Privacy Policy

Last updated: May 2026

1. Introduction

BrandSecOps (“we”, “our”, or “us”) is committed to protecting your privacy and ensuring that your personal data is handled securely and responsibly. This Privacy Policy outlines how we collect, use, and protect your information when you use our Vulnerability Assessment and Penetration Testing (VAPT) platform.

2. Information We Collect

Domain Input: We collect the domain name you submit for scanning to analyze vulnerabilities.
Email Address (Optional): Providing your email is optional but required to unlock visibility for all severity levels, including Critical and High issues. Without an email, these high-severity issues remain masked.
Technical Data: Includes IP address, browser type, and activity logs for system monitoring and platform improvement.

3. How We Use Your Information

To perform vulnerability scans and generate reports.
To unlock full Light Scan results when you verify your email.
To enhance accuracy, performance, and user experience.
To send updates or notifications related to your scans.

4. Security Scan Data Policy (Light Scan and Deep Scan)

For performing Deep Scans and accessing all results — including those from anonymous (non-signed-in) Light Scans — users are required to create an account and be logged in on brandsecops.com.

5. Data Retention

Scan data is stored securely and retained only as long as needed to deliver the service. Users may request the deletion of their data at any time by contacting us at info@brandcrock.com or info@brandcrock.com.

6. Data Security

We use industry-standard security measures to protect your information from unauthorized access, alteration, or disclosure. However, as with any online service, absolute security cannot be guaranteed.

7. Sharing of Data

BrandSecOps does not sell, rent, or trade user data. We may share limited information with trusted service providers who assist us in delivering platform functionality, under strict confidentiality agreements.

8. Use of Google reCAPTCHA v3 on this website

We use Google reCAPTCHA v3 ("reCAPTCHA"), provided to us by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA (and, for users in the EEA, UK, and Switzerland, by Google Ireland Limited, 4 Gordon House, Barrow Street, Dublin 4, Ireland), to protect brandsecops.com (operated by BrandCrock GmbH, Max-Planck-Straße 5, 85716 Unterschleißheim, Germany) from automated abuse, spam, fraud, credential stuffing, and other malicious activity.

8.1. Who is the controller?

BrandCrock GmbH is the sole controller of personal data processed via reCAPTCHA on this website (GDPR Art. 4(7)). Google LLC acts as our processor under the Google Cloud Data Processing Addendum and the reCAPTCHA Service Specific Terms, in line with Google's reCAPTCHA role change effective April 2, 2026.
You can contact our Data Protection Officer at info@brandcrock.com

8.2. How does reCAPTCHA v3 work?

reCAPTCHA v3 runs invisibly in the background on our login page. It does not display a checkbox or puzzle. Instead, it analyses signals from your browser session and assigns a risk score between 0.0 (likely a bot) and 1.0 (likely a human), which our backend uses to allow, challenge, or block the action.

8.3. What data is processed?

When reCAPTCHA loads on a protected page, the following categories of personal and technical data are sent to Google for risk analysis:

Category	Examples
Network identifiers	IP address, referrer URL, the URL of the page on which reCAPTCHA is embedded
Device & browser information	Browser type and version, language, installed plugins/extensions, screen resolution and window size, operating system and version, time zone
Behavioral signals	Mouse movements, click patterns, scroll behavior, keystroke timing, touch events, length of stay on the page, pauses between actions
Cookies	The strictly-necessary _GRECAPTCHA and AEC cookies set by Google on the google.com or recaptcha.net domain; other Google cookies (e.g. NID) only if you are already signed in to a Google service in the same browser, see also our cookie policy.
Transaction signals	Frequency and pattern of purchase attempts, basic transaction metadata used solely for bot detection

We do not intentionally transmit form contents, account credentials, payment card numbers, or other application-layer data to reCAPTCHA. Google has contractually committed that this information will not be used for personalized advertising.

8.4. Purpose of processing

We process this data exclusively for:

detecting and blocking automated/bot traffic,
preventing spam, scraping, brute-force and credential-stuffing attacks,
preventing fraudulent submissions and (where applicable) fraudulent transactions,
maintaining the security, availability, and integrity of brandsecops.com.

