Privacy Policy

Last updated: April 3, 2026

Short version: We collect minimal data. Anonymous/free scans do not store your source code. Registered users' source code is stored securely to enable scan history and rescan. If you use Magic Link login, we collect your email address solely to issue and manage your API key. We do not sell or share your data for advertising.

Applicable Privacy Frameworks

This policy is designed to comply with:

  • Korean PIPA (Personal Information Protection Act) — as the operator is registered in the Republic of Korea
  • EU GDPR — for users accessing the Service from within the European Economic Area. Where GDPR applies, you have rights of access, rectification, erasure, restriction, portability, and objection
  • California CCPA — for California residents, we do not sell personal information as defined under CCPA

Data We Collect

  • Session identifiers — anonymous, cookie-based, used to track free scan quota per browser session
  • Scan usage statistics — count and timestamps, aggregated and anonymized
  • IP address — used for rate limiting only; not stored beyond the immediate request window
  • Blockchain address & network — when you initiate a scan via contract address, we collect the address and the specific blockchain network (e.g., Ethereum, Polygon) to fetch the source code from public explorers.
  • Payment information — processed entirely by Paddle.com, our Merchant of Record; we receive only a license key and subscription status, not card details
  • Email address — collected only when you use Magic Link login. Purpose: to issue and manage your API key and authenticate your account. Providing an email is entirely optional; the free scan tier requires no login.
  • Session tokens — short-lived cryptographic tokens issued upon Magic Link authentication, stored in a secure HTTP-only cookie. Used solely for session management.
  • API key usage — scan counts and timestamps linked to your API key, used for quota enforcement and billing.
  • Smart contract source code (registered users) — when you are logged in, your submitted source code is stored in our database to enable scan history and rescan functionality. This data is stored securely and is not used for AI training. You may request deletion at any time (see Your Rights below).

Data We Do NOT Collect

  • Smart contract source code (anonymous scans) — for scans performed without logging in, your source code is processed ephemerally and not stored on our servers. Third-party AI providers process your code ephemerally under their respective API data policies (see Third-Party Services below). Your code is never used for AI training.
  • Personal identification beyond email — we do not require name, phone number, or any other identifying information
  • API keys (BYOK) — single-use only, never stored on our servers

Data Retention (PIPA Article 21)

  • Session data: retained for the duration of the browser session; expires on cookie expiry
  • Aggregated scan statistics: retained indefinitely in anonymized form for service improvement
  • Source code (registered users) — retained for as long as your account is active to enable scan history and rescan. Deleted upon account deletion or upon your request.
  • Payment records: retained as required by Korean tax law (generally 5 years)
  • IP rate-limiting data: not retained beyond the request window
  • Email address & account data — retained for as long as your account is active. If your account is inactive for more than 1 year, we will notify you and delete your account data within 30 days of that notification, in accordance with PIPA Article 21 (destruction of personal information). You may also request deletion at any time (see Your Rights below).
  • Session tokens — expire after 30 days and are permanently invalidated on logout or account deletion.

Third-Party Services & International Data Transfers (PIPA Article 22)

PIPA Notice: Your smart contract source code is transmitted outside the Republic of Korea to AI analysis providers in the United States each time you perform a scan. You will be asked to provide explicit consent before your first scan.
  • Anthropic Claude API — your smart contract source code is sent to Anthropic's servers in the United States for AI-assisted analysis. Governed by Anthropic's Privacy Policy. Not used for model training under enterprise API terms.
  • Google Gemini API — your smart contract source code is sent to Google's servers in the United States for AI-assisted analysis. Governed by Google's Privacy Policy. Not used for model training under API terms.
  • OpenAI GPT API — your smart contract source code is sent to OpenAI's servers in the United States for AI-assisted analysis. Governed by OpenAI's Privacy Policy. Not used for model training under API terms.
  • Blockchain Explorers (Etherscan, Polygonscan, Arbiscan, etc.) — contract addresses and public data are transmitted to these services to retrieve source code for analysis. Governed by their respective privacy policies.
  • Payment provider — payment processing; governed by their privacy policy; data may be stored in the United States
  • Gmail SMTP (Google LLC) — used to deliver Magic Link authentication emails. Your email address is transmitted to Google's mail servers in the United States solely for the purpose of sending the login link. Governed by Google's Privacy Policy. Email is discarded immediately after transmission.

Where data is transferred outside the Republic of Korea or the EEA, we rely on the AI providers' Standard Contractual Clauses (SCC) as the legal transfer mechanism. For EU users, transfers to Google and Anthropic are covered by their respective SCCs with EU supervisory authority approval.

Your Rights

Depending on your jurisdiction, you may have the right to access, correct, or delete any personal data we hold about you. Because we collect minimal identifiable data, most requests can be satisfied by clearing your browser cookies.

Account & Email Deletion (Right to be Forgotten): If you have a Magic Link account, you may request complete deletion of your account, email address, session tokens, and API key usage records at any time. To do so:

  1. Submit a deletion request via our feedback form or by emailing contractscan.raccoonworld@gmail.com.
  2. Include the email address associated with your account.
  3. We will permanently delete all associated personal data within 30 days and confirm by email.

Note: Deletion of your account will immediately invalidate all active API keys associated with it. Anonymized, non-identifiable scan statistics (which cannot be linked back to you) may be retained.

Data Protection Officer (PIPA Article 31)

The Data Protection Officer is responsible for handling all matters related to the protection of personal information, including processing complaints and remedying damages related to personal data processing.

Contact

For privacy-related inquiries or to exercise your data rights, please use one of the following:

We aim to respond within 30 days.