Privacy Policy
This privacy policy applies to the vulnerability scanner service operated by blueredix GmbH at scan.blueredix.com (the “Service”). It describes what personal data we collect, on what legal basis, for how long, and what rights you have under the General Data Protection Regulation (GDPR).
For privacy information relating to the main blueredix.com website, please refer to our Legal Notice.
1. Data Controller
The controller responsible for data processing within the meaning of the GDPR is:
blueredix GmbH
Diemersgraben 1
98574 Schmalkalden
Germany
E-mail: privacy@blueredix.com
2. Data We Process
When you use the Service we process the following personal data:
| Data | Purpose | Legal basis |
|---|---|---|
| E-mail address | Send magic link for identity verification; deliver result link; communicate about your request | Consent — Art. 6(1)(a) GDPR |
| Scan target (IP address or hostname) | Execute the vulnerability scan you requested | Consent — Art. 6(1)(a) GDPR; contract performance — Art. 6(1)(b) GDPR |
| Scan findings | Deliver results to you | Contract performance — Art. 6(1)(b) GDPR |
| Session token (cookie) | Keep you authenticated during your session | Legitimate interest — Art. 6(1)(f) GDPR |
| Audit log entries | Record of service actions, kept for security and accountability (entries are anonymised rather than deleted on a deletion request; see section 7) | Legitimate interest — Art. 6(1)(f) GDPR |
| Server access logs (IP address, timestamp, request path) | Security monitoring, abuse prevention | Legitimate interest — Art. 6(1)(f) GDPR |
We do not process special categories of personal data (Art. 9 GDPR).
3. Retention Periods
| Data | Retention period |
|---|---|
| E-mail address, scan target, scan findings | 90 days after scan completion, then permanently deleted |
| Unverified e-mail (magic link not clicked) | Never stored — discarded immediately |
| Session cookies | 7 days |
| Result access tokens | 30 days from scan completion |
| Audit log entries | Retained indefinitely; anonymised (actor/target replaced with “[deleted]”) upon a deletion request |
| Server access logs | 7 days, then automatically purged |
4. Data Recipients and Sub-processors
We engage the following sub-processors under data processing agreements:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting (scan.blueredix.com runs on a Hetzner server in Germany) | Germany (EU) |
| Resend Inc. | Transactional e-mail delivery (magic links, result notifications) | United States — Standard Contractual Clauses apply |
Your data is not sold or disclosed to any other third party.
5. Data Transfers Outside the EU
Resend Inc. is based in the United States. We have entered into the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with Resend to ensure an adequate level of protection for your data. All other data processing takes place exclusively within the EU.
6. Your Rights
Under the GDPR you have the following rights with respect to your personal data:
- Right of access (Art. 15 GDPR) — obtain confirmation of whether we process data about you and receive a copy.
- Right to rectification (Art. 16 GDPR) — have inaccurate data corrected.
- Right to erasure (Art. 17 GDPR) — request deletion of your data (“right to be forgotten”).
- Right to restriction of processing (Art. 18 GDPR) — request that we restrict, but not delete, your data.
- Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21 GDPR) — object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3) GDPR) — withdraw consent at any time without affecting the lawfulness of prior processing.
7. Deletion Requests
To request deletion of your data, send an e-mail to privacy@blueredix.com with the subject “Deletion request” and the e-mail address you used when submitting your scan. We will process your request within 30 days and confirm deletion by e-mail.
A deletion link is also included in every scan result notification e-mail.
Upon deletion: your e-mail address, scan target, and findings are permanently removed. Audit log entries referencing your actions are anonymised — they are retained for security accountability but no longer identify you.
8. Right to Complain
You have the right to lodge a complaint with the competent data protection supervisory authority. For blueredix GmbH the competent authority is:
Thüringer Landesbeauftragter für den Datenschutz und die Informationsfreiheit
Häßlerstraße 8
99096 Erfurt
Germany
E-mail: poststelle@tldi.thueringen.de
9. Changes to This Policy
We may update this policy to reflect changes in the Service or applicable law. The date at the end of this page indicates when it was last revised.
Last updated: 4 May 2026