Privacy Policy

The data controller is Mex Strategic Intelligence Center, S.A. de C.V. (commercial name SICenter), with address at Periférico Sur 4118, Piso 8, Jardines del Pedregal, CDMX, México. For any privacy request or to exercise your rights, contact legal@sicenter.io.

This Policy covers personal information we process as a controller through www.sicenter.io, our applications, and our marketing. Where we process scan data on behalf of an account holder, we act as a processor on their behalf (see Controller vs processor). It does not cover third-party websites or services we link to, which have their own policies.

You provide

• Account & contact data: name, email, company, role, password/authentication identifiers, and organization/workspace details.
• Billing data: plan, subscription status, and payment metadata. Card details are handled directly by our payment processor (Stripe) — we do not store full card numbers.
• Scan inputs: the domains, hosts, and configuration you submit, and the report pages you request.
• Communications: messages, support requests, and marketing/consent preferences.

Collected automatically

• Usage & device data: IP address, browser/device information, pages and interactions, and timestamps.
• Service-generated data: logs, queue and telemetry data, and operational metrics produced as you use the Services.
• Cookies and similar technologies (see Cookies & analytics).

Scan results

When you run a scan, we collect technical information about the target asset (IP addresses, open ports, services and versions, TLS certificates, DNS records, and known-vulnerability matches). This may incidentally include personal data published about that asset — for example registrant emails in WHOIS, contact addresses in DNS records, or names in TLS certificates. See Scan data & third-party information.

• To operate the public scan/report experience and the continuous monitoring platform.
• To create and administer accounts, organizations, subscriptions, and billing.
• To deliver reports, alerts, and account/transactional communications.
• To secure the Services, prevent abuse, debug, and verify scanning authorization.
• To rate-limit and briefly cache the free public tools and scans (by IP address and submitted target) to prevent abuse and reduce load.
• To improve reliability and develop features, including with aggregated or de-identified data.
• To send product, research, or event communications where you have opted in or as permitted by law.
• To comply with legal obligations and protect our rights, users, and systems.

Depending on the context, we rely on one or more of:

• Performance of a contract — to provide the Services you request and your subscription.
• Consent — e.g. for marketing emails or where required for certain cookies; you may withdraw it at any time.
• Legitimate interests — to secure, operate, and improve the Services, balanced against your rights.
• Legal obligation — to comply with applicable law.

We do not sell your personal information. We share it with service providers (subprocessors) who process data on our behalf, under contracts requiring appropriate safeguards, solely to operate the Services:

• Supabase — database hosting and authentication (account data, scan results). United States.
• Vercel — website/app hosting and product analytics. United States.
• Railway — the scanning compute fleet that runs scans. United States.
• Upstash — managed Redis for job queues, rate-limiting, and short-lived caching of free-tool inputs and results. United States.
• Stripe — payment processing and billing. United States.
• Resend — transactional and report-delivery email. United States.
• Geolocation provider — IP geolocation enrichment of discovered assets.

We may also disclose information when required by law or legal process, to protect rights or safety, or in connection with a corporate transaction such as a merger, financing, or sale of assets (subject to this Policy). This list may change as our infrastructure evolves; the current list lives on this page.

SICenter is an external attack-surface tool: when you scan an asset, results may incidentally contain personal data published about that asset (WHOIS registrant emails, DNS contacts, certificate subject information). By submitting a target, you confirm you are authorized to assess it and to have us process such incidental data on your behalf for security purposes. We process it only to produce your results, apply data-minimization, and make it available to your organization. If you believe your personal data appears in a scan result without basis, contact legal@sicenter.io.

To map a target's external footprint, we may query third-party certificate-transparency, DNS, and threat-intelligence data sources. These receive only the target identifier you submit (a domain or IP) — never your account credentials or personal data.

We are the controller of personal data relating to your use of the Services (account, billing, usage). For the scan results and inventory we generate for your organization, we generally act as a processor on your instructions — you are the controller of that Customer Data and are responsible for having a lawful basis and authorization for the assets you scan.

We operate from Mexico, and our subprocessors process data primarily in the United States. When we transfer personal data across borders, we rely on appropriate safeguards such as standard contractual clauses or equivalent mechanisms. By using the Services, you understand your data may be processed outside your country, subject to those safeguards.

We keep personal information only as long as necessary for the purposes in this Policy:

• Account & billing data — for the life of your account and as required for tax, accounting, and legal records afterward.
• Scan results & inventory — for as long as your organization keeps monitoring active, so we can show change over time. Continuous monitoring stores a living inventory that updates with each scan.
• Logs & telemetry — for a limited operational period.

You can export or request deletion of your data at any time. On account closure, we delete or anonymize your organization's data (scans, inventory, schedules, and membership) within a commercially reasonable period, except where retention is required by law. Aggregated or de-identified data that no longer identifies you may be retained.

We apply reasonable administrative, technical, and organizational measures to protect personal information, including access controls, row-level data isolation between organizations, encryption in transit, and least-privilege service credentials. No system is perfectly secure, so we cannot guarantee absolute security. Report any concern to security@sicenter.io.

We use cookies and similar technologies to keep you signed in, remember preferences, secure the Services, and measure usage (including via Vercel Analytics). You can control non-essential cookies through your browser; disabling some may affect parts of the experience.

The Services automatically analyze technical scan data — for example matching detected software against a vulnerability mirror to flag potential CVEs and computing a posture score. These are informational signals to help you prioritize, not decisions that produce legal or similarly significant effects about individuals. You remain responsible for validating and acting on findings.

Subject to applicable law, you may have rights to access, rectify, delete (cancel), or object to / limit the processing of your personal data, to data portability, and to withdraw consent.

• Mexico (LFPDPPP — derechos ARCO): acceso, rectificación, cancelación y oposición, plus limitation of use/disclosure and revocation of consent.
• EEA / UK (GDPR): access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority.
• California (CCPA/CPRA): to know, access, delete, correct, and opt out of "sale"/"sharing" (we do not sell personal information), without discrimination.

To exercise any right, or to unsubscribe from marketing, contact legal@sicenter.io. We may ask for information to verify your identity before fulfilling a request, and will respond within the timeframe required by applicable law.

The Services are not directed to anyone under 16, and we do not knowingly collect their personal data. If you believe a minor has provided us data, contact us and we will delete it.

We may update this Policy from time to time; the updated version is effective when published here, unless a later date is stated. For privacy questions or to exercise your rights, contact legal@sicenter.io.