Trust

Security & data protection

Short version: TLS everywhere, data in France, no cookies, nothing kept longer than needed. The details:

01

Encryption in transit

All traffic is served over TLS (HTTPS only), with HSTS enforced — browsers refuse to ever downgrade the connection. Certificates are issued and rotated automatically.

02

Data hosted in France

Screenshots, heatmaps, reports and account data are stored on infrastructure located in France and never leave the EU. We are a French company, subject to GDPR by default — not as an afterthought.

03

Cookieless analytics by design

Pulse, our behavioral snippet, uses no cookies and no fingerprinting. Mouse positions are aggregated into coarse grids in the browser before they are sent; we never store individual trajectories, IP-based profiles or anything that identifies a visitor.

04

What we keep, and for how long

Anonymous score scans are purged after 30 days. Email verification codes expire after 10 minutes and are purged within the hour. Your projects and reports stay until you delete them — deleting a project deletes its captures.

05

Payments

Payments are processed by Stripe. Your card number never touches our servers — we only store the subscription state.

06

Hardened by default

Strict security headers (CSP, HSTS, nosniff), rate limiting on every endpoint, bounded and validated uploads, and SSRF protection on our capture service. The Pulse SDK source is small enough to read in five minutes — audit it yourself.

Independently verified

Don't take our word for it — these checks are public and re-runnable by anyone:

This website runs on green hosting — verified by thegreenwebfoundation.orgASSL Labs
TLS 1.3 · PQC
🇫🇷 Data hosted in France

Responsible disclosure

Found a vulnerability? Tell us first — we answer fast, fix fast, and credit you if you want. Contact and policy: /.well-known/security.txt