Data Handling Policy

Platform: CloviScan  |  Effective Date: June 10, 2026  |  Governing Law: State of Delaware, USA

This Data Handling Policy describes the technical and operational practices CloviTek AI uses to collect, process, store, protect, and delete data within the CloviScan platform. It supplements our Privacy Policy and Terms of Service, and is intended to provide transparency for users, enterprise customers, and compliance reviewers.

Authorized Use Only: CloviScan may only be used to scan systems you own or for which you hold explicit written authorization from the system owner. This policy applies exclusively to data generated through authorized use of the Service. Data generated through unauthorized scanning activity is subject to immediate deletion and may be disclosed to affected parties or law enforcement authorities.
Security Estimates Disclaimer: All scan results, security scores, vulnerability findings, and remediation recommendations produced by CloviScan are based on automated analysis of publicly observable signals and known vulnerability databases. They are computational estimates only, not guarantees of security status. A passing scan result does not certify that a system is free from vulnerabilities. CloviScan is not a substitute for professional penetration testing or a formal security audit.

1. Data Categories and Sources

Data CategorySourcePurposeRetention
Account identity data (name, email, organization) User-provided at registration Authentication, communication, support Duration of account + 90 days post-closure
Payment and billing data User-provided; processed by payment processor Subscription management 7 years (legal/financial compliance)
Scan targets (domains, URLs, identifiers) User-submitted via Service UI or API Security scanning, monitoring, reporting 24 months from last scan, then de-identified
Authorization attestations User-provided or recorded at scan initiation Compliance, abuse investigation, legal 5 years from submission
Scan result data (SSL, headers, DNS, vulnerability matches, scores) Automated scan of submitted targets Security analysis, historical trending, reporting 24 months from scan date, then deleted or de-identified
Third-party vulnerability and threat intelligence data Licensed vulnerability databases and threat feeds Vulnerability matching, risk scoring Per provider license terms; refreshed periodically
Usage and telemetry data Automatically collected from Service interaction Product improvement, performance monitoring 13 months, then aggregated/de-identified
Support and communication records User-initiated support channels Issue resolution, quality assurance 3 years from ticket closure

2. Data Processing Principles

CloviTek AI processes data in accordance with the following principles:

3. Scan Data Handling

3.1 Target Submission and Authorization

When a user submits a target for scanning, CloviScan records the target identifier, the initiating account, and the timestamp of submission. By submitting a target, the user implicitly attests to ownership or written authorization, consistent with the Terms of Service. CloviScan may optionally capture explicit authorization attestation where required by the user's plan tier or organizational policy settings.

3.2 Scan Execution

Scans are executed by automated systems that query publicly observable characteristics of the submitted target, including:

CloviScan does not perform active exploitation, credential testing, or intrusive probing of submitted targets. All scan methods rely on passive observation of publicly reachable signals or authorized protocol handshakes.

3.3 Scan Result Storage and Isolation

Scan results are stored per-account and per-target. Results from one account are not accessible to or shared with other accounts. Scan history enables trend analysis and alert comparisons within the user's own account. After 24 months, scan result data is either permanently deleted or de-identified such that it cannot be linked to the originating account or target.

3.4 No Cross-Customer Data Sharing

Scan configurations, targets, and results are treated as confidential account data. CloviTek AI does not share individual scan data with other CloviScan users or customers. Aggregate and anonymized signal data (e.g., prevalence of specific vulnerability types across the user base) may be used internally for product improvement purposes and never identifies individual accounts or targets.

4. Automated Processing and Algorithmic Analysis

CloviScan uses automated algorithms and, in some features, AI-assisted analysis to generate security scores, vulnerability matches, and remediation recommendations. Key disclosures:

Users should engage qualified security professionals before making security decisions based solely on CloviScan output.

5. Data Security Measures

CloviTek AI implements the following security controls for CloviScan data:

6. Sub-Processors and Third-Party Vendors

CloviTek AI engages the following categories of sub-processors in the delivery of CloviScan. All sub-processors are bound by data processing agreements that require data protection standards consistent with applicable law:

A current list of sub-processors is available upon request at [email protected].

7. Abuse Detection and Unauthorized Use Handling

CloviTek AI operates controls to detect scanning patterns that may indicate unauthorized use, including anomalous target submission volumes, patterns inconsistent with legitimate security auditing, or targets flagged by third parties as not owned or authorized by the submitting account. Where unauthorized use is suspected:

8. Data Deletion and Erasure Requests

Users may request deletion of their personal data and account at any time. Upon a verified deletion request:

To submit a deletion request, contact [email protected] from the email address associated with your account.

9. Data Portability

Upon request, CloviTek AI will provide a structured, machine-readable export of personal data associated with your account (e.g., account information and scan history in JSON or CSV format). Requests will be fulfilled within 30 days.

10. International Transfers

CloviTek AI's primary infrastructure is located in the United States. For users in the European Economic Area, United Kingdom, or other regions with cross-border transfer restrictions, CloviTek AI relies on appropriate legal mechanisms (such as Standard Contractual Clauses) to authorize data transfers. Contact [email protected] for transfer mechanism documentation.

11. Breach Notification

In the event of a data breach that is likely to result in a risk to the rights and freedoms of affected users, CloviTek AI will:

12. Compliance and Audit

Enterprise or business customers requiring data processing agreements (DPAs), security questionnaires, sub-processor lists, or audit documentation should contact [email protected]. CloviTek AI will work in good faith to accommodate reasonable compliance review requests.

13. Changes to This Policy

This Data Handling Policy may be updated from time to time to reflect changes in our practices, technology, legal requirements, or operational needs. Material changes will be communicated to registered users via email or in-Service notice at least 14 days before they take effect.

14. Contact

For questions, requests, or concerns relating to this Data Handling Policy:

CloviTek AI Legal & Privacy
[email protected]