8.5. Legal basis (GDPR Art. 6)

Consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy Directive / §25 TDDDG (Germany) Your consent, which you give via our cookie/consent banner. You can withdraw consent at any time with effect for the future at https://brandsecops.com/manage_cookies. If you withdraw consent, the protected forms on this site may be unavailable to you; in that case please contact us at info@brandcrock.com.

8.6. Recipients & international transfers

The recipient of the data is Google LLC in the United States, with onward processing by Google's affiliates and authorized sub-processors as listed in the Google Cloud sub-processor list. Personal data is transferred from the EEA / UK / Switzerland to the United States. The transfer is governed by:

the EU-U.S. Data Privacy Framework (and its UK Extension and Swiss-U.S. equivalent), under which Google LLC is self-certified, and
the EU Standard Contractual Clauses (Module 2: Controller → Processor) incorporated into the Google Cloud Data Processing Addendum, as a fallback,
supplementary technical and organizational measures implemented by Google.

8.7. Retention

Data	Retention
_GRECAPTCHA cookie	Up to 6 months from the last interaction (browser-side)
Risk-analysis signals	Up to 90 days, after which the data is deleted or anonymized
Risk score logs	90 days for security investigation

9. Microsoft Clarity

9.1. Provider and role of the parties

On brandsecops.com we use Microsoft Clarity, a behavioral analytics service provided by Microsoft Ireland Operations Limited ("Microsoft"), with onward processing by Microsoft Corporation, USA. Microsoft acts as an independent controller for Clarity. We, BrandCrock GmbH, are also an independent controller for the data we transmit to Microsoft and for the analytics output we receive.

9.2. What we use Clarity for

We use Clarity to understand how visitors interact with brandsecops.com to identify usability issues (rage clicks, dead clicks, JavaScript errors), to optimize pages and forms, and to improve overall site performance.

9.3. What data is processed

Category	Specific data
Cookies	_clck, _clsk, CLID, MUID, ANONCHK, MR, SM (see our cookie policy)
Behavioral data	Mouse movements, clicks, taps, scroll depth, dwell time, navigation patterns
Session recordings	Reconstructed playback with masked form inputs (Balanced masking)
Heatmaps	Aggregated click, scroll, and attention maps
Technical info	Browser, OS, resolution, language, truncated IP (approximate geolocation)

9.4. Legal basis

Your consent under Art. 6(1)(a) GDPR. You give consent through our consent banner. Without consent, the Clarity script is not loaded and no cookies are set.

9.5. Withdrawing consent

You can withdraw your consent at any time with effect for the future:

via the link: https://brandsecops.com/manage_cookies,
by deleting cookies in your browser,
by writing to info@brandcrock.com

9.6. Recipients and international transfers

Recipient: Microsoft Corporation in the United States. The transfer is safeguarded by the EU-U.S. Data Privacy Framework and EU Standard Contractual Clauses.

9.7. Retention

Individual session recordings are kept up to 30 days by default. Aggregated analytics are kept up to 13 months. Reports we export are stored for 3 months.

10. Automated decision-making and profiling

10.1. Google reCAPTCHA: reCAPTCHA v3 produces a probabilistic risk score (profiling). This score is one input into our security decision-making and does not, on its own, produce legal effects. You can request human review at info@brandcrock.com.

10.2. Microsoft Clarity: Clarity does not make automated decisions producing legal effects. Data is used for aggregated UX analysis only.

11. Your rights under the GDPR

Please exercise the following rights directly with us at info@brandcrock.com:

Right of access (Art. 15 GDPR) — obtain confirmation and a copy of your data.
Right to rectification (Art. 16 GDPR) — have inaccurate data corrected.
Right to erasure (Art. 17 GDPR) — "right to be forgotten".
Right to restriction of processing (Art. 18 GDPR).
Right to data portability (Art. 20 GDPR).
Right to object (Art. 21 GDPR).
Right to withdraw consent (Art. 7(3) GDPR) — at any time.
Right to lodge a complaint (Art. 77 GDPR) — with a supervisory authority (e.g., BayLDA).

12. Changes to this notice

We will update this section if Google or Microsoft change their data processing, or if our retention or transfer arrangements change. The most recent version will always be available on this page.

By using BrandSecOps, you agree to the terms of this Privacy Policy.