Your data,
handled with care.
What we collect, what we never collect, and the controls you have.
What we collect
When you use CQwerty Shield, we collect: the domain name you submit for scanning, your email address (if provided), your IP address for rate limiting, and payment information processed through Stripe. We do not store credit card numbers on our servers.
How we use your data
We use your data to perform security scans on the domains you submit, deliver scan reports to your email, process payments, send follow up emails about your scan results (you can unsubscribe at any time), and improve the service.
What we scan
CQwerty Shield only analyses publicly available information about your domain. This includes DNS records, TLS certificates, HTTP security headers, WHOIS registration data, and known breach databases. We do not access your servers, internal networks, or any private data.
Data storage
Scan results are stored on servers located in Australia. Reports are retained for 90 days for free scans and indefinitely for paid reports. You can request deletion of your data at any time by emailing support@cqwerty.com.
Third party services
We use Stripe for payment processing, Resend for email delivery, Vercel for frontend hosting, Cloudflare for edge networking, and OpenAI for AI analysis. Each service has its own privacy policy governing your data.
Cookies
CQwerty Shield uses minimal cookies. We store an authentication token in your browser local storage to keep you signed in. We do not use third party tracking cookies or advertising pixels.
Email communications
If you provide your email address we may send: your scan report, follow up emails about your security findings (day 3, 7, 14 after the scan), monthly monitoring reports if subscribed, and important service updates. You can unsubscribe from non essential emails using the link in each one.
Chrome extension
The CQwerty Shield Chrome extension shows the security posture of each site you visit. When you click the icon or the toolbar badge updates, the extension sends only the hostname of the current tab (e.g. example.com, never the full URL, page content, form data, cookies, or any other tab data) to api.cqwerty.com to fetch its public security grade. The extension caches recent scan results locally for 24 hours, stores up to 6 recently scanned domains, and (if signed in) keeps a copy of your authentication token in chrome.storage. None of that local data leaves your browser. The extension does not read pages, does not track browsing history, and does not run on third party sites. Uninstall via chrome://extensions to clear everything.
Data security
We protect your data with TLS in transit, bcrypt for password hashing, restricted database access, and 2FA on all administrator accounts. Payment processing is handled entirely by Stripe and we never see or store your card details.
Your rights
You have the right to access the data we hold about you, request correction or deletion, withdraw consent for email communications, and export your scan history. Email support@cqwerty.com for any data request.
Changes
We may update this privacy policy from time to time. We notify registered users of material changes by email. Continued use of the service after changes constitutes acceptance.
Contact
For privacy questions or data requests, email support@cqwerty.com. CQwerty Shield is operated from Melbourne, Australia.