Privacy Policy
Last updated: June 19, 2026
The short version: We collect as little data as possible. We don't sell your data. Files you upload for scanning are deleted immediately after scanning. The desktop app runs entirely on your machine.
1. Desktop Application
The Threat-Op desktop application and screensaver run entirely on your local machine. We do not collect, transmit, or store any data from your local scans. Specifically:
- Scan results stay on your computer — we never see them
- Quarantined files stay in your local quarantine folder
- No telemetry or usage data is sent to our servers
- Your OTX API key is stored locally on your machine only
2. Web-Based File Scanner
When you use the online file scanner at threatop.io/scan:
- Your file is uploaded over an encrypted HTTPS connection
- The file is scanned against ClamAV virus definitions
- The file is deleted immediately after scanning — within seconds
- We do not store, analyze, or share your file contents
- We log the scan result (clean/infected, file size, file type) but not the file itself
- Scan logs are retained for 30 days for abuse prevention, then deleted
3. Information We Collect
We collect minimal information:
- Scan metadata — file size, file type, scan result (not the file itself)
- IP address — retained for 30 days for rate limiting and abuse prevention
- API account information — email address and usage statistics for paid API users
- Server logs — standard web server logs (IP, timestamp, request) retained for 30 days
We do not collect names, payment card details (handled by Stripe), or any personal information beyond what's listed above.
4. Cookies
We use minimal cookies:
- No tracking cookies
- No advertising cookies
- Session cookies only — required for API authentication
5. Third-Party Services
Threat-Op integrates with the following third-party services:
- AlienVault OTX — threat intelligence data. Your IP may be shared with OTX when fetching threat data. See AlienVault's privacy policy.
- Stripe — payment processing for API subscriptions. We never see your card details. See Stripe's privacy policy.
- GitHub — source code hosting. See GitHub's privacy policy.
- Netlify — website hosting. See Netlify's privacy policy.
6. Data Security
We implement reasonable security measures including:
- HTTPS encryption for all data in transit
- Immediate deletion of uploaded files after scanning
- Minimal data collection to reduce attack surface
However, no security system is perfect. We cannot guarantee absolute security of any data transmitted to our service.
7. Children's Privacy
Threat-Op is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, please contact us and we will delete it.
8. Your Rights
You have the right to:
- Request deletion of any data we hold about you
- Request a copy of data we hold about you
- Opt out of any communications from us
To exercise these rights, contact us through GitHub.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will update the "Last updated" date when changes are made. Continued use of the Service after changes constitutes acceptance of the new policy.
10. Contact
For privacy questions or data deletion requests, contact us through the GitHub repository at github.com/pscstahl-dev/threatop.