Privacy policy
Last updated: 2026-06-10.
OutOfBits is an invitation-only, out-of-band application security testing (OAST) platform operated by a single individual. This policy explains what data we collect, why, who we share it with, and how to have it deleted. It covers both account data (how you sign in) and captured data (the callbacks the platform records on your behalf).
Account data we collect when you sign in
Sign-in is handled by Google or GitHub using OAuth. We never see or store your password for those providers. When you authenticate, we receive and store only:
- Your email address (used to match you against our access allowlist and to contact you).
- Your name or username as reported by the provider (for display).
- A stable, provider-specific account identifier (the OAuth sub / user id), so we can recognize you on return visits.
We request only the basic openid, email, and profile scopes. We do not request access to your email, files, contacts, repositories, or any other data held by Google or GitHub, and we do not store OAuth refresh tokens or make ongoing API calls to those providers after sign-in.
How we use account data
Account data is used only to authenticate you, enforce the invitation allowlist, display your identity in the app, and send you service-related email (for example security or operational notices). We do not sell it, share it for advertising, use it for profiling, or feed it to any third-party analytics or ad network.
Captured callback data
The core function of the platform is to capture the DNS, HTTP, and SMTP requests that arrive at hosts you claim. These captures are stored against your account and may include qnames, request headers and bodies, query strings, mail envelopes and message content, and the source IP addresses of whoever contacted your host. Anyone on the public internet can send arbitrary data to your hosts — that is the OAST use case — so treat captured data as untrusted, attacker-controlled input. Do not deliberately route production credentials or other people's personal data through your hosts; see the Terms of use.
Cookies
We set a single session cookie after you sign in to keep you logged in. It is essential to the service and is not used for tracking or advertising. We use no third-party tracking cookies.
Who we share data with
We do not sell or rent your data. It is shared only with the infrastructure providers required to run the service:
- Google and GitHub — identity providers for sign-in (they receive the authentication request; we receive your basic profile).
- Our hosting and DNS providers — the servers and network that store data and answer callbacks.
- Resend — transactional email delivery (operational and security notices).
We may also disclose data if required by law, or to investigate suspected abuse of the service.
Data retention
- Captured interactions (DNS, HTTP, SMTP), chain execution logs, and rate-limit records are deleted after 30 days.
- Audit events (sign-ins, host claims, modifier edits, admin actions) are kept long-term.
- Account records persist while your account exists; if access is revoked, data remains subject to the retention schedule above.
- Database backups are taken weekly and retained for several months. Deleted data disappears from the UI and API immediately but may persist in older backups until those are rotated.
Your choices
You can delete your data yourself at any time from your account page: "Purge captured data" removes all your captured interactions while keeping your account, and "Delete account" removes your account and everything you own and takes you off the access list. You can also request access, correction, or deletion using the contact below. You can revoke OutOfBits' access from your Google account permissions or your GitHub authorized applications page, which prevents future sign-in.
Children
OutOfBits is a professional security-testing tool and is not directed to children. We do not knowingly collect data from anyone under 16.
Changes to this policy
This policy may change. The "last updated" date above reflects the current version; material changes will be noted in the app.
Contact
Privacy questions, data access requests, or deletion requests: chs@outofbits.com.