Privacy Policy

Last updated: 11 June 2026

Who we are

Bastion is run by Amish, a UK-based sole trader. For anything in this policy, we're the data controller, which is the legal way of saying the responsibility stops with us. Email privacy@bastion.wiki.

The short version

We built a security tool. It would be hypocritical to spy on you. We collect the minimum needed to run accounts, take payments, and stop abuse, and nothing about your code or your scan results ever reaches us.

What we collect, and why

  • CLI scans: nothing comes to us. The CLI runs on your machine and never sends anything to Bastion's servers. To do its job it talks directly to other places: the site you're scanning for the URL checks, your DNS resolver for things like DMARC lookups, and the npm registry for the dependency check. None of that goes through us, and nothing about your project comes back to us. There's no telemetry in the CLI.
  • URL scanner: your URL, briefly. When you scan a URL on the website, we send it to our server to run the HTTP checks and return the results to your browser. The URL isn't stored. To stop abuse we keep two small pieces of operational data: rate-limit counters keyed to your IP address, which expire on their own within minutes, and, if you're signed in, a daily count of how many scans you've run, which is a timestamp tied to your account and nothing more. Neither records what you scanned. We don't build a history of the URLs you've checked.
  • Your account: an email address. If you create an account, Supabase, our authentication provider, stores your email address and what's needed to keep you signed in. We also hold your subscription status so the site knows what plan you're on.
  • Payments: handled by Lemon Squeezy. Card details go straight to Lemon Squeezy as merchant of record. We never see or store them. What we get back is your subscription status.
  • Hosting, honestly. The site runs on Vercel, and like any host, Vercel processes requests in order to serve them, under its own privacy policy. We don't use that for tracking, and we don't run analytics on top of it.

What we don't collect

Your source code, your scan results, your file contents, your dependency trees. None of it ever reaches us. There's no telemetry in the CLI, no analytics on this site, and no tracking pixels.

Why we're allowed to do this

UK data protection law asks us to name a legal basis for each thing we do. Ours are simple. We process your email and subscription status because we have a contract with you: your account. We process rate-limit and scan-counter data because we have a legitimate interest in keeping the scanner working and stopping abuse. We don't process anything based on consent harvested through pop-ups, because we don't collect anything that would need one.

Cookies

If you sign in, we set one authentication cookie so the site remembers you. It's strictly necessary for the service to work, which is why there's no cookie banner. No tracking cookies, no advertising cookies, no third-party analytics.

Third-party services

We use four:

  • Supabase for authentication and account data, hosted in the UK (AWS London, eu-west-2).
  • Lemon Squeezy for subscriptions and payments, as merchant of record, under its own privacy policy.
  • Vercel for hosting and serverless functions, under its own privacy policy.
  • Sentry for error monitoring, so we find out when the site breaks. An error event can include your IP address, browser user-agent, and the page URL at the moment of the error. Performance tracing, session replay, and log forwarding are all switched off.

Where your data lives

Your account data stays in the UK: Supabase hosts it in the AWS London region (eu-west-2). Our other providers (Lemon Squeezy, Vercel, Sentry) process some data outside the UK; where they do, they rely on recognised legal safeguards for international transfers, and each provider's own policy linked above sets out its arrangements.

How long we keep things

URL scan data lives for minutes in the rate-limit counters described above, then it's gone. The signed-in scan counter keeps its timestamps so plan limits work; they're deleted with your account. Account information stays for as long as your account is active. Delete your account and we delete what we hold about you. The one honest caveat: payment records sit with Lemon Squeezy, and tax law requires transaction records to be kept for some years, so those outlive an account deletion. They're billing records, not your data trail.

How we protect what little we hold

Everything between you and Bastion travels over HTTPS. Account data sits in Supabase's managed database with encryption at rest (AES-256). And our main protection is structural: we can't lose what we never collected, which is why the lists above are so short.

Your rights

You can ask us what data we hold about you, ask us to correct it, delete it, or hand it over in a portable format, and you can object to processing based on our legitimate interests. Email privacy@bastion.wiki and we'll respond within a month, usually much faster.

If you're unhappy with how we've handled something, you can complain to the UK's data protection regulator, the Information Commissioner's Office, at ico.org.uk. We'd appreciate the chance to fix it first, but that's your right either way.

Changes to this policy

If we change this policy in a way that matters, we'll email account holders and update the date at the top. Small clarifications just get updated here.

Questions

Email privacy@bastion.wiki and we'll clarify anything.