Basan
Log inSign up

Privacy Policy

Last updated: June 9, 2026

This Privacy Policy explains how Basan ("Basan", "we", "us", or "our") collects, uses, and shares information when you use our website and the Basan security platform (together, the "Service"). By using the Service, you agree to the practices described here.

Information we collect

Information you provide

  • Account information. When you create an account we collect your name, email address, organization name, and the authentication details needed to sign you in.
  • Scan configuration. The targets you ask us to test (domains, hosts, URLs, and related scope settings), the verification records you publish to prove control of those targets, and any scheduling or instruction details you attach to a scan.
  • Target credentials. If you choose to give Basan credentials so it can test authenticated surfaces, we store them in a per-target encrypted vault (see "How we protect your information" below).
  • Billing information. Payments are processed by our payment provider. We receive billing metadata such as plan, credit balance, and transaction status, but we do not store full payment card numbers on our systems.
  • Communications. When you contact us, subscribe to updates, or fill in a form, we keep the information you send so we can respond and improve the Service.

Information we generate or collect automatically

  • Scan results. Findings, evidence, logs, and reports produced when the Service tests your targets.
  • Usage and device data. Log data such as IP address, browser type, pages viewed, timestamps, and diagnostic and performance telemetry used to operate, secure, and improve the Service.

Cookies and analytics

The application uses strictly necessary cookies to keep you signed in and to keep your session secure. Our marketing website uses cookies and similar technologies, including analytics technologies that help us understand how visitors find and use the site so we can improve it. You can control or block cookies through your browser settings; blocking strictly necessary cookies may prevent parts of the application from working. Where required by law, we will seek your consent before setting non-essential cookies.

How we use information

  • To provide, operate, and maintain the Service, including running the scans you request.
  • To verify that you control the targets you ask us to test.
  • To generate findings, reports, and notifications.
  • To process billing, manage credits, and administer your plan.
  • To secure the Service, detect abuse, and enforce our Terms of Service.
  • To respond to your requests and send you service and product communications.
  • To comply with legal obligations.

How we share information

We do not sell your personal information. We share information only as described below:

  • Service providers (sub-processors). We rely on trusted vendors to run the Service. These act on our behalf under contractual confidentiality and security obligations, and we limit what they receive to what they need to perform their function. They fall into a small number of categories: cloud hosting and infrastructure; authentication and identity; payment processing; transactional and notification email; product and website analytics; and the AI model providers that power our report generation and automated testing. A current list of our sub-processors is available on request at support@basan.ai.
  • Integrations you enable. If you connect a third-party destination, such as a messaging tool for notifications, we share the relevant information with that destination at your direction.
  • Legal and safety. We may disclose information if required by law or to protect the rights, property, or safety of Basan, our users, or the public.
  • Business transfers. If we are involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction.

To generate reports and run automated testing, the Service may process your scan configuration and findings using AI model providers acting on our behalf under the terms above.

How we protect your information

We apply technical and organizational measures appropriate to the sensitivity of the data. Information is encrypted in transit using TLS. Target credentials are encrypted at rest in a per-target vault using authenticated AES-256-GCM encryption, with support for master-key rotation; plaintext credentials are shown to you only once, at the moment you create or rotate them, and are never displayed again. Access to production systems is restricted and logged. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

Data retention

We retain information for as long as your account is active or as needed to provide the Service, and afterward as required to comply with our legal obligations, resolve disputes, and enforce our agreements. You can ask us to delete your account and associated data as described below; some records may be retained where retention is legally required.

Legal bases for processing

If you are in the European Economic Area or the United Kingdom, we process your personal information where we have a legal basis to do so: to perform our contract with you (to provide the Service), for our legitimate interests (to secure, operate, and improve the Service in ways that do not override your rights), to comply with a legal obligation, or with your consent where consent is required.

Your rights

Depending on where you live, you may have rights under laws such as the EU and UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), including the right to access, correct, export, or delete your personal information, and to object to or restrict certain processing. We do not sell or share your personal information for cross-context behavioral advertising. To exercise any of these rights, contact us at support@basan.ai. We will not discriminate against you for exercising them. If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection authority.

International transfers

Basan operates from the United States and may process information in the United States and other countries where our service providers operate. Where required, we use appropriate safeguards for international transfers of personal information.

Children

The Service is not directed to individuals under 18, and we do not knowingly collect personal information from children. If you believe a child has provided us information, please contact us so we can delete it.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and, where appropriate, provide additional notice. Your continued use of the Service after an update means you accept the revised policy.

Contact us

If you have questions about this Privacy Policy or how we handle your information, email us at support@basan.ai.