// privacy
Privacy notice
This is a self-hosted platform. “We” means the operator who deployed NeoShieldSecurity QUANTUM X on their own server. This notice explains, in plain language, what the platform collects, why, who it shares data with, how long it keeps it, and the choices you have. Our design principle is least-data: we hold the minimum that still makes a feature work, and inputs to offline analyzers are processed in memory and never stored.
Quick summary
- Sign-in is by one-time email code — there are no passwords, and codes are stored only as a salted hash.
- AI features send the text you submit to Anthropic to generate a result; we don’t attach your email or IP, and we don’t store the content.
- Payments run entirely on Stripe’s hosted checkout — card numbers never reach this server.
- The site uses one functional session cookie (
NSS_SID). Google advertising — and analytics, where enabled — set their own third-party cookies. - Offline security tools (Vault, hashing, header checks, secret/PII scanners, and similar) never store, log, or transmit what you paste.
- You can ask us to access, export, or delete your data at any time via Contact.
Who is responsible for your data
For your account, purchases, and general use of the site, the operator is the data controller. For the SOC Console (a Team feature), the workspace owner is the controller of the log data and assets they ingest, and this platform acts as a processor that stores and analyses that data on their behalf, isolated per workspace.
What we store
- Account email. The email you sign in with, your sign-in timestamps, and your role (admin or user) are stored in
auth/users.json(or theuserstable when the database is enabled). - Tools you create. The title, description, chosen library tool, and config of tools you build are stored in
data/tools.json, tagged with your email as owner. - Plan & entitlement records. Pro, Team, and Founder grants — and Pro windows earned from a qualifying donation — are stored against your email with the plan reference, start date, and expiry (
data/pro_users.json/data/team_users.json, including seat count for Team). This is how access is granted and when it lapses. - Add-on pack balances. Purchased top-ups (extra scans, AI ops, builds, or a verified-certificate credit) are stored against your email in
data/packs_balance.jsonwith a short purchase log so credits can be applied and audited. - Payment reconciliation. Completed purchases and donations are recorded in
data/donations.json(Stripe checkout session id, amount, currency, status, and receipt email). To stop a payment being granted twice, fulfilled session ids are kept indata/processed_sessions.json(most recent 500 only). - Academy progress. If you use the Academy, your XP, rank, per-module completion, quiz scores, and certificate links are stored against your account so your progress and certificates persist.
- Messages you send us. If you use the contact form, your name, email, message, and a timestamp are stored in an admin inbox so we can reply; the form is CSRF-protected, rate-limited, and bot-filtered.
- Content you submit. Blog submissions and similar contributions are stored with your email as the author for review and, if approved, publication.
- SOC Console data (Team). When you use the multi-tenant SOC Console, the platform stores the log events you ingest (which can include source IPs, hostnames, and message text), the incidents and alerts derived from them, any device/asset inventory you add, and the alert channels and API keys you configure — all scoped to your workspace. You can clear your workspace at any time, which purges its events and incidents.
- Activity & security logs. Security-relevant events (sign-ins, tool create/publish/delete, purchases and grants, API errors, rate-limit and blocklist triggers) are stored in
data/logs.jsonwith a timestamp, event type, your email, your IP address, and a truncated browser user-agent. - Rate-limit counters. Short-lived per-email/IP timestamps are kept in
data/ratelimit.jsonto enforce usage limits and abuse protection.
When the optional database is enabled, the records above
are stored in equivalent MariaDB tables (for example pro_users, team_users,
pack_balances, donations, soc_log_events, academy_progress)
instead of JSON files. The information held is the same.
What we never store
- Raw sign-in codes. Each one-time code is kept only as a salted hash (
password_hash), is single-use, and expires after 5 minutes. It is discarded the moment it is used or expires. - Passwords. There are none — sign-in is code-based.
- Your AI/API keys and the operator’s Claude API key. These live in server configuration, outside the web root, and never in stored data.
- Card numbers. Card data is entered on Stripe’s hosted page and never touches this server.
- Offline-tool input. Tools that run locally — Quantum Vault, hashing/HMAC, header checks, secret and PII scanners, JWT/phishing/Sigma analyzers, and similar — process your input in memory only. They never log or store your text, payloads, or passphrases.
- Your full password in the exposure check. The password breach check uses k-anonymity: only the first five characters of your password’s SHA-1 hash leave the server, so the password itself and its full hash are never transmitted.
