Legal

Privacy Policy

This page describes the personal information SafeScan Now collects, why we collect it, how long we keep it, and what rights you have under EU GDPR, UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy laws. It is written in plain English on purpose. If anything is unclear, write to dpo@safescannow.com and we will rewrite it.

Last updated · April 25, 2026·By Maria Volkov (Privacy Analyst)·Reviewed by Liang Chen

Direct answer

SafeScan Now collects three categories of personal data: (1) request metadata that all websites collect (IP address, user agent, timestamp); (2) cookies and similar identifiers used for affiliate-link attribution and basic analytics; and (3) information you actively submit through our forms (name, email, contribution text). We do not sell personal data. We honour GDPR, UK GDPR, and CCPA rights requests within 30 days, free of charge.

1. Who is responsible (data controller)

The data controller for personal information collected through safescannow.com is SafeScan Now Editorial, an independent publishing entity. The trading address, the registered business address, and the postal address for written privacy correspondence are listed on /contact/.

The Data Protection Officer (DPO) for SafeScan Now is Maria Volkov (CIPP/E). The DPO is reachable at dpo@safescannow.com for any privacy-related question and at legal@safescannow.com for source-protected material. Our DPO is the named contact for supervisory-authority correspondence under Article 38 of the GDPR.

2. What personal data we collect

We collect three categories of personal data, each described separately below.

2.1 Data we collect automatically when you visit

IP address (truncated after 30 days for analytics; full IP retained for 14 days for abuse and security investigation only).
User-agent string (browser type, browser version, operating system, device class).
Referrer URL (the page you arrived from, including search terms only when the search engine forwards them).
Pages viewed on safescannow.com, the timestamp of each view, and the approximate time spent on each page.
Country and approximate region inferred from IP — never the full geocoordinates returned by your device's GPS.

2.2 Cookies and similar identifiers

A first-party session cookie used to remember your cookie-consent choice and your preferred display settings.
A first-party affiliate-attribution cookie set when you click an outbound affiliate link, used solely so the merchant can attribute the eventual purchase to SafeScan Now.
Third-party affiliate cookies set by affiliate networks (Impact, CJ Affiliate, ShareASale, Awin) when you click an outbound affiliate link. These are disclosed in detail in section 6.
A first-party analytics cookie (privacy-respecting analytics — no cross-site tracking, no fingerprinting, no advertising IDs).

2.3 Data you actively submit

Name (or alias) and email address when you submit through the /contribute/ form, the /contact/ form, or correspond by email.
The free-text content of your submission, correction, or message.
Any documents or attachments you choose to send (renewal invoices, screenshots, transcripts).
Newsletter email address if you subscribe — Phase 2 only; the newsletter is not yet active.

3. Why we collect it (lawful bases under GDPR)

Under Articles 6 and 9 of the EU GDPR and the equivalent provisions of the UK GDPR, every category of processing must rest on a named lawful basis. Ours are as follows.

3.1 Legitimate interests (Art. 6(1)(f))

Serving the page you requested, defending the site against denial-of-service attacks, and preventing abuse of our forms.
Aggregate, non-identifying analytics used to improve content and site reliability.
Internal record-keeping of editorial corrections, including the editor responsible for the response.

3.2 Consent (Art. 6(1)(a))

Non-essential cookies (analytics, affiliate attribution, and any future advertising integrations).
Newsletter subscriptions (Phase 2).
Permission to cite a reader contribution under your alias on the site.

3.3 Contractual necessity (Art. 6(1)(b))

Processing your message, answering your question, or following up on a correction you submitted is necessary to take steps at your request before entering into a 'contract' (broadly construed) — namely, the editorial review of your contribution.

3.4 Legal obligation (Art. 6(1)(c))

Where we are obliged to retain communications by tax, regulatory, or law-enforcement requirements (for example, retention of advertising disclosures under FTC 16 CFR Part 255 record-keeping practice).

4. How we use your data

We use the categories listed in section 2 for the following purposes only:

4.1 To run and protect the site

Serve the page you requested, manage caching, and deliver the assets a normal browser needs.
Detect and block abusive traffic (bot networks, scrapers, brute-force form abuse).
Investigate suspected breaches or misuse — full IP addresses are retained 14 days for this purpose only.

4.2 To improve the editorial product

Aggregate analytics — which pages are useful, which are confusing, which links lead nowhere — to inform editorial planning.
Reading, replying to, and (where relevant) acting on the contributions you send through /contribute/ and /contact/.
Logging corrections inline on the affected page, including the date and the editor responsible.

