Privacy Policy
Last updated July 2026
Draft — under counsel review.This is a plain-language description of how the service actually works today. The data-controller entity is a placeholder to be finalized with counsel before hammering.ai's public launch.
hammering.ai is built to collect as little as possible. There are no accounts, no login, no cookies, and no analytics or advertising trackers.
What we process
The URL you scan.We fetch the page and its public JavaScript to run the checks, exactly as a visitor's browser would. We only request resources that are already publicly served.
Your IP address. Used transiently to rate-limit abuse of the scanner. It is not tied to an identity and is not stored in a database by us. Our hosting provider (Vercel) processes request metadata, including IP, in its standard server logs.
Scan reports. A report is encoded into the shareable /r link itself (cryptographically signed) — it is not saved on our servers. Anyone you share that link with can view the report, so treat a deep-scan report as sensitive.
What we don't do
We don't sell or share your data, don't build advertising profiles, and don't store the contents of the sites you scan beyond what's needed to produce your report in that session.
Sub-processors
The service is hosted on Vercel, which processes requests and logs on our behalf. The deep database check talks directly to your own Supabase project when you authorize it.
Legal basis & retention
Where the GDPR applies, we process the limited data above under our legitimate interest in operating and protecting the service (for example, using an IP address transiently to rate-limit abuse). We don't retain scan contents in a database — a report exists only inside the signed link you were given — and we don't keep IP addresses in a store of our own; our host retains standard request logs under its own policy.
Your rights
Depending on where you live, you may have rights to access, correct, or delete personal data, or to object to its processing (GDPR), and rights to know and delete, and not to be discriminated against for exercising them (CCPA/CPRA). Because we hold no accounts and no data store, there is usually little for us to act on — but you can exercise any of these, or ask us to block a URL that was scanned without your authorization, by emailing privacy@hammering.ai. We don't sell or "share" personal information as those terms are defined under US state privacy laws.
The data controller / business responsible for this processing is being finalized with counsel and will be named here before public launch.