Privacy Policy
Your privacy matters to us. This policy explains how we collect, use, and protect your data.
1. Overview
This Privacy Policy explains how Warin Security Inc. (“Warin”, “we”, “us”, or “our”) collects, uses, discloses, and safeguards information in connection with our cybersecurity monitoring and scanning platform (the “Platform”). By creating an account or using the Platform, you acknowledge that you have read and understood this Policy.
We design our services to help you monitor and protect digital assets that you own or are authorized to manage (e.g., domains, subdomains, public IP addresses, and email addresses). We process data only to deliver the services you request, operate our business, comply with law, and enhance security.
2. Information We Collect
- Account & Tenant Information: Email address (required), organization name (for multi-tenant separation), authentication logs (e.g., login timestamps, IP, user agent).
- Asset & Scan Data: Assets you add (domains, subdomains, IP addresses, email addresses) and associated scan configuration and results generated by industry-standard security scanners operated by us. If you enable breach monitoring, email addresses you provide are checked against Have I Been Pwned (HIBP).
- Operational & Usage Data: Service events (job creation/completion/failure), performance telemetry, error logs, basic analytics, and security audit trails necessary to operate and secure the Platform.
- Billing & Payments: Subscription status, plan, and Stripe identifiers (e.g., customer/session IDs). Payment card data is processed by Stripe; we do not store card numbers.
- Communications: Preferences for alerts and reports (recipients, frequency, types), support messages you send (including via email forms), and delivery status.
- Cookies/Similar Technologies: Session cookies to keep you logged in and functional cookies for security and performance. See Section 8.
3. How We Use Your Data
- To provide, operate, and maintain the Platform, including running manual and scheduled scans you configure.
- To send you alerts, reports, and service notifications according to your settings.
- To improve reliability, security, and user experience, including troubleshooting, audits, and performance optimization.
- To manage subscriptions, invoicing, fraud prevention, and account lifecycle.
- To comply with legal obligations and enforce our Terms and Conditions.
Legal bases (GDPR): performance of a contract; legitimate interests (e.g., security, service improvement); consent (where required, such as certain cookies/communications); and legal obligation.
4. Data Sharing and Third-Party Services
We do not sell your personal information. We share data with service providers (processors) solely to operate the Platform or fulfill your requests, under contracts that require confidentiality and appropriate safeguards:
- Stripe – subscription management and payment processing (we receive non-card identifiers/status only).
- MailerSend – sending alerts, reports, and support emails (we provide recipient addresses and message content needed for delivery).
- Have I Been Pwned (HIBP) – email breach lookups for addresses you authorize us to monitor.
- Hosting and edge infrastructure providers – to host and secure our services (currently including providers such as Hetzner and Cloudflare).
- AI content generation provider (currently OpenAI) – optional generation of fix guides that you explicitly trigger for a finding. We minimize the context sent (e.g., issue title, description, asset type, severity) and never send payment data or account credentials. Despite these controls, identifiers such as an asset name may be included in rare edge cases; do not include secrets or sensitive information in free-text inputs. You can choose not to use this feature.
Our list of processors may evolve. When we add, replace, or remove processors, we will update this page to reflect those changes. Where required by law, we will also provide additional notice.
We may disclose information if required by law, to protect rights, safety, and security, to prevent fraud/abuse, or in connection with a business transaction (e.g., merger or acquisition) subject to appropriate safeguards.
5. International Data Transfers
Warin Security Inc. is based in Canada, with production infrastructure hosted in the United States. Our processors may process data in jurisdictions different from yours. Where applicable, we rely on recognized transfer mechanisms (e.g., Standard Contractual Clauses) and require our processors to implement appropriate safeguards.
6. Data Retention
We retain personal and scan data for as long as necessary to provide the Platform, meet legal and accounting requirements, resolve disputes, and enforce agreements. Retention periods vary by data type and business need (e.g., security logs may be retained longer for audit and integrity). You can request deletion of certain data (see Section 7). Backups and archival copies may persist for a limited period consistent with our disaster-recovery practices.
7. Your Rights
Depending on your location, you may have rights under GDPR, PIPEDA, CCPA/CPRA, and other laws, including:
- Access/Portability: obtain a copy of personal data you provided.
- Correction: update inaccurate or incomplete personal data.
- Deletion: request deletion of personal data, subject to legal/operational constraints.
- Restriction/Objection: restrict or object to certain processing based on legitimate interests.
- Consent: withdraw consent where processing relies on consent (e.g., certain cookies/communications).
- California (CCPA/CPRA): right to know, delete, correct, and opt out of “sale”/“sharing.” We do not sell or share personal information as defined by CPRA.
To exercise rights, contact us at support@warin.io. We may need to verify your identity and tenancy before responding.
8. Cookies and Tracking
On our marketing site, we do not use non-essential cookies. In the app, we may set strictly necessary cookies (e.g., session/auth) required for core features; disabling them may break login.
Web Analytics. We use Cloudflare Web Analytics (cookieless; no client-side storage) to measure aggregate performance. We do not currently use advertising cookies. If this changes, we will request your consent where required and update this Policy.
9. Security
We implement administrative, technical, and physical safeguards proportionate to the sensitivity of the data we process, including access controls, encryption in transit, isolated environments, and monitoring. No system is 100% secure; you are responsible for safeguarding your credentials, selecting strong passwords, and limiting access within your organization.
10. Children’s Privacy
The Platform is intended for use by adults and is not directed to children under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data, please contact us to request deletion.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our services, technology, or legal requirements. We will post the updated Policy with a new “Last updated” date. Your continued use of the Platform after an update constitutes acceptance of the revised Policy.
12. Contact
Warin Security Inc.
3909 University Ave, NW Suite 1002
Calgary, AB T3B 6K3
Canada
support@warin.io