Privacy Policy
Last updated: 2026-04-21
1. Data Controller
Starsol Ltd (company number 06002018), with registered office at Unit D10 Upper Lounge, Pinetrees Road, Norwich, England, NR7 9BB, is the data controller for personal data processed via Agent Disco.
Contact us via the contact form.
Starsol Ltd is registered with the UK Information Commissioner's Office under registration number ZA083698.
2. What We Collect
At MVP we operate the Service without user accounts. We collect:
- IP address of scan submitters, used for per-IP rate limiting and abuse prevention. Held in application logs for 30 days, then purged.
- Submitted URLs and scan outputs (findings, evidence excerpts, grade). Retained while the Service operates so repeat scans of the same host can be compared over time. Scan records older than 90 days are pruned automatically, with one most-recent scan retained per host to keep embedded badges valid. The right-to-delete endpoint (below) removes everything for a given host on request.
- Server access logs (standard Apache request logs: IP, timestamp, path, user-agent, referer). Retained for 30 days.
3. What We Do NOT Collect
We do not use analytics, marketing cookies, behavioural trackers, or third-party advertising pixels. We do not integrate with Google Analytics, Facebook Pixel, LinkedIn Insight, Hotjar, or equivalent. This is a deliberate design choice, not an oversight — if you see third-party scripts loading, something is wrong and we'd like to know.
4. Cookies
The Service sets only strictly-necessary cookies (session identifier, CSRF token). No non-essential cookies are set. Under the UK Privacy and Electronic Communications Regulations (PECR), a cookie banner is not required because the cookies we set are strictly necessary for the Service to function.
5. Legal Basis
We process the data above under UK GDPR Article 6(1)(f) — legitimate interests — specifically, operating and defending a public scanning service against abuse. The legitimate interests have been assessed as proportionate to the limited scope of data collected and the short retention of IP addresses.
6. Your Rights
Under UK GDPR you have the right to:
- Request access to personal data we hold about you.
- Request rectification of inaccurate personal data.
- Request erasure ("right to be forgotten"). For scan records, the public endpoint DELETE /api/v1/websites/{host} lets you remove a host's scan history self-service; for IP-address log data, use our contact form.
- Object to processing based on legitimate interests.
- Request portability of your data in a machine-readable format.
- Complain to the UK Information Commissioner's Office (ico.org.uk).
Exercise any right via our contact form.
7. Sharing
We do not sell personal data. We share it only with processors strictly necessary to operate the Service: our hosting provider (cPanel-hosted Apache), our domain registrar, and our email provider. These processors are bound by contract to process data only on our instructions.
8. International Transfers
Data is stored in the United Kingdom. Where a processor is located outside the UK or the European Economic Area, we rely on UK International Data Transfer Agreements or equivalent safeguards.
9. Changes
We may update this policy to reflect changes in the Service or in the law. Changes are versioned in git and the last-updated date at the top of this page is bumped on every change.