Last updated: December 2025
This Privacy Policy explains how Menetray OÜ, a company registered in Estonia ("we", "us", "our"), collects, uses, and protects your personal information when you use DruScan.
We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Information We Collect
Account Information
When you create an account on DruScan, we collect your name, email address, and billing information (for paid subscriptions). This information is necessary to provide you with access to our service, manage your account, and process payments.
Server Logs
When you access DruScan, our servers automatically record certain information including your IP address and the date and time of your requests. This information is collected for security purposes, to prevent abuse, and to ensure the proper functioning of our service.
Website Scan Data
DruScan scans websites that you connect to the service through our Drupal module. The data collected from these scans includes technical information such as software versions, security configurations, performance metrics, and SEO-related data.
We do not collect any personal data from the websites you scan. Our scans only retrieve available technical information about the Drupal installation and its configuration.
2. How We Use Your Information
We use the information we collect for the following purposes:
To provide and maintain the DruScan service, including processing your scans and generating reports.
To manage your account and provide customer support when you contact us.
To process payments for paid subscriptions through our payment provider.
To send you transactional emails related to your account, such as login links, scan notifications, and service updates.
To send you occasional marketing communications about new features, offers, or changes to our service. You can unsubscribe from these communications at any time using the unsubscribe link included in each email.
To monitor and prevent abuse of our service, including detecting excessive API usage or unauthorised access attempts.
To comply with legal obligations where required.
3. Legal Basis for Processing
Under GDPR, we process your personal data based on the following legal grounds:
Contract performance: Processing your account information and scan data is necessary to provide you with the service you have signed up for.
Legitimate interests: We process server logs and IP addresses for security purposes and to prevent abuse of our service. We also send marketing communications to existing customers about similar services based on our legitimate interest, while always providing an easy way to opt out.
Legal obligations: We may process and retain certain data where required by law, such as billing records for tax purposes.
4. Data Sharing
We do not sell your personal data to third parties. We share your data only with the following service providers who help us operate DruScan:
Hetzner Online GmbH provides our hosting infrastructure. Your data is stored on their servers located in the European Union.
SendGrid provides our transactional email service. They process your email address to deliver account-related emails and marketing communications.
Stripe, Inc. processes payments for paid subscriptions. They receive your billing information when you subscribe to a paid plan.
All our service providers are bound by data processing agreements that require them to protect your data in accordance with GDPR.
5. Analytics
We use Plausible Analytics to understand how visitors use our website. Plausible is a privacy-focused analytics tool that does not use cookies and does not collect personal data. All analytics data is processed on our own infrastructure and is not shared with third parties.
6. Data Retention
We retain your personal data for as long as your account remains active.
If you request deletion of your account, we will delete your personal data from our systems. Some data may be retained for a limited period where required by law, such as billing records for tax compliance purposes.
Server logs containing IP addresses are retained for a limited period necessary for security purposes and are then automatically deleted.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction.
All data transmitted between your browser and DruScan is encrypted using HTTPS. User authentication is handled through secure email-based magic links, eliminating the risks associated with password storage. Access to our systems and your data is restricted to authorised personnel only.
8. International Data Transfers
All personal data processed by DruScan is stored within the European Union on servers provided by Hetzner.
Some of our service providers, such as Stripe, may transfer data outside the EU. Where this occurs, appropriate safeguards are in place, such as Standard Contractual Clauses, to ensure your data remains protected in accordance with GDPR requirements.
9. Your Rights
Under GDPR, you have the following rights regarding your personal data:
Right of access: You can request a copy of the personal data we hold about you.
Right to rectification: You can request that we correct any inaccurate or incomplete data.
Right to erasure: You can request that we delete your personal data.
Right to data portability: You can request to receive your data in a structured, commonly used format.
Right to object: You can object to the processing of your data for marketing purposes at any time.
Right to restrict processing: You can request that we limit how we use your data in certain circumstances.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.
10. Marketing Communications
If you have an account with DruScan, we may send you occasional emails about new features, special offers, or changes to our service. These communications are related to the service you are already using.
You can opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting us at [email protected]. Please note that even if you opt out of marketing emails, we will still send you transactional emails related to your account and the service.
11. Age Requirement
DruScan is intended for use by individuals who are at least 18 years old. We do not knowingly collect personal data from anyone under the age of 18. If you are under 18, please do not create an account or use our service.
If we become aware that we have collected personal data from someone under 18, we will take steps to delete that information.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any significant changes by email or by posting a notice on our website. The updated policy will indicate the date it was last revised.
Your continued use of DruScan after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
13. Contact Us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at [email protected].
If you are not satisfied with our response to any privacy-related concern, you have the right to lodge a complaint with a supervisory authority. As we are based in Estonia, our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).