Security & data protection
Short version: TLS everywhere, data in France, no cookies, nothing kept longer than needed. The details:
Encryption in transit
All traffic is served over TLS (HTTPS only), with HSTS enforced — browsers refuse to ever downgrade the connection. Certificates are issued and rotated automatically.
Data hosted in France
Screenshots, heatmaps, reports and account data are stored on infrastructure located in France and never leave the EU. We are a French company, subject to GDPR by default — not as an afterthought.
Cookieless analytics by design
Pulse, our behavioral snippet, uses no cookies and no fingerprinting. Mouse positions are aggregated into coarse grids in the browser before they are sent; we never store individual trajectories, IP-based profiles or anything that identifies a visitor.
What we keep, and for how long
Anonymous score scans are purged after 30 days. Email verification codes expire after 10 minutes and are purged within the hour. Your projects and reports stay until you delete them — deleting a project deletes its captures.
Payments
Payments are processed by Stripe. Your card number never touches our servers — we only store the subscription state.
Hardened by default
Strict security headers (CSP, HSTS, nosniff), rate limiting on every endpoint, bounded and validated uploads, and SSRF protection on our capture service. The Pulse SDK source is small enough to read in five minutes — audit it yourself.
Independently verified
Don't take our word for it — these checks are public and re-runnable by anyone:
Responsible disclosure
Found a vulnerability? Tell us first — we answer fast, fix fast, and credit you if you want. Contact and policy: /.well-known/security.txt
