Privacy Policy — PM::OFFSEC

Last updated: January 2026 · Effective: January 1, 2026

    Summary: PM::OFFSEC collects only what is necessary to provide security scanning services. We do not sell your data. Scan results belong to you. We use industry-standard encryption for all data in transit and at rest.
  

1. WHO WE ARE

PM::OFFSEC Security Dashboard ("we", "us", "our") is operated by Prakash Mijar, a cybersecurity professional originally from Nepal, currently based in the United States. Our platform is accessible at erprakashmijar.com.

Contact: contact@erprakashmijar.com

2. INFORMATION WE COLLECT

Account Information

Name and email address (required for account creation)
Hashed password (we never store plain-text passwords)
Company name and phone number (optional)
IP address at time of registration

Scan Data

IP addresses and hostnames you choose to scan
SSH credentials you provide (used only during the scan, never stored)
Scan results, vulnerability findings and security scores
Device metadata (OS version, open ports, services)

Usage Data

Pages visited and features used (for product improvement)
Login timestamps and session data
API requests and rate limit counters

What We Do NOT Collect

Payment card numbers (handled by Stripe/Lemon Squeezy directly)
SSH private keys or credentials after scan completion
Personal health information
Location data beyond IP-based country

3. HOW WE USE YOUR DATA

Provide and operate the security scanning service
Send email alerts for critical vulnerability findings
Process subscription payments through our payment providers
Improve platform features and fix bugs
Comply with legal obligations
Respond to support requests

We do not sell, rent or trade your personal information to any third party.

4. DATA STORAGE AND SECURITY

All data is stored on Railway-hosted PostgreSQL databases located in the United States. We implement:

TLS 1.2+ encryption for all data in transit
AES-256 encryption for data at rest
bcrypt hashing for all passwords
Regular security assessments of our own infrastructure
Access controls limiting who can access production data

In the event of a data breach affecting your account, we will notify you within 72 hours via the email address on your account.

5. DATA RETENTION

Account data: Retained while your account is active, deleted within 30 days of account closure
Scan results: Retained for 90 days (Free plan), 1 year (Starter/Pro), or as long as account is active (Enterprise)
Email logs: Retained for 30 days for deliverability purposes
Audit logs: Retained for 1 year for legal compliance

6. THIRD-PARTY SERVICES

We use the following third-party services which have their own privacy policies:

Stripe — Payment processing (stripe.com/privacy)
SendGrid — Transactional email (sendgrid.com/privacy)
Railway — Infrastructure hosting (railway.app/legal/privacy)
Anthropic Claude — AI analysis features (anthropic.com/privacy)
Have I Been Pwned — Breach checking (anonymized k-anonymity API)

7. YOUR RIGHTS

You have the right to:

Access — Request a copy of all data we hold about you
Correction — Update inaccurate information via your profile settings
Deletion — Request deletion of your account and all associated data
Portability — Export your scan data as JSON at any time
Opt-out — Unsubscribe from marketing emails at any time

To exercise any of these rights, email contact@erprakashmijar.com. We will respond within 30 days.

8. COOKIES

PM::OFFSEC uses only essential session cookies necessary for authentication. We do not use tracking cookies, advertising cookies, or analytics cookies. No third-party tracking scripts are loaded on our platform.

9. SECURITY SCANNING DATA

By using our scanning services, you confirm that you have explicit authorization to scan the systems and networks you submit. Scan results are stored securely and are only accessible to your account. We do not share your infrastructure details with any third party.

    SSH credentials you provide for remote scanning are used only during the active scan session and are never written to disk or logged. They exist in memory only and are discarded immediately after the scan completes.
  

10. CHANGES TO THIS POLICY

We will notify registered users by email at least 14 days before any material changes to this privacy policy. Continued use of the platform after changes constitutes acceptance of the updated policy.

11. CONTACT

For privacy questions, data requests, or concerns:

Email: contact@erprakashmijar.com
Subject line: "Privacy Request — [your request type]"
Response time: Within 30 days