剣 KENSAI
Back to Home

Privacy Policy

Last updated: February 24, 2026 · Effective: February 24, 2026

This document is available in English only. · Dieses Dokument ist nur auf Englisch verfügbar. · Ce document est disponible uniquement en anglais. · Este documento está disponible solo en inglés. · Dit document is alleen beschikbaar in het Engels.

1. Introduction & Data Controller

This Privacy Policy explains how Techfunder World AG ("KENSAI", "we", "us", or "our") collects, uses, stores, and protects your personal data when you use our website at kensai.app, our security scanning platform, APIs, and related services (collectively, the "Services").

Data Controller

Techfunder World AG
Industriestrasse 9
6302 Zug, Switzerland
Registration: CHE-191.216.273 (Canton of Zug)

Email: Contact us

Data Protection Officer: Contact us

2. Scope

This policy applies to all personal data processed through:

  • The KENSAI website (kensai.app)
  • The KENSAI security scanning platform and dashboard
  • Our REST API and integrations
  • Automated and on-demand security scans
  • Email communications and support channels

It does not apply to third-party websites linked from our Services. We encourage you to review the privacy policies of any third-party services you interact with.

3. Data We Collect

3.1 Account Data

When you create an account, we collect: name, email address, company name, job title (optional), and authentication credentials (hashed).

3.2 Scan Data

When you run security scans, we process: target URLs/domains/IPs you submit, scan configurations and schedules, scan results including discovered vulnerabilities, severity ratings, and remediation recommendations. Scan data is encrypted at rest and logically isolated per customer.

3.3 Usage Data

We automatically collect: IP address, browser type and version, operating system, pages visited, time spent on pages, referring URL, and feature usage patterns. This is collected via server logs and analytics tools.

3.4 Payment Data

Payments are processed by Stripe, Inc. We do not store your full credit card number, CVV, or bank account details on our servers. We receive and store only: billing name, billing address, last four digits of your card, card expiry date, and transaction history.

3.5 Cookies & Tracking Technologies

We use the following categories of cookies:

  • Essential cookies — Required for authentication, session management, and security (always active)
  • Analytics cookies — Google Analytics 4 to understand usage patterns (with your consent)
  • Preference cookies — Language and display preferences

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect platform functionality.

4. Legal Basis for Processing (GDPR Art. 6)

We process your personal data based on the following legal grounds:

Contract Performance (Art. 6(1)(b))

Providing scanning services, managing your account, processing payments, delivering scan reports.

Legitimate Interest (Art. 6(1)(f))

Platform security, fraud prevention, analytics for service improvement, anonymized security research.

Consent (Art. 6(1)(a))

Marketing communications, analytics cookies, optional newsletters. You may withdraw consent at any time.

Legal Obligation (Art. 6(1)(c))

Tax records, compliance with lawful government requests, NIS2 compliance documentation.

5. How We Use Your Data

We use the data we collect to:

  • Provide, operate, and maintain our security scanning services
  • Generate vulnerability reports and remediation recommendations
  • Process transactions and send billing-related communications
  • Improve and optimize the platform based on usage patterns
  • Conduct anonymized security research to improve detection capabilities
  • Send service-related notifications (scan completions, critical findings, scheduled maintenance)
  • Send marketing communications (only with your explicit consent)
  • Respond to support requests and inquiries
  • Detect, prevent, and address technical issues and abuse

6. Data Sharing & Third Parties

We do not sell your personal data. We share data only with the following categories of recipients, and only as necessary:

Stripe, Inc.

Payment processing. Subject to Stripe's Privacy Policy.

Google LLC (Analytics)

Website analytics via Google Analytics 4 with IP anonymization enabled. Only with your consent.

AI/LLM Providers (via OpenRouter)

Anonymized and aggregated scan data may be processed by AI models for vulnerability analysis. No personally identifiable information is transmitted.

Infrastructure Providers

EU-based hosting and CDN providers for service delivery. All bound by data processing agreements.

We may disclose personal data if required by law, court order, or to protect the rights, property, or safety of KENSAI, our users, or the public.

7. International Data Transfers

🇪🇺 Our primary infrastructure is hosted in Frankfurt, Germany (EU). Your data is processed and stored within the European Economic Area (EEA) whenever possible.

Where data transfers outside the EEA are necessary (e.g., Stripe for payment processing, certain AI providers), we ensure adequate protection through:

  • EU adequacy decisions (e.g., Switzerland, EU-U.S. Data Privacy Framework)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements with all sub-processors

8. Data Retention

We retain your data for the following periods:

  • Account data — Duration of your account plus 30 days after deletion
  • Scan results — 90 days by default; configurable per plan (up to 1 year for enterprise)
  • Usage logs — 12 months, then anonymized
  • Payment records — As required by applicable tax law (typically 7–10 years)
  • Support correspondence — 24 months after resolution

You may request earlier deletion of your data at any time (see Section 9).

9. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

  • Access — Request a copy of the personal data we hold about you
  • Rectification — Correct inaccurate or incomplete data
  • Erasure — Request deletion of your personal data ("right to be forgotten")
  • Restriction — Request restriction of processing under certain conditions
  • Portability — Receive your data in a structured, machine-readable format
  • Objection — Object to processing based on legitimate interest
  • Withdraw consent — At any time, without affecting prior lawful processing

To exercise any of these rights, contact us at Contact us. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC).

10. Data Security

We implement industry-standard technical and organizational measures to protect your data, including:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Logical tenant isolation — scan data is separated per customer
  • Role-based access controls and audit logging
  • Regular security assessments of our own infrastructure
  • SOC 2 Type II–aligned security practices

No system is 100% secure. If we become aware of a data breach affecting your personal data, we will notify you and the relevant supervisory authority in accordance with GDPR Article 33/34.

11. Children's Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us at Contact us and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our website at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.

Continued use of the Services after the effective date constitutes acceptance of the updated policy.

13. Contact Us

For any privacy-related questions or requests:

Techfunder World AG
Attn: Data Protection Officer
Industriestrasse 9
6302 Zug, Switzerland

Email: Contact us · Contact us