PRIVACY NOTICE
This privacy notice for CNT Friends Oy (“Company,” “we,” “us,” or “our”) explains how we collect, store, use, and share your information when you use appsecsanta.com (the “Website”).
Questions? Contact us at suphi@cnt.fi.
1. What Information Do We Collect?
Information you provide directly
If you use our contact form, we collect your name, email address, the topic you select, and the message you write, so we can respond to your enquiry.
We don’t ask for a phone number, but any personal details you choose to include in the message are processed too. The form is submitted through Web3Forms (see the sharing table below).
Newsletter subscription
If you subscribe to our free weekly newsletter, AppSec Santa Weekly, we collect and store:
- Your email address: so we can send you the newsletter and a confirmation (double opt-in) email.
- Your IP address and browser user-agent: recorded at signup as an anti-abuse and consent record.
- Subscription status and confirmation token: to manage the opt-in, sending, and unsubscribe lifecycle.
This data is stored in Cloudflare D1 and KV. Emails are sent through Resend, and the signup form is protected by Cloudflare Turnstile.
We use your email only to send the newsletter and related operational messages, never for advertising, profiling, or sale. You can unsubscribe at any time using the link in every issue, which removes your record from our list.
Free security tools
We offer five free security tools (Security Headers Checker, SSL/TLS Checker, Subdomain Finder, DNS Security Checker, and CSP Header Generator). When you use these tools:
What we process during your scan:
- Domain or URL you enter: sent to our Cloudflare Worker to perform the scan, and on to the third-party data sources listed below.
- Your IP address: used to generate a short-lived HMAC authentication token (held in memory only, not stored) and for rate limiting (see below).
Rate limiting via Cloudflare KV:
To prevent abuse, we store a counter keyed to your IP address (e.g., rl:ssl:203.0.113.5) in Cloudflare Workers KV. This counter tracks how many scans you’ve performed in the current hour.
It auto-deletes after 1 hour (TTL-based expiration).
Subdomain Finder result cache:
To keep the Subdomain Finder fast and reduce load on upstream data sources, we cache its results in Cloudflare Workers KV, keyed to the domain you entered (e.g., cache:sub:example.com). This cache auto-deletes after 6 hours (TTL-based expiration). The other four tools do not cache results.
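As an added illustration of the two KV mechanisms described above (the per-IP rate-limit counter and the Subdomain Finder result cache), the following is example code written for this page, not the site's own Cloudflare Worker. The key formats rl:<tool>:<ip> and cache:sub:<domain> and the 1-hour and 6-hour TTLs are taken from the notice; the limit of 20 scans per hour, the function names, the in-memory KV stand-in and the fake clock are assumptions made so the example runs offline. Only the counter is ever written under the IP; no scan result or domain is stored against it.

```javascript
const RATE_LIMIT_TTL = 3600;      // seconds: counter is gone 1 hour after the first scan
const CACHE_TTL = 6 * 3600;       // seconds: Subdomain Finder results kept for 6 hours
const SCANS_PER_HOUR = 20;        // assumed limit; the notice does not state a number

// Fake clock so TTL expiry can be exercised without waiting (assumption).
class FakeClock {
  constructor(t) { this.t = t; }
  now() { return this.t; }
  advance(seconds) { this.t += seconds; }
}

// Minimal stand-in for a Workers KV binding: get/put with either an absolute
// `expiration` or a relative `expirationTtl`, both in seconds (assumption).
class MemoryKV {
  constructor(clock) { this.clock = clock; this.store = new Map(); }
  async get(key) {
    const entry = this.store.get(key);
    if (!entry) return null;
    if (entry.expires !== null && entry.expires <= this.clock.now()) {
      this.store.delete(key);     // expired: behaves as if auto-deleted
      return null;
    }
    return entry.value;
  }
  async put(key, value, opts = {}) {
    let expires = null;
    if (opts.expiration !== undefined) expires = opts.expiration;
    else if (opts.expirationTtl !== undefined) expires = this.clock.now() + opts.expirationTtl;
    this.store.set(key, { value: String(value), expires });
  }
}

// Fixed-window rate limit: one counter per tool and client IP (rl:ssl:203.0.113.5).
// `now` is the current Unix time in seconds (a real Worker would use Date.now()).
async function checkRateLimit(kv, tool, ip, now, limit = SCANS_PER_HOUR) {
  const key = `rl:${tool}:${ip}`;
  const raw = await kv.get(key);
  const state = raw ? JSON.parse(raw) : { count: 0, windowEnd: now + RATE_LIMIT_TTL };
  if (state.count >= limit) return { allowed: false, count: state.count };
  state.count += 1;
  // Writing the same absolute `expiration` on every update keeps the window end
  // fixed, so the counter is deleted one hour after the first scan, not the last.
  // KV read-then-write is not atomic; a small over-count under concurrency is
  // acceptable for abuse protection.
  await kv.put(key, JSON.stringify(state), { expiration: state.windowEnd });
  return { allowed: true, count: state.count };
}

// Result cache keyed to the queried domain (cache:sub:example.com), never to the IP.
// `lookup` stands in for the upstream CT-log and enumeration sources.
async function cachedSubdomains(kv, domain, lookup) {
  const key = `cache:sub:${domain}`;
  const hit = await kv.get(key);
  if (hit !== null) return { fromCache: true, subdomains: JSON.parse(hit) };
  const subdomains = await lookup(domain);
  await kv.put(key, JSON.stringify(subdomains), { expirationTtl: CACHE_TTL });
  return { fromCache: false, subdomains };
}

// Walks both mechanisms through their TTLs with constructed inputs and returns
// the observations, so the behaviour can be checked rather than just printed.
async function runScenario() {
  const clock = new FakeClock(1700000000);
  const kv = new MemoryKV(clock);
  const ip = '203.0.113.5';        // documentation address, constructed
  const r = { allowedBefore: 0, deniedAt21: false, countAfterExpiry: 0,
              lookups: 0, secondFromCache: false, thirdFromCache: true };
  for (let i = 0; i < SCANS_PER_HOUR; i++) {
    if ((await checkRateLimit(kv, 'ssl', ip, clock.now())).allowed) r.allowedBefore++;
  }
  r.deniedAt21 = !(await checkRateLimit(kv, 'ssl', ip, clock.now())).allowed;
  clock.advance(RATE_LIMIT_TTL);  // window over: counter auto-deleted
  r.countAfterExpiry = (await checkRateLimit(kv, 'ssl', ip, clock.now())).count;

  const lookup = async (d) => { r.lookups++; return [`www.${d}`, `mail.${d}`]; };
  await cachedSubdomains(kv, 'example.com', lookup);
  r.secondFromCache = (await cachedSubdomains(kv, 'example.com', lookup)).fromCache;
  clock.advance(CACHE_TTL);       // cache entry expired: upstream queried again
  r.thirdFromCache = (await cachedSubdomains(kv, 'example.com', lookup)).fromCache;
  return r;
}

runScenario().then((r) => console.log(JSON.stringify(r)));
```

Run with `node`; the scenario allows 20 scans, denies the 21st, starts a fresh count after the hour, and shows the cache answering the second lookup but not the one after the 6-hour TTL. The fixed-window design matters for the retention promise: a counter whose TTL was refreshed on every write would linger as long as a client kept scanning.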
What we do NOT store server-side:
- Scan results from the Security Headers, SSL/TLS, DNS Security, and CSP tools
- Any grades or findings tied to your IP address
- Any personal information beyond the ephemeral rate-limit counter
Client-side storage (your browser only):
Your scan history (domain, score/grade, timestamp) is saved in your browser’s localStorage so you can see previous results. This data never leaves your browser and is not sent to us. You can clear it at any time through your browser settings.
Third-party services contacted during scans:
| Service | Data Sent | Purpose |
|---|---|---|
| Target domain’s server | HTTP/HTTPS requests with our user-agent | Headers, SSL/TLS, and DNS checks |
| crt.sh (Sectigo) | Domain name | Certificate Transparency log queries (SSL/TLS Checker, Subdomain Finder) |
| Certspotter (SSLMate) | Domain name | Certificate Transparency log queries (SSL/TLS Checker, Subdomain Finder) |
| HackerTarget | Domain name | Subdomain enumeration (Subdomain Finder) |
| AnubisDB | Domain name | Subdomain enumeration (Subdomain Finder) |
| Cloudflare DoH | Domain name | DNS record lookups (DNS Security Checker) |
These third-party services have their own privacy policies. We do not control how they process the domain names we query.
Information collected automatically
When you visit the Website, certain data is collected automatically:
Cloudflare Web Analytics
We use Cloudflare Web Analytics, a privacy-first analytics service. It does not use cookies, does not track individual visitors, and does not collect personal data.
It only measures aggregate, anonymized metrics like page views, visits, and referrers. No data is stored on your device. For details, see Cloudflare Web Analytics privacy.
Microsoft Clarity
We use Microsoft Clarity for cookieless, masked heatmaps and session recordings. These help us see which sections visitors read, where they click, and which parts of the layout are confusing.
Clarity runs in cookieless mode on this site; it does not set _clck or _clsk cookies. It still collects behavioural data (mouse movement, clicks, scrolls, viewport size, and masked page content), which Microsoft processes on its servers.
Data masking. Clarity masks form fields, password inputs, and visible text it classifies as sensitive by default. We have not enabled any custom unmasking, so we cannot see your email, payment details, or other personally identifying input from a recording.
Opt out of Clarity. You can block clarity.ms via your browser’s privacy controls or a tracker blocker. Microsoft also describes its data-handling at privacy.microsoft.com.
Google Analytics 4
We use Google Analytics 4 (measurement ID G-QJC0D3QBWW) to see which pages and guides are useful. It runs under Google Consent Mode, and what it does depends on where you are.
In the EU/EEA, UK, Switzerland, and Brazil, analytics is off by default: GA4 sends only cookieless signals until you accept the consent banner. If you accept, it sets _ga and _ga_* cookies; if you reject or ignore the banner, it stays cookieless.
Elsewhere (including the US), analytics is on by default and GA4 may set _ga and _ga_* cookies. We always honour the Global Privacy Control signal; if your browser sends GPC, analytics stays cookieless wherever you are.
You can change your choice anytime via “Cookie preferences” in the footer, or block googletagmanager.com and google-analytics.com with a tracker blocker. Ad and personalization storage is denied in every region. Google describes its data handling in the Google Analytics privacy documentation.
Cloudflare Pages
The Website is hosted on Cloudflare Pages. Cloudflare automatically processes visitor IP addresses and standard HTTP request data (browser user-agent, requested URL, timestamp) to serve content and protect against abuse. See Cloudflare’s Privacy Policy for details.
Cookies
Cloudflare Web Analytics and Microsoft Clarity run in cookieless mode and set no cookies. Google Analytics can set cookies only when analytics is enabled, by consent in the EU/EEA/UK, or by default elsewhere (see above). It uses no advertising cookies.
Cloudflare may set its own cookies for security and performance purposes (e.g., bot detection, DDoS protection). See Cloudflare’s cookie policy for specifics.
2. How Do We Use Your Information?
We use the information we collect to:
- Run and improve the Website. Analytics help us see which pages are useful, what content to add, and where visitors come from.
- Respond to enquiries submitted through the contact form.
- Protect the Website through Cloudflare’s security features.
We do not use your information for marketing, profiling, or automated decision-making.
3. Who Do We Share Your Data With?
We share data with the following service providers, each of which processes data as described in their own privacy policies:
| Service | Data Processed | Purpose |
|---|---|---|
| Cloudflare | IP addresses, request data, anonymized analytics; newsletter subscriber records (email, status, IP, user-agent) in Cloudflare D1/KV | Hosting, security, analytics, and newsletter storage |
| Microsoft Clarity | Cookieless interaction data (clicks, scrolls, viewport, masked page content) | Heatmaps and session recordings |
| Google Analytics 4 (Google) | Anonymized usage events; _ga/_ga_* cookies by consent (EU/UK) or default (US/elsewhere) | Aggregate traffic and content analytics |
| Web3Forms | Contact-form fields (name, email, topic, message) | Delivering contact-form submissions to us by email |
| Resend | Subscriber email address | Sending newsletter confirmation and issue emails |
| Cloudflare Turnstile | A challenge token (no personal data) | Bot/abuse protection on the newsletter signup form |
| crt.sh (Sectigo), Certspotter (SSLMate), HackerTarget, AnubisDB | Domain names entered in tools | Certificate Transparency and subdomain lookups |
| Cloudflare DNS (1.1.1.1) | Domain names entered in tools | DNS record lookups |
We do not sell, rent, or trade your personal information. We may disclose information if required by law or to protect our legal rights.
4. Data Retention
- Security tool rate-limit counters are auto-deleted after 1 hour (Cloudflare KV TTL).
- Subdomain Finder result cache auto-deletes after 6 hours (Cloudflare KV TTL). The other four tools retain no scan data.
- Newsletter subscriber records are kept for as long as you stay subscribed. When you unsubscribe, your record is removed from our active list.
- Cloudflare Web Analytics retains only aggregate, anonymized data. No personal data is stored.
- Microsoft Clarity retains recordings and heatmap data for up to 13 months by default, after which Microsoft deletes them per its data-retention policy.
- Google Analytics 4 retains event data per the property’s data-retention setting (Google’s default of 2 months, configurable up to 14 months), after which Google deletes or aggregates it.
- Contact form submissions are kept until we’ve responded to your enquiry, then deleted.
- Cloudflare edge logs follow Cloudflare’s standard retention periods (typically 72 hours for request logs).
5. Your Privacy Rights
If you’re in the EEA, UK, or Switzerland
Legal bases for processing (Article 6 GDPR). We rely on:
- Consent: for the newsletter subscription, and for analytics cookies in the EEA, UK, Switzerland, and Brazil (set only after you accept the consent banner). You can withdraw consent at any time.
- Legitimate interests: for keeping the Website secure and free from abuse (rate limiting, Cloudflare Turnstile, bot protection), for cookieless aggregate analytics, and for responding to enquiries you submit through the contact form. We balance these against your rights and freedoms.
- Legal obligation: where we must retain or disclose information to comply with applicable law.
Under GDPR, you have the right to:
- Access your personal data and request a copy
- Rectify inaccurate information
- Erase your personal data (“right to be forgotten”)
- Restrict processing in certain circumstances
- Data portability, i.e. receive your data in a machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent at any time where processing is based on consent
To exercise these rights, email us at suphi@cnt.fi. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority.
For all visitors
You can disable cookies in your browser settings at any time, though this may affect site functionality.
6. International Data Transfers
Your data may be processed outside the EEA by our service providers (e.g., Cloudflare). These companies use Standard Contractual Clauses and other safeguards for international transfers.
7. Children’s Privacy
The Website is not directed at anyone under 18 years of age. We do not knowingly collect personal information from children.
8. Do-Not-Track Signals
There is no uniform standard for handling Do-Not-Track browser signals. We do not currently respond to DNT signals.
9. Changes to This Notice
We may update this privacy notice from time to time. The “Last updated” date at the top of the page shows when it was last revised.
10. Contact Us
If you have questions about this privacy notice or want to exercise your data protection rights, contact us:
CNT Friends Oy
Hitsaajankatu 13
00810 Helsinki
Finland
Email: suphi@cnt.fi
You can also reach us through our contact page.