Privacy Policy
Last updated: July 16, 2026
This Privacy Policy explains what information Mitsumono ("we," "us," or "our") collects when you use the Mitsumono security-scanning service (the "Service"), how we use it, and who we share it with. It's part of, and should be read alongside, our Terms of Service.
Mitsumono is operated by Lorenzo Fenderico, an individual based in Naples, Italy, who is the data controller for the personal information described below. If you have questions, you can reach us at wraithnet0x@gmail.com.
1. Information We Collect
Account information
When you sign up, we collect your email address and, if you sign in with Google, your name and profile photo as provided by Google. Authentication and password storage are handled by our identity provider; we never see or store your password in plain text.
Project and scan-target information
We store the URLs you submit for scanning, and whether and when you attested that you own or are authorized to test each target. This attestation is timestamped and tied to your account, since it's the basis on which we run active probing against that target (see our Terms, Section 4).
Scan evidence
Each scan produces structured technical evidence about the target, which we store and show back to you. Depending on the target and your authorization status, this can include: HTTP response headers, cookie names and security flags (never cookie values), detected backend platform (e.g. Supabase or Firebase), discovered API paths, database table and column names, row-count estimates, and whether an anonymous request against a table returned data. Where an exposed API key is found in client-facing code, we store only its role (e.g. "anon" or "service_role") and a truncated prefix — never the full key.
We do not store the actual contents of any rows returned during a scan. When a check confirms a table is readable without authorization, we record that fact, the table name, and its column names — not the data in those rows.
Agent-chat messages
If you use the chat feature to ask the agent crew about a scan, we store the messages you send and the AI replies, tied to the relevant project, so the conversation has history and context on later visits.
Billing information
Subscription payments are handled entirely by Stripe. We store your Stripe customer and subscription IDs, your plan, subscription status, and billing-period dates — never your full card number, which Stripe never shares with us.
Usage and log data
We track scan counts, agent-chat message counts, and timestamps to enforce plan limits, and we keep standard server logs (IP address, browser/user-agent string, request timestamps) for security, abuse prevention, and debugging.
Cookies and local storage
We use cookies and browser local storage for authentication sessions and to remember your light/dark theme preference. We do not use third-party advertising or cross-site tracking cookies.
2. How We Use Information
- To operate the scanning pipeline and generate findings, scores, and fix prompts.
- To power agent chat about your scan results.
- To enforce the limits of your plan (projects, scans, and messages) and to process subscription payments.
- To authenticate you and secure your account.
- To detect abuse, enforce our Terms of Service (particularly the authorization requirement for active probing), and prevent the Service from being used as a proxy against systems it shouldn't reach.
- To communicate with you about your account, billing, or material changes to the Service.
- To maintain and improve the Service.
3. How Scan Data Reaches Our AI Providers
Generating a score, findings, and fix prompts — and powering agent chat — requires sending the evidence described above (and, for chat, your message and recent conversation history) to a third-party AI model provider. We currently use GitHub Models, an OpenAI-compatible inference gateway; the underlying models are OpenAI models. This vendor may change over time as the underlying infrastructure evolves, but our commitment stays the same: only scan evidence and chat context needed to answer the request is sent, account credentials and payment information are never included, and we do not knowingly send raw secret keys or actual row-level data to these providers, consistent with what we store as described in Section 1.
4. Who We Share Information With
We share information with the following categories of service providers, solely to operate the Service:
- Database, authentication, and hosting infrastructure — stores your account, project, scan, and chat data, and enforces per-user access control at the database level.
- Stripe — processes subscription payments and stores your payment method on our behalf.
- AI model providers (currently GitHub Models / OpenAI) — process scan evidence and chat messages to generate findings, scores, fix prompts, and chat replies, as described in Section 3.
We do not sell your personal information, and we do not share it with data brokers or advertisers. We may disclose information if required by law, or in connection with a merger, acquisition, or sale of assets, in which case we'll require the recipient to honor this Policy for previously collected data.
5. Scanning Targets You Don't Fully Control
If you submit a URL for scanning, technical information about that target's backend — as described in Section 1 (Scan evidence) — becomes part of your account's data, whether or not the target belongs to you personally (e.g. an employer's or client's site you're authorized to test). We do not attempt to identify or separately notify the operator of a scanned target; under our Terms, that's on the person who submitted the scan to have the right to do so in the first place. If you are the operator of a site that someone else has scanned and you have concerns, contact us at the address in Section 1.
6. Data Retention
We retain account, project, scan, evidence, and chat data for as long as your account is active, so your scan history and conversations remain available to you. If you delete a project, its scans, evidence, and chat history are deleted with it. If you delete your account, we delete your personal data within a reasonable period, except where we're required to retain billing records for tax, accounting, or legal purposes.
7. Your Rights
Because we're based in Italy, the EU General Data Protection Regulation (GDPR) applies to our processing of your personal information regardless of where you live. You have the right to access, correct, export, or delete the personal information we hold about you, to object to or restrict certain processing, and to withdraw consent where processing is based on it. You can access and delete most of your data directly from your dashboard; for anything else, contact us at wraithnet0x@gmail.com and we'll respond within a reasonable time. You also have the right to lodge a complaint with a data-protection authority — in Italy, the Garante per la protezione dei dati personali (garanteprivacy.it), or the supervisory authority in your own EU country of residence. If you're a California resident, you have rights under the CCPA to know, delete, and opt out of the sale of personal information — we do not sell personal information.
8. Data Security
Access to your project and scan data is restricted at the database level so that only your authenticated session can read it, and traffic to and from the Service is encrypted in transit. No method of storage or transmission is 100% secure, and we can't guarantee absolute security — if you ever have reason to believe your account has been compromised, contact us immediately.
9. International Data Transfers
Our infrastructure and service providers may process data in countries other than your own. Where we transfer personal information across borders, we rely on the safeguards our providers make available (such as standard contractual clauses) to keep it protected.
10. Children's Privacy
The Service is not directed at children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact us and we'll delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We'll post the updated version here with a new "Last updated" date, and if a change is material, we'll notify you by email or an in-app notice before it takes effect.
12. Contact Us
For any question about this Policy or your personal information, email wraithnet0x@gmail.com.