Zero-Knowledge Architecture: SPCTR is built so that your sensitive data — passwords, TOTP secrets, and vault contents — is encrypted on your device before it ever leaves it. Bruiser CyberSec LLC cannot read, access, or recover your vault data. This policy describes what limited data we do collect and why.
1. Who We Are
SPCTR is a privacy-first security application developed and operated by Bruiser CyberSec LLC, a limited liability company organized under the laws of the State of Arizona. Questions about this policy: [email protected]
2. Scope of This Policy
This Privacy Policy applies to all users of SPCTR worldwide, including Guest mode, Free, Plus, Pro, and Admin accounts. It covers data collected through the SPCTR web application, installable PWA, associated Netlify serverless functions, and any email correspondence with Bruiser CyberSec LLC.
3. Information We Collect
3.1 Information You Provide Directly
- Email address — required to create an account. Used for authentication, security notifications, and account recovery.
- Display name — optional, collected at signup if provided.
- Master password — used locally to derive your encryption key via PBKDF2-SHA256 (310,000 iterations). We never receive, store, or transmit your master password.
- Email mask forward address — the real email address to which your spctrmail.com alias forwards incoming mail. Stored in our database and used solely to route forwarded email.
- Referral codes — if you use or share a referral/invite code, we record the association to apply any applicable rewards.
3.2 Information Collected Automatically
- IP address — logged on each sign-in event and on rate-limit checks. Used to detect geographic anomalies, enforce rate limits, and prevent abuse.
- Device fingerprint (HMAC'd) — a one-way HMAC-SHA256 fingerprint derived from your browser's user agent string and related signals. Used to identify trusted devices without storing raw device identifiers. Cannot be reversed.
- Browser / operating system — parsed from your user agent string for human-readable display in security notification emails. Not stored independently.
- Login events — each sign-in records a timestamp, device fingerprint hash, IP address, approximate country, and whether the device was trusted. Retained for 90 days.
- Subscription and entitlement data — your current subscription tier is stored in your user profile and synchronized with RevenueCat.
- Theme preference — your selected UI theme is stored in your user profile for persistence across devices.
3.3 Data We Explicitly Do Not Collect
- Your plaintext passwords, TOTP secrets, or vault entries.
- Your master password at any point.
- Password hashes submitted to Have I Been Pwned — only the first 5 hex characters of a SHA-1 hash are transmitted via the k-anonymity model. Your browser contacts HIBP directly.
- Your real email address when checking breaches — breach email lookups are performed by your browser connecting directly to haveibeenpwned.com.
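The k-anonymity range lookup described in this section can be illustrated as follows. This is an added example, not SPCTR's or Bruiser CyberSec LLC's code, and it is written in Python for an offline run although the policy describes the lookup happening in the browser. The function names, the sample response body and its counts are constructed for the illustration.

```python
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"  # only the prefix appears in the request


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password locally; return (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_body: str) -> int:
    """Look up the locally held suffix in a range response body.

    Each line is "<35-hex suffix>:<count>". Padded responses contain
    filler lines with a count of 0, which must not be reported as hits.
    """
    wanted = suffix.upper()
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or len(candidate) != 35:
            continue  # ignore blank or malformed lines
        if candidate.upper() == wanted and count.strip().isdigit():
            return int(count)
    return 0


def constructed_range_body() -> str:
    """Constructed sample response (not real HIBP data)."""
    _, hit = split_hash("password")
    _, filler = split_hash("constructed-padding-entry")
    return "\r\n".join([
        "0" * 35 + ":3",   # unrelated suffix sharing the response
        hit + ":42",       # constructed count for the sample password
        filler + ":0",     # padding entry, not a breach hit
        "",
    ])


def check(password: str, range_body: str) -> tuple[str, int]:
    """Return (URL that would be requested, breach count decided locally)."""
    prefix, suffix = split_hash(password)
    return RANGE_URL.format(prefix=prefix), breach_count(suffix, range_body)


if __name__ == "__main__":
    body = constructed_range_body()
    for pw in ("password", "constructed-padding-entry", "not-in-sample"):
        print(check(pw, body))
```

The 35-character suffix never leaves the client; the match against the returned list is done locally.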
3.4 Encrypted Sync Data (Pro and Admin Tiers)
If you enable cloud sync, your vault, TOTP secrets, and email masks are encrypted on your device using AES-256-GCM before being uploaded to Supabase. We store only opaque ciphertext. We have no ability to decrypt this data and hold no copies of your encryption keys.
4. Third-Party Service Providers
| Provider | Purpose | Data Shared |
| --- | --- | --- |
| Supabase | Authentication, user profiles, encrypted sync blobs, email masks, login events, trusted devices | Email, user ID, encrypted blobs, IP, device fingerprint hash, mask forward address |
| Netlify | Application hosting, serverless function execution | IP address, HTTP request data |
| RevenueCat | Subscription and entitlement management | User ID, subscription tier |
| Resend | Transactional security notification emails | Email address, IP address, approximate location, device name |
| Have I Been Pwned | Password breach checking via k-anonymity API | 5-character SHA-1 hash prefix only |
| Cloudflare | Turnstile CAPTCHA for bot protection | Browser signals for CAPTCHA verification |
| Google Fonts | UI typography delivery | IP address (standard CDN request) |
We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.
5. How We Use Your Information
- To provide and operate the service — authenticating you, enforcing tier feature limits, routing email mask forwarding, and storing encrypted sync data.
- To protect account security — detecting new or untrusted device sign-ins, sending security notification emails, rate-limiting failed login attempts, and enabling session revocation.
- To manage subscriptions — verifying your subscription tier via RevenueCat.
- To prevent abuse — enforcing mask creation limits, referral anti-abuse rules, and blocking self-referrals.
- To comply with legal obligations — retaining data to the extent required by applicable law.
6. Legal Bases for Processing (GDPR / UK GDPR)
For users in the EEA or United Kingdom:
- Contract performance (Article 6(1)(b)) — processing necessary to provide the SPCTR service.
- Legitimate interests (Article 6(1)(f)) — security monitoring, fraud prevention, rate limiting, and abuse detection.
- Legal obligation (Article 6(1)(c)) — retaining data to comply with applicable legal requirements.
7. Data Retention
- Account data — retained for the life of your account, deleted within 30 days of account deletion.
- Login events — retained for 90 days, then automatically purged.
- Trusted device records — retained for 30 days from last confirmation, or deleted immediately upon session revocation.
- Rate-limit records — retained for the 15-minute lockout window, then purged.
- Email masks — retained until you delete the mask or close your account.
- Encrypted sync blobs — retained until you delete the data within the app or close your account.
8. Data Security
- All vault data is AES-256-GCM encrypted client-side before transmission. Encryption keys are derived using PBKDF2-SHA256 at 310,000 iterations and never leave your device.
- Device fingerprints are stored only as HMAC-SHA256 digests.
- All data in transit is protected by TLS. Supabase Row Level Security (RLS) ensures each user can only access their own data.
- Authentication requests are rate-limited to 5 attempts per 15-minute window per IP address.
9. Children's Privacy (COPPA)
SPCTR is available to users aged 13 and older. We do not knowingly collect personal information from children under the age of 13. If you believe your child under 13 has created an account, contact us at [email protected] and we will promptly delete the account.
10. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate data.
- Deletion ("Right to be Forgotten") — request deletion of your account and associated personal data.
- Portability — request your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Opt-out of sale/sharing (CCPA/CPRA) — we do not sell or share personal data for cross-context behavioral advertising.
To exercise any of these rights, contact [email protected]. We will respond within 30 days.
11. International Data Transfers
Bruiser CyberSec LLC is based in the United States. If you access SPCTR from outside the United States, your data may be transferred to and processed in the United States. For transfers from the EEA or UK, we rely on our service providers' Standard Contractual Clauses (SCCs). Supabase and Netlify maintain current SCCs.
12. Guest Mode
In Guest mode, all data is stored exclusively in your browser's IndexedDB and localStorage. We do not collect any personal information in Guest mode. No data is transmitted to our servers except for static asset delivery. Guest mode data is not backed up and will be lost if you clear your browser data.
13. Changes to This Policy
When we make material changes, we will update the Effective Date and, for registered users, send a notification to the email address on file at least 14 days before the changes take effect.
14. Contact Us
Bruiser CyberSec LLC
Email: [email protected]
If you are located in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.