PRIVACY POLICY

Last updated: March 31, 2026

KillSesh ("we", "us", "our") operates the KillSesh security platform at killsesh.com. This policy explains what data we collect, why, and how we protect it.

1. What We Collect

Account information: Email address and authentication tokens when you sign up.

Email metadata (with your permission): When you connect a Gmail or Outlook account, we access email headers, sender addresses, and subject lines to scan for breach notifications and phishing indicators. We do not read or store email body content beyond what is needed for threat analysis.

Breach scan results: Records of which breaches your email appears in, threat scores, and scan timestamps.

Session data: Connected app/session information from your Google or Microsoft account to detect unauthorized access.

Account registry: Services you've registered with (discovered via inbox scanning or manually added).

Payment information: Processed by Stripe. We never see or store your card number.

2. How We Use Your Data

Scan your email accounts for breach exposure and phishing threats
Detect unauthorized sessions and suspicious login activity
Build your account registry to identify at-risk services
Send you alerts when new breaches or threats are detected
Process subscription payments via Stripe

3. What We Don't Do

We don't sell your data to third parties
We don't use your data for advertising
We don't read full email bodies — only headers and metadata for threat detection
We don't store your email OAuth tokens longer than your active session
We don't share breach results with anyone except you

4. Third-Party Services

We use the following services to operate KillSesh:

Supabase — Database hosting (data stored in Supabase's SOC 2 compliant infrastructure)
Cloudflare — API hosting and DDoS protection
Stripe — Payment processing (Stripe Privacy Policy)
Google OAuth / Microsoft OAuth — Email account connection (read-only access)
XposedOrNot, LeakCheck, BreachDirectory — Public breach databases (we send only your email address hash, not your email)

5. Data Retention

We retain your data for as long as your account is active. When you delete your account:

All breach scan results are permanently deleted
All account registry entries are permanently deleted
All session data is permanently deleted
Email OAuth tokens are revoked and deleted
Your Stripe subscription is cancelled

Deletion is completed within 30 days of your request.

6. Your Rights

You can at any time:

Export your data — Request a full export of your breach results and account registry
Delete your account — Permanently remove all your data from our systems
Disconnect email — Revoke our access to your Gmail or Outlook account
Opt out of emails — Unsubscribe from breach alert notifications

For GDPR (EU) and CCPA (California) requests, email [email protected].

7. Security

All data is encrypted in transit (TLS 1.3) and at rest. Database access is protected by Row-Level Security — each user can only access their own data. API endpoints require authentication. We conduct regular security reviews of our codebase.

8. Children

KillSesh is not intended for use by anyone under 18. We do not knowingly collect data from minors.

9. Changes

We may update this policy. Material changes will be communicated via email to active subscribers. Continued use after changes constitutes acceptance.

10. Contact

Questions about this policy: [email protected]