Privacy Policy
Effective date: May 10, 2026
1. Who We Are
R2T Technologies, LLC, a Washington limited liability company, operates the Scantonomous public marketing website and the authenticated Scantonomous product website (“Service”). Scantonomous is the product and brand name for the Service. For the personal information described in this Privacy Policy, R2T Technologies, LLC is the controller or business responsible for deciding how and why that information is processed.
Our designated privacy official is the Scantonomous Privacy Officer, who acts on behalf of R2T Technologies, LLC. You can contact the Privacy Officer at privacy@scantonomous.ai or through our contact page.
2. Categories of Personal Information We Collect
We collect the following categories of personal information, depending on how you use the Service. The examples below are illustrative rather than exhaustive, and we may not collect every category from every person.
| Category | Examples | Sources | Purposes |
|---|---|---|---|
| Identifiers and contact information | Name, email address, billing email, and contact details you submit through account, demo, or support flows | Directly from you, invited users, or account administrators | Create and secure accounts, send service messages, respond to requests, manage account administration, and screen relevant account identifiers against applicable export-control and sanctions lists to comply with U.S. law |
| Organization and account information | Organization name, team membership, role, account settings, and subscription tier or entitlements | Directly from you or your account administrators, and from account configuration inside the Service | Provide the Service, manage team access, enforce plan limits, and support billing and account operations |
| Service inputs and customer content | Source code, repository metadata, asset selections, scan configuration, AI prompts or context assembled from scan inputs, and related materials you submit for scanning | Directly from you or through integrations you authorize, such as source-control connections | Run security scans, provide AI Scan features through approved AI model providers, generate findings, deliver remediation guidance, and troubleshoot scan failures |
| Service-generated security data | Findings, remediation suggestions, scan metadata, exports, AI model outputs, and other artifacts generated by the Service | Generated by the Service from your submitted scan inputs and activity | Display results, support exports, provide remediation guidance and AI-assisted analysis, investigate incidents, and maintain Service operations |
| Usage, device, and log data | Feature usage, scan frequency, service logs, browser or device data, and optional performance telemetry if you enable it | Collected automatically from your use of the marketing website or product website | Operate, secure, debug, and improve the reliability and performance of the Service, and prevent abuse |
| Communications and support data | Demo requests, support inquiries, privacy requests, feedback, and email correspondence with us | Directly from you, invited users, or account administrators | Respond to inquiries, onboard customers, resolve issues, and handle privacy rights requests |
3. Business and Commercial Purposes
We use the categories of information above to:
- Provide, maintain, and support the Service
- Create and secure accounts, authenticate users, and manage team access
- Process security scans and deliver findings and remediation guidance
- Provide AI Scan features through approved AI model providers that are configured not to train or improve their general models on customer code, findings, prompts, or outputs
- Communicate with you about your account, scans, and policy updates
- Operate billing and account-administration workflows
- Monitor performance, troubleshoot issues, and improve reliability
- Detect, investigate, and prevent fraud, abuse, or security incidents
- Screen relevant account information against applicable export-control and sanctions lists, including OFAC and BIS restricted-party lists, to comply with U.S. law
- Comply with legal obligations and enforce our policies and terms
These service communications include emails such as authentication messages, team invitations, findings export notifications, and scan failure alerts. We do not use these emails for newsletters, marketing campaigns, or unsolicited outreach. Additional detail is available on our email policy page.
4. AI and Third-Party Data Sharing
Some AI Scan features use approved third-party AI model providers, including Inception AI, Inc. (“Inception Labs”), as service providers. Approved AI model providers may also include AWS Bedrock and the AI model providers it hosts for specific scan features, such as Anthropic Claude or Amazon Nova when those models are enabled for the relevant feature. When those features run, we may transmit selected service inputs and service-generated security data—such as source code excerpts, repository metadata, scan configuration, findings, prompts, remediation context, and model outputs—to those providers as necessary to provide the Service.
We configure third-party AI model providers that process customer code, findings, prompts, or outputs for Scantonomous not to use that customer data to train or improve their general models. We also restrict the data sent to what is reasonably needed for the requested feature and use contractual, technical, and organizational controls designed to protect customer content. Those providers may process transient copies of submitted request and response data as needed to provide, secure, debug, or comply with legal obligations for their services.
We share personal information and customer content with service providers only as necessary for the purposes described in this Privacy Policy and under contractual confidentiality, security, and use restrictions appropriate to the processing. Depending on how you use the Service, recipient categories may include cloud hosting and infrastructure providers; authentication and access-management providers; email delivery providers; payment processors and billing providers where applicable; optional performance-monitoring providers if you enable those features; AI model providers used to provide AI Scan features; source-control and other integration providers you authorize; and professional advisers, regulators, or authorities where required by law or reasonably necessary to protect our rights, users, or the Service. We do not sell personal information or share it for cross-context behavioral advertising.
5. Data Retention
We retain your data for the minimum time necessary to provide the Service:
- Source code: Stored temporarily during scanning and automatically deleted within 1 day.
- Scan results and artifacts: Retained for up to 14 days, then automatically deleted.
- Logs: Retained for 30 days.
- Account information: Retained for the duration of your account. Account administrators may use the Service’s self-service account-closure controls or contact us to request deletion of associated account data. Once account closure is initiated, associated account data is deleted on an asynchronous basis and is generally removed within 24 hours, except where we need to retain limited information for legal, security, fraud-prevention, or billing recordkeeping purposes.
6. Cookies
Marketing website: We do not use advertising cookies or third-party tracking cookies on the public marketing website.
Product website: We use strictly necessary cookies and similar browser storage to maintain authentication, session state, and core product behavior. If you allow optional performance monitoring in the product website’s cookie settings, we also use AWS CloudWatch RUM to measure frontend errors and page performance using cookies and local storage. We do not use advertising cookies. For full details, see our Cookie Policy.
7. Security
We use administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These safeguards include encryption in transit and at rest, role-based and least-privilege access controls, authentication protections, logging and monitoring, and secure software-development and vulnerability-management practices. For more detail, see our Security page. However, no method of transmission over the internet or electronic storage is 100% secure.
8. Your Rights
You have the right to:
- Request information about the categories of personal information we collect, the sources of that information, and the purposes for which we use it
- Access the personal information we hold about you
- Request and, where available through the Service, download an electronic copy of the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your personal information and, if you are an account administrator, close your account and request deletion of associated account data
- Withdraw consent where processing is based on consent
You can use the Service’s self-service controls to export your information and, if you are an account administrator, initiate account closure. You can also exercise these rights by contacting the Scantonomous Privacy Officer at privacy@scantonomous.ai or by using our contact page.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify customers by email before material changes take effect and will post the updated policy on this page with a revised effective date. Continued use of the Service after changes take effect constitutes acceptance.
10. Contact
Questions about this Privacy Policy? Contact us at privacy@scantonomous.ai or use our contact page. Privacy requests to R2T Technologies, LLC are handled by the Scantonomous Privacy Officer.