Skip to main content
ONEROXE
Sign In
We attack so others can't

Privacy Policy

Last updated: May 2026

ONEROXE PRIVATE LIMITED ("ONEROXE", "we", "us") operates the security testing tools at tools.oneroxe.com(the "Tools"). This policy explains what we collect when you use the Tools, how we use it, and the choices you have. It applies to the Tools only — engagements with our consulting practice at oneroxe.com are covered by that site's separate privacy policy.

1. Information we collect

Account information. The Tools use passwordless sign-in — an email magic link, or Google sign-in (OAuth). We store your email address and, if you use Google, the basic profile Google returns (name, email, profile image). We never receive or store your password.

Scan inputs & results. The target domains and URLs you submit, your scan configuration (scope and options), and the resulting findings, scores, and reports. For Active and Deep scans we also record your domain-ownership verification and explicit consent.

Material you upload.Any API specifications (OpenAPI / Swagger) or HAR files you choose to provide to widen a scan's coverage. These are parsed to discover endpoints. Do not upload secrets or credentials you are not authorised to share — strip sensitive tokens from HAR files before uploading.

Technical data. Your IP address and browser user-agent, used for security, abuse prevention, and rate-limiting.

2. How we use your information

We use it only to operate the Tools: to run scans, queue and track jobs, and show your scan history; to generate scores, findings, AI-written summaries, and downloadable PDF reports; to secure the service (abuse detection and rate-limiting); and to email you sign-in links and scan-completion notifications. We do not sell your data or use it for advertising.

3. AI-generated reports

When you request an AI report, summaries of the relevant scan findings (such as the target, finding type, and short evidence snippets) are sent to our AI provider, Anthropic (Claude), to produce the written report. Your data is not used to train third-party models. Because finding evidence can include page content, avoid running AI reports over material containing secrets you are not authorised to share.

4. Storage & third-party processors

We rely on a small set of processors to deliver the Tools:

  • Anthropic (Claude) — AI report generation.
  • Amazon Web Services (S3) — encrypted storage of generated report PDFs in a private bucket (server-side encryption); files are served only through short-lived, account-scoped signed links.
  • Email / SMTP provider — delivery of sign-in links and scan notifications.
  • Google — optional Google sign-in (OAuth).
  • Google Analytics 4 — privacy-respecting, IP-anonymised aggregate usage statistics (sets first-party _ga / _ga_* cookies).

Account details and scan history are held in our application database. We do not share your data with any other party except as required by law.

5. Cookies & local storage

The Tools set a session cookie to keep you signed in, and store your light/dark theme preference in your browser's local storage. We also use Google Analytics 4 (with IP anonymisation) for aggregate usage statistics; it sets first-party _ga / _ga_* analytics cookies. We do not use advertising or cross-site tracking cookies. Disabling cookies will prevent sign-in but otherwise leaves the public pages accessible.

6. Data retention

Your account and scan history are kept while your account is active so you can revisit past results. You can delete your account at any time from Settings, which removes your account and its associated scan records; generated report files are deleted alongside the records they belong to. We may retain minimal logs where required for security or legal compliance.

7. Your rights

You may access the data associated with your account, request correction, and delete your account and its data (self-service via Settings, or by contacting us). Where applicable law grants further rights — for example under India's DPDPA 2023 or frameworks aligned to GDPR principles — we will honour them.

8. Security

Sign-in is passwordless. Report files are encrypted at rest and downloadable only through short-lived signed URLs scoped to your account. We apply access controls and the same security standards we recommend to others. No system is perfectly secure, but we take reasonable measures to protect your data.

9. Children

The Tools are intended for professional and business use and are not directed at children under 16.

10. Changes to this policy

We may update this policy from time to time. Material changes will be reflected here with a new "last updated" date.

11. Contact

Privacy enquiries: contact@oneroxe.com. Security or abuse reports: security@oneroxe.com.
ONEROXE PRIVATE LIMITED · Rohini, New Delhi 110042, India.
← Back to Tools HubLegal & Acceptable Use →