4.3 To meet our affiliate-disclosure obligations

Attributing purchases made through outbound affiliate links so we can audit our own disclosures.
Reconciling affiliate-network reports with our own logs (we do not see who you are; we see that 'visit X clicked affiliate link Y at time Z').
Holding affiliate networks accountable when their reporting disagrees with ours.

5. Cookies, pixels, and similar trackers

We use the smallest cookie set we can manage and we name every cookie below. Optional cookies require your active consent through the cookie banner, which appears the first time you visit and is reachable from the footer at any time.

Cookie	Purpose	Duration	Category
av_consent	Stores your cookie-consent choice	12 months	Strictly necessary
av_session	Maintains your form state during a single visit	Session only	Strictly necessary
av_affiliate_click	Marks an outbound affiliate-link click for our internal audit log; does not contain personal data	30 days	Affiliate
_pa	First-party privacy-respecting analytics — page count, broad referrer category, no fingerprinting	13 months (anonymised after 30 days)	Analytics
Affiliate-network cookies	Set by Impact / CJ Affiliate / ShareASale / Awin when you click an outbound affiliate link, so the merchant can credit the sale	30 - 90 days, varies by network	Affiliate (third-party)

We do not use advertising cookies, behavioural-advertising pixels, social-media share trackers, or third-party fingerprinting libraries. There are no Facebook Pixel, Google Ads, or LinkedIn Insight tags on this site.

6. Affiliate cookies, disclosed in detail

When you click an outbound link to an antivirus vendor, you may be redirected through one or more affiliate networks (Impact, CJ Affiliate, ShareASale, Awin) before landing on the vendor's checkout page. Those networks set their own cookies in your browser. Their purpose is to credit the eventual purchase to SafeScan Now so the vendor pays a commission on the sale.

What the affiliate-network cookie sees: the fact that you arrived at the vendor through SafeScan Now, a transaction reference if you complete a purchase, and the timestamp of the click. The cookie does not see your name, email, address, payment details, or any of the form data you fill in on the vendor's site. The vendor sees those — under the vendor's own privacy policy, not ours — but the affiliate cookie itself does not.

You can prevent affiliate cookies from being set by declining 'Affiliate (third-party)' in our cookie banner, by using a tracker-blocker (uBlock Origin, Privacy Badger, Brave Shields), or by opening the link in a private/incognito window. Doing any of these will deprive SafeScan Now of the commission on that purchase but will not change your price; the price you pay is the same either way.

7. Third-party services we share data with

We are deliberately conservative with third-party integrations. Each third party listed below has a specific purpose, a contract under Article 28 GDPR (where applicable), and a privacy policy you can verify.

Hosting & content delivery

Cloudflare Pages (hosting, edge cache, DDoS mitigation). Acts as our processor under Art. 28 GDPR. Cloudflare's privacy policy is at cloudflare.com/privacypolicy/.
Cloudflare may transfer request metadata internationally as part of its global network — see section 8.

Analytics

A privacy-respecting first-party analytics product (no cross-site tracking, no fingerprinting). Aggregated metrics only; no individual reader is profiled.
We do not use Google Analytics, Adobe Analytics, or Heap.

Affiliate networks

Impact, CJ Affiliate, ShareASale, Awin and direct in-house programmes operated by individual antivirus vendors.
Each network is a separate independent controller for the data it collects through its own cookie.

Email service provider

For the Phase 2 newsletter and our editorial inbox routing, we use a privacy-respecting transactional email provider with EU data residency. The provider is named and linked in section 8.

Tool APIs

VirusTotal v3 API for the /tools/free-online-scanner/ utility (Phase 2). VirusTotal is operated by Google LLC; see virustotal.com/gui/privacy.
Have-I-Been-Pwned k-anonymity API for the /tools/password-strength-checker/ utility (Phase 3). HIBP receives a five-character hash prefix only, not the full password.

8. International data transfers

SafeScan Now is operated from the United States with a primarily English-speaking audience including readers in the EU and the UK. Personal data may be transferred to, and processed in, the United States and other jurisdictions outside the EEA / UK.

Where Cloudflare or any other processor moves data outside the EEA, we rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the EU-US Data Privacy Framework. Copies of the SCCs we have signed with each processor are available on request to dpo@safescannow.com.

For UK readers, the equivalent transfers rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs.

9. How long we keep data

Data category	Retention period
Raw IP address (security investigation)	14 days
Truncated IP address (analytics)	13 months
Server access logs (full request)	30 days, then aggregated
Form submissions / contributions	Until reviewed and replied to, then archived 24 months
Email correspondence	24 months from last reply
Newsletter subscriber email (Phase 2)	Until you unsubscribe, then 30 days
Affiliate-attribution cookies (first-party)	30 days
Affiliate-network cookies (third-party)	Set by the network — typically 30 to 90 days
Cookie consent record	12 months
Editorial correction logs	Indefinite (legitimate-interests retention for accountability)

10. Your rights under GDPR / UK GDPR

If you are in the EU, the EEA, or the UK, you have the rights set out in Articles 15-22 of the GDPR / UK GDPR. We will action any rights request within 30 days, free of charge, and confirm the action in writing. If we cannot identify you from the data we hold, we may ask for limited proof of identity.

Right of access (Art. 15) — receive a copy of the personal data we hold on you.
Right to rectification (Art. 16) — have inaccurate data corrected.
Right to erasure / right to be forgotten (Art. 17) — have your data deleted, subject to limited exceptions.
Right to restriction of processing (Art. 18) — pause our processing while a dispute is resolved.
Right to data portability (Art. 20) — receive your data in a machine-readable format.
Right to object (Art. 21) — object to processing based on legitimate interests, including direct marketing.
Right to withdraw consent (Art. 7(3)) — withdraw any consent you previously gave, including cookie consent.
Right to lodge a complaint with a supervisory authority (Art. 77) — write to your national data-protection authority, with no requirement to contact us first.

Send rights requests to dpo@safescannow.com. The DPO acknowledges every request within three working days and resolves the request within thirty calendar days. Postal address available on /contact/.

11. Your rights under CCPA / CPRA (California residents)

If you are a California resident, you have the rights set out in California Civil Code §§ 1798.100-1798.199.100. Those rights are summarised below in the language the statute uses.

Right to know — request the categories and specific pieces of personal information we collected about you in the preceding 12 months.
Right to delete — request deletion of personal information we collected from you, subject to statutory exceptions.
Right to correct — request correction of inaccurate personal information.
Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined by CPRA, so no opt-out is needed.
Right to opt-out of 'sale' or 'sharing' — SafeScan Now does not sell or share personal information for cross-context behavioural advertising. We honour the Global Privacy Control (GPC) signal.
Right to non-discrimination — exercising your rights will not change the price you pay or the level of service you receive.

To exercise CCPA rights, write to dpo@safescannow.com or use the postal address on /contact/. We do not require an account to honour these rights. We action verifiable requests within 45 days as required by Cal. Civ. Code § 1798.130.

12. Do Not Track / Global Privacy Control

SafeScan Now honours the Global Privacy Control (GPC) signal as a valid opt-out under CCPA/CPRA and as a valid withdrawal of consent under GDPR/UK GDPR. If your browser sends GPC, we will not set any non-essential cookies and will treat the visit as if 'reject all' had been chosen in the cookie banner.

We do not currently honour the older Do Not Track (DNT) header because the W3C has formally archived the specification, but if your browser sends both DNT and GPC, the GPC signal still triggers the opt-out behaviour.

13. Children under 16

SafeScan Now is written for adult readers and the products we cover are general-purpose consumer software. We do not knowingly collect personal data from children under 16. If you believe a child has submitted personal data through our forms, write to dpo@safescannow.com and we will delete it on receipt without further verification.

14. Security measures

All traffic to safescannow.com is HTTPS-only with HSTS preload. Our edge provider terminates TLS 1.2+ and we do not accept pre-1.2 ciphers. Our origin servers are not internet-reachable; the only inbound traffic is from the Cloudflare edge.

Form submissions are written to an encrypted store with at-rest encryption. Editor accounts use hardware-key-backed two-factor authentication (FIDO2). Privileged operations require a second editor's review.

In the event of a personal-data breach affecting EU/UK readers, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Art. 33 GDPR) and notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR).

15. Changes to this policy

We will update this policy when we change our processing in a way that affects your rights, when the legal landscape changes, or when a reader points out something that needs clearer language. Material changes are signposted at the top of this page and announced in the next newsletter cycle (Phase 2). The 'Last updated' date below the title always reflects the most recent revision.

A diff log of every revision to this policy — including the editor responsible — is available on request to dpo@safescannow.com. Quiet edits to the privacy policy are not allowed.

16. Contact the Data Protection Officer

The Data Protection Officer at SafeScan Now is Maria Volkov (CIPP/E). The DPO is the named privacy contact under Articles 37-39 of the GDPR. The DPO answers questions about this policy, processes rights requests, and serves as the point of contact for supervisory-authority correspondence.

Email: dpo@safescannow.com — typical response within three working days, full resolution within 30 calendar days. Postal address: see /contact/. EU representative under Article 27: requests can also be sent to the email above and will be forwarded to our representative if one becomes legally required.