Legal Document

Privacy Policy

Effective March 14, 2026 Applies to MRichard333.com & ZeroTrust Extensions

Introduction

MRichard333 ("we," "us," or "our") is a registered non-profit organization incorporated under the laws of Canada, committed to protecting your personal information. This Privacy Policy describes how we collect, use, and safeguard your data when you use MRichard333.com, our tools (ZeroTrust Scanner, CVE Tracker, Breach Monitor), and the ZeroTrust Browser Extensions for Chrome and Firefox. Our Service is operated from Canada but hosted on servers located in the United States of America. This policy complies with Quebec Law 25, Canada's PIPEDA, and respects the principles of the GDPR.

§01 Information We Collect

1.1 Information You Provide

Account Registration: Full name and email address. Passwords are never stored in plain text — hashed using Argon2id.
Scan Data: Target URLs and generated security reports linked to your User ID, powering your Scan History feature.
Support Communications: Any information you provide when contacting us by email or chat.

1.2 Automatically Collected Data

Access & Security Logs: IP address, browser type, OS, and request timestamp — used strictly for rate limiting, DDoS protection, and brute-force detection.
Login Logs: Each login records your IP address, a calculated risk score (see §1.4), and associated risk details. Retained for fraud and account-takeover prevention.
Authentication Events: All auth actions — login, logout, 2FA attempts, password resets, email verifications — are logged with IP and user-agent for security auditing.
Analytics: We use Google Analytics on MRichard333.com to collect aggregated, anonymized usage statistics. This data is not linked to your account.

1.3 Browser Extension Data

Extension Users — Please Read

By installing the ZeroTrust browser extension, the following data handling applies. You may uninstall the extension at any time to stop this collection.

URLs of Pages You Visit: The extension sends every http:// and https:// URL you navigate to our scan API to display a real-time safety score. These are stored as scan history linked to your account.
JWT Authentication Token: Your session token is stored in chrome.storage.local (Chrome) or Firefox extension storage, and sent with every API request.
Scan Results: Safety scores and full analysis results are saved in your scan history, identical to manual scans.
No Keystroke or Form Data: The extension does not read, capture, or transmit anything you type, including passwords or form inputs on third-party sites.

1.4 Automated Risk Profiling at Login

When you log in, our system calculates a risk score based on:

Detection of VPN, proxy, or Tor exit node usage
Detection of datacenter or cloud-provider IP ranges (e.g., AWS, DigitalOcean, Hetzner)
Presence of known proxy-related HTTP request headers

A score of 75 or above blocks login. Disable your VPN and retry to resolve this. Scores and details are stored in our login_logs table.

1.5 IP Blocking

Five or more failed login or 2FA attempts from a single IP within 15 minutes triggers an automatic 1-hour block stored in our blocked_ips table.

§02 How We Use Your Information

⚙️

Service Delivery

Authenticate logins, generate reports, display scan history, power the extension's real-time scoring.

🛡️

Security & Fraud Prevention

Detect brute-force attacks, block malicious IPs, prevent account takeovers, enforce rate limits.

✉️

Communication

Transactional emails only: resets, verification, subscription updates. Newsletters require explicit opt-in.

💳

Billing

Process payments via Gumroad and enforce subscription tier limits (Free / Premium / Enterprise).

§03 Data Retention

Data Type	Retention	Purpose
Account profile	Until deletion	Account access
Scan history & reports	Until deletion	Historical analysis
Authentication event logs	90 days	Security auditing
Login logs (IP + risk score)	90 days	Fraud prevention
Blocked IPs	1 hour (auto-expiry)	Brute-force protection
Password reset tokens	1 hour (auto-expiry)	Secure recovery
Deleted accounts	Purged within 30 days	Right to erasure

§04 Data Storage & Security

4.1 Encryption

All data in transit is protected by SSL/TLS. Passwords are hashed with Argon2id. Session tokens are HS256-signed JWTs with a 30-day expiry, stored in extension local storage — not browser cookies. Data is stored on servers in the United States operated by Namecheap. We apply Canadian security standards to all data regardless of storage location.

4.2 Security Incident Protocol

In accordance with Quebec Law 25, if a confidentiality incident presents a risk of serious injury, we will notify you and the Commission d'accès à l'information du Québec promptly.

§05 Third-Party Sharing

We do not sell your data. We share data only with providers required to operate the platform:

Gumroad: Payment processing and subscription management.
Namecheap / Cloudflare: Hosting infrastructure and DDoS protection.
Google Analytics: Anonymized, aggregated usage statistics on MRichard333.com. No personal account data is shared.
NIST NVD: Detected technology names/versions may be sent to NIST's CVE API during scans. No personal data included.
ip-api.com: The IP of a scanned target (not your IP) is sent for geographic lookup during scans.
Spamhaus DNSBL: Target IPs are checked against the Spamhaus blocklist during scans.

§06 International Data Transfers

Your personal information is primarily stored in Canada. Some providers (Cloudflare, Google Analytics, NIST NVD, ip-api.com) may process data in the United States or other jurisdictions. By using the Service, you consent to such transfers, which may be governed by different data protection rules.

§07 Your Rights

Right to Access: View your profile and full scan history in your dashboard.
Right to Rectification: Update your name or email in account settings.
Right to Erasure: Contact us to request permanent deletion of your account and all associated data within 30 days.
Right to Portability: Request an export of your scan history and profile data in JSON format.
Right to Object to Profiling: Contact us to opt out of automated risk scoring. This may affect login from certain network types.
Right to Withdraw Consent (Extension): Uninstall the ZeroTrust extension at any time to stop URL collection. Existing history can be deleted on request.
Quebec Residents — Additional Rights: Under Quebec Law 25, you have the right to be informed of any automated decision-making affecting you (including our risk scoring at login), the right to request human review of such decisions, and the right to be notified of any privacy incident. Contact us to exercise these rights.
EU/UK Residents: You have the right to lodge a complaint with your local data protection supervisory authority at any time.

§08 Cookies & Local Storage

Website

MRichard333.com uses a session cookie for login state and a CSRF protection token. These are essential. Google Analytics places optional analytics cookies which require your consent where applicable.

Browser Extension

The ZeroTrust extension does not use browser cookies. Your JWT is stored in chrome.storage.local (Chrome) or the Firefox extension storage API — sandboxed to the extension and inaccessible to websites you visit.

§09 Contact & Responsible Person

To exercise your rights, request data deletion or export, or ask questions about this policy, contact MRichard333's designated Person Responsible for the Protection of Personal Information, as required under Quebec Law 25:

Matthieu Richard-Levesque

Administrator & Data Protection Officer — MRichard333.com

[email protected]

§10 Changes to This Policy

If we make material changes — such as sharing data with new third parties or collecting new data categories — we will notify you via email or a dashboard alert at least 14 days before the change takes effect. The date at the top of this document reflects the last revision.