Privacy Policy
Last updated: 5 May 2026
1. Who we are
Xrayfy ("we", "our", "us") is a website diagnostic service operated at xrayfy.com. We provide independent audits of website health covering security, legal compliance, technical posture, and user experience.
We collect only what's needed to run your scan. We don't sell your data.
2. What data we collect
- Domain name — the website you submit for scanning
- Email address — to deliver your report and access code
- Industry — to contextualise findings
- IP address — to detect your country for compliance-law matching and to prevent abuse. Anonymised after 90 days.
- Country (geo-detected) — derived from your IP address
We do not collect passwords, payment card numbers, or any data from the websites we scan beyond what is publicly accessible.
3. How we use your data
- To run the diagnostic scan and generate your Xrayfy Report
- To deliver your report and 6-digit access code by email
- To apply the correct jurisdiction's compliance laws to your scan
- To prevent abuse (rate limiting, duplicate scan detection)
We do not sell, share, or rent your personal data to third parties.
4. Data retention
- Scan results and reports: retained for 30 days, then deleted
- Email address: retained for 90 days, then deleted
- IP address: anonymised after 90 days
- Access codes: expire after 30 days
5. Third-party sub-processors
We use the following sub-processors to operate the service. Some are based outside India. By using Xrayfy you consent to your data being processed by these services solely for the purposes stated.
- Resend Inc. (USA) — email delivery of your scan report. Data transmitted: your email address and report content. Resend is SOC 2 Type II certified.
- Cloudflare Inc. (USA) — email routing and DNS infrastructure. Data transmitted: email headers only. Cloudflare is ISO 27001 and SOC 2 certified.
- Cloud infrastructure (India and Germany) — server hosting. Scan data and reports are stored on servers in India and Germany.
- ip-api.com — IP geolocation for compliance-law matching. No personal data retained by this service.
- ipinfo.io (USA) — identifies the hosting provider of scanned domains via server IP lookup. No Xrayfy user personal data is transmitted; only the scanned domain's IP is queried.
- Cloudflare Turnstile (Cloudflare Inc., USA) — bot protection on the scan form. A challenge token is generated client-side; no personal tracking cookies are set.
Cross-border transfers to the USA are made on the basis of your explicit consent given at the point of scan submission, and are limited strictly to scan delivery purposes.
6. Your rights under DPDP Act 2023 (India)
If you are an Indian resident, you have the following rights as a Data Principal under the Digital Personal Data Protection Act, 2023:
- Right to access — request a summary of personal data we hold about you
- Right to correction — request correction of inaccurate personal data
- Right to erasure — request deletion of your personal data
- Right to data portability — request a copy of your personal data in a portable, machine-readable format by emailing [email protected]; we will respond within 30 days
- Right to grievance redressal — lodge a complaint with our Grievance Officer (see below)
- Right to nominate — nominate another person to exercise rights on your behalf
To exercise any right, email [email protected]. We will respond within 30 days.
7. Grievance Officer (IT Rules 2021 / DPDP Act)
In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 and the DPDP Act 2023, the details of the Grievance Officer are:
- Name: Madhur
- Organisation: Xrayfy
- Email: [email protected]
- Response time: Complaints acknowledged within 48 hours, resolved within 30 days
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the affected Data Principals and the Data Protection Board of India within 72 hours of becoming aware of the breach, as required under the DPDP Act 2023. Notification will include the nature of the breach, data affected, likely consequences, and remedial measures taken.
9. Cookies
We do not use tracking cookies. We do not use advertising or analytics cookies. The only browser storage we use is session-level and strictly necessary for the service to function.
10. Data Processing Agreement (DPA)
If you are a business (Data Fiduciary) using Xrayfy to scan domains on behalf of your clients, you may request a Data Processing Agreement. Our standard Data Processing Agreement covers: lawful basis for processing, data minimisation, sub-processor obligations, and breach notification timelines — aligned with the Digital Personal Data Protection Act 2023 (India) and GDPR principles.
To request a Data Processing Agreement, email [email protected] with your business name and registered address. We will countersign and return within 5 working days.
11. Contact
For any privacy-related questions: [email protected]