Privacy Policy
1. Who We Are
MulikaScans is a professional web vulnerability scanning platform operated by IklwaLabs, based in Tanzania. We provide automated security scanning tools to help organisations identify and fix web security issues.
For privacy questions, contact us at privacy@mulikascans.com.
2. What We Collect
We collect the following categories of information:
- Account information — name, email address, password (hashed with bcrypt), organisation name.
- Billing information — payment method details are handled by our payment processor (PesaPal) and are not stored on our servers.
- Scan data — target URLs you submit, scan configurations, and vulnerability findings generated from those scans.
- Usage data — pages visited, features used, scan counts, and timestamps.
- Technical data — IP address, browser type, operating system, and referrer URL collected automatically via server logs.
3. How We Use Your Data
We use collected data to:
- Create and manage your MulikaScans account.
- Execute vulnerability scans on targets you authorise and display results to you.
- Process subscription payments and send billing receipts.
- Send service emails (email verification, password reset, scan completion notifications).
- Enforce plan limits, rate limits, and terms of service.
- Detect abuse, investigate security incidents, and protect the platform.
- Improve scanner accuracy and product features (using aggregate, anonymised statistics).
We do not use your scan results or target URLs for