytics, monitoring, security, logging, error tracking, support, legal compliance, tax, accounting, fraud prevention, abuse prevention, and other operational needs expressly described in this Privacy Policy or the applicable Product Addendum.
ALCE may disclose information as required by applicable law, regulation, legal process, subpoena, court order, governmental request, regulatory request, law enforcement request, payment processor request, provider request, security investigation, or other lawful process. Where ALCE is legally permitted to do so and where providing notice would not compromise an ongoing investigation, ALCE will use commercially reasonable efforts to notify affected users before disclosing personal information to law enforcement.
ALCE may disclose information where reasonably necessary to protect the rights, safety, security, property, systems, infrastructure, customers, users, service providers, or interests of ALCE, its users, customers, providers, or others; or in connection with a merger, acquisition, financing, corporate reorganization, sale of equity, sale of assets, change of control, bankruptcy, or similar transaction, subject to this Privacy Policy or another privacy policy providing materially comparable protections where required by applicable law.
Depending on your location and applicable law, you may have some or all of the following rights with respect to your personal information: access, correction, deletion, data portability, opt-out of sale or sharing, restriction or objection, and withdrawal of consent where ALCE relies on consent for a specific processing activity. ALCE does not sell personal information. ALCE does not use personal information for third-party advertising.
To exercise privacy rights, contact privacy@alceconsulting.tech or legal@alceconsulting.tech. ALCE may need to verify your identity, authority, account ownership, email address, transaction history, scan request, or relationship to the applicable data before processing your request. ALCE may deny or limit a request where permitted by applicable law, including where the request cannot be verified, conflicts with legal obligations, affects the rights or privacy of others, would compromise security, would interfere with fraud or abuse prevention, or would interfere with legal claims.
To opt out of marketing communications, contact privacy@alceconsulting.tech or use the unsubscribe mechanism in such communications. To request removal from a waitlist, contact privacy@alceconsulting.tech. ALCE will respond to verifiable privacy requests within the timeframes required by applicable law.
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information ALCE collects, uses, discloses, and sells or shares; the right to delete personal information ALCE holds about you subject to certain exceptions; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information (ALCE does not sell or share personal information as defined under California law); the right to limit use of sensitive personal information (ALCE does not use sensitive personal information for purposes beyond those permitted under California law without consent); and the right to non-discrimination for exercising your rights.
To submit a California privacy request, contact privacy@alceconsulting.tech. California residents may submit requests on behalf of themselves or, where applicable, on behalf of minor children. ALCE will respond to verifiable California privacy requests within forty-five (45) days, with an additional forty-five (45) day extension where reasonably necessary.
ALCE is based in the United States. If you are accessing the Services from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where ALCE's service providers operate. By using the Services, you acknowledge and consent to the transfer of your information to countries that may have different data protection laws than your country of residence.
ALCE uses commercially reasonable measures to protect personal information transferred internationally. If you have questions about international data transfers or the safeguards used, contact privacy@alceconsulting.tech.
The Services are not directed to children under the age of thirteen (13), and ALCE does not knowingly collect personal information from children under thirteen (13). If ALCE becomes aware that it has collected personal information from a child under thirteen (13) without verifiable parental consent, ALCE will take steps to delete such information as soon as practicable. If you believe that ALCE may have collected personal information from a child under thirteen (13), please contact privacy@alceconsulting.tech. The Services require users to be at least eighteen (18) years of age to purchase or initiate a scan, as described in the applicable Product Addenda.
ALCE may update this Privacy Policy from time to time to reflect changes in ALCE's practices, services, legal requirements, or other operational or business reasons. ALCE will post the updated Privacy Policy on ALCE's website and update the "Effective Date" at the top of this Privacy Policy. Where required by applicable law, ALCE will provide additional notice of material changes to this Privacy Policy, such as by sending an email to the email address associated with your account or by displaying a notice within the applicable Service.
Your continued use of the Services after the updated Privacy Policy becomes effective constitutes your acknowledgment of the updated practices. If you do not agree to the updated Privacy Policy, you should stop using the Services before the updated Privacy Policy becomes effective.
For privacy-related inquiries, data requests, or to exercise your privacy rights: