Privacy policy for Decloak Session Capture
Decloak Session Capture by Stephen Gray
Privacy policy for Decloak Session Capture
Decloak (decloak.dev) is operated by Sparrow Technology Ltd, a company registered in England and Wales under company number 15676284 (“Sparrow Technology”, “we”, “us”, “our”). This policy explains what data we collect when you use Decloak, why, and how you can control it.
- What we collect
Account data - email address, and authentication data if you register a passkey. We use Supabase for authentication; sign-in is passwordless (magic link or passkey).
Scan data - the URL you submit, and the findings, evidence snippets, and metadata (response headers, script URLs, detected library versions, third-party domains contacted, etc.) produced by scanning it. Free-tier scans can be created without an account; if you're signed in, scans are associated with your account.
Billing data - if you subscribe to a paid plan, payment is processed by Stripe. We store your Stripe customer and subscription IDs and plan status - we do not receive or store your full card details.
Usage data - basic request metadata (e.g. IP address) used for free-tier rate limiting and abuse prevention. - How we use it
To run scans and generate your report.
To let you save, view, and compare your scan history if you have an account.
To send scan-complete email notifications, if enabled (you can opt out in Account Settings).
To process billing and manage your subscription.
To enforce rate limits and prevent abuse of the service. - AI processing
Findings from your scan are sent to a third-party AI provider to generate the plain-English executive summary and, on paid scans, to guide the investigation agent and produce remediation text. Only scan findings and evidence are sent for this purpose - not your account credentials or billing information. - Third-party processors
We rely on the following third parties to run the service. Each processes only the data necessary for its function:
Supabase - authentication and database hosting
Stripe - subscription billing and payment processing
Browserless - headless browser rendering used to analyse the pages you scan
An AI model provider - generates report summaries and remediation guidance
An email delivery provider - sends scan-complete and account notification emails
NVD (National Vulnerability Database) - queried for CVE data matched against detected software versions; no personal data is sent
5. Cookies and local storage
Decloak does not use advertising cookies. Your session token is stored in your browser's local storage to keep you signed in - it is not shared with third parties and is cleared when you sign out.
We use Google Analytics to understand aggregate site usage (pages viewed, referral source, approximate location and device type). It does not load, and no Google Analytics cookies (e.g. ga, _ga*) are set, until you accept the cookie banner shown on your first visit. This data is processed by Google under its own privacy terms; we do not use it to identify individual visitors or combine it with scan results. You can withdraw consent at any time by clearing your browser's local storage for this site, which shows the banner again.
- Browser extension (Session Capture)
Enterprise customers can optionally install the Decloak Session Capture browser extension (Chrome and Firefox) to run an authenticated scan - one that crawls a site as a logged-in user, including sites using passkey/WebAuthn sign-in. The extension only acts when you click its “Capture” button, and only against the one site open in your current tab - it does not run in the background and does not have standing access to your browsing.
When you click Capture, the extension reads that tab's cookies and local/session storage and holds them in memory in the extension popup only - nothing is written to disk or synced. That data is sent to Decloak only if you separately paste a single-use capture code (shown in your Enterprise scan setup) and click “Send to Decloak,” over HTTPS directly to our API. Closing the popup without sending discards the capture entirely.
A capture code and the session it carries expire after 15 minutes and can be used once. Once a scan consumes it, we delete the captured cookies/storage from our systems immediately - it is not retained as a stored credential, and it is never shared with third parties. It exists solely to let that one scan crawl your target as an authenticated user.
The exception is a capture you explicitly link to a scheduled recurring scan: since there is no one there to click “Capture” again before each automated run, that capture is retained (encrypted at rest) and re-validated for liveness before every run, rather than deleted after one use. You can revoke it at any time from the schedule's settings, which deletes the stored session immediately.
- Data retention
Scans and their findings are retained so you can view report history and run comparisons over time. If you delete a scan or your account, the associated data is removed from active storage. Billing records are retained as required for tax and accounting purposes even after cancellation. - Your rights
If you're in the UK or EEA, you have rights under UK GDPR / GDPR including access to, correction of, and deletion of your personal data, and the right to object to or restrict certain processing. To exercise any of these, email support@sparrowtechnology.ai. - International transfers
Some of the third-party processors listed above may process data outside the UK/EEA. Where they do, we rely on their own compliance mechanisms (such as Standard Contractual Clauses) for that transfer. - Changes to this policy
We may update this policy from time to time. Material changes will be reflected by updating the effective date at the top of this page. - Contact
Questions about this policy or your data can be sent to support@sparrowtechnology.ai.