Cookies, advertising & analytics
Functional cookie (first-party). We set a single session cookie, NSS_SID, to
keep you signed in. It is HttpOnly, SameSite=Strict, marked
Secure over HTTPS, expires when your session ends, and times out when idle. It is
not used for advertising or cross-site tracking.
Advertising (third-party). The site loads Google AdSense, which may set its own cookies and use device identifiers to show and measure ads. Google may use this data per its own policies. You can manage or opt out of personalised ads at Google’s Ads Settings and via aboutads.info, and you can control cookies in your browser.
Google’s handling of ad and analytics data is governed by the Google Privacy Policy. Third-party cookies are set by Google, not by us.
AI processing (Anthropic Claude)
Several features are powered by the Anthropic Claude API: drafting a tool, the AI SOC Copilot, the Phishing Email Analyzer, the AI Code Reviewer, the AI Security Consultant, the SOC “ask the analyst” feature, and AI-assisted vulnerability scanning. When you use them, the text you submit (for example a pasted email, a code snippet, a log excerpt, or your question) is sent to Anthropic to generate the response. We send only the content needed for that request; your account email and IP are not included. The content is processed in memory to produce your result and is not stored by this platform. Review Anthropic’s privacy policy for how they handle API requests.
Exposure & breach checks
The Exposure Check helps you find out whether a password or email appears in known breaches. Password checks use the Have I Been Pwned Pwned Passwords range API with k-anonymity, so your password and its full hash never leave the server. Email breach lookups are optional and only performed when the operator has configured a provider key; in that case the email address you enter is sent to that provider to perform the lookup. We don’t store the results against your account.
Plans, payments & donations
Paid plans (Pro, Team, Founder), add-on packs, and donations are processed by Stripe using Stripe Checkout. Card details are entered on Stripe’s own hosted page and never touch this server. We store only the Stripe checkout session id, the amount and currency, the payment status, and the email associated with the purchase — used to apply your entitlement and reconcile payments. We never receive or store card numbers. See Stripe’s privacy policy.
If you make a qualifying donation (¥1,000 or more), we use the email you are signed in with — or, if you are not signed in, the email you give Stripe for your receipt — to grant a time-boxed Pro window as a thank-you. Donations below the threshold are recorded for accounting but grant no access.
Emails & communications
Sign-in codes are delivered by email using the server’s mail configuration (PHP mail()
or SMTP) and contain only the 6-digit code and its expiry — no tracking pixels. If you opt into the
daily threat briefing, we send it to your email; every briefing includes a one-click
unsubscribe link, and you can resubscribe at any time. Account and
transactional emails (such as receipts or important security notices) may still be sent while your
account is active.
How long we keep it
- Activity and security logs are pruned automatically: events older than 30 days are removed, and only the most recent 2,000 events are retained.
- Plan and Team records are kept while active and remain after expiry as a lapsed record (so renewals extend rather than duplicate). Add-on pack balances are kept until the credits are used.
- Payment reconciliation records are retained for accounting; processed-session ids are capped at the most recent 500.
- SOC Console events and incidents persist until you clear your workspace or ask us to delete them.
- One-time codes are discarded the moment they are used or expire. Deleting a tool removes its record and review artifact immediately.
Your rights & choices
- Access & export. Ask us for a copy of the account data we hold about you.
- Correction & deletion. Ask us to correct or delete your account, entitlement records, messages, Academy progress, or SOC workspace data.
- Advertising. Opt out of personalised ads via Google’s Ads Settings and your browser’s cookie controls.
- Email. Unsubscribe from the daily briefing with one click from any briefing email.
- How to ask. Use the Contact form. Depending on where you live, you may also have rights under laws such as the GDPR or CCPA; we’ll honour applicable requests.
International transfers
Some processors we rely on — Anthropic, Stripe, and Google — operate in the United States and other countries. Using those features may involve transferring the relevant data to those providers, who handle it under their own privacy terms linked above.
Children
This platform is intended for security professionals and learners and is not directed to children under 16. We don’t knowingly collect data from children. If you believe a child has provided data, contact us and we’ll remove it.
How we protect your data
We assume breach and minimise what we retain. Protections include AES-256-GCM encryption and
argon2id hashing where applicable, prepared statements, CSRF protection on every form, SSRF guards
on outbound requests, a strict Content-Security-Policy and security headers, a hardened
HttpOnly/SameSite=Strict session cookie with idle timeout, and the rule
that no AI-authored code is ever executed on the server. No method is perfectly secure, but the
platform is built to be auditable rather than trusted on faith.
Changes to this notice
We may update this notice as the platform evolves. Material changes will be reflected here with a new date below.
Last updated: July 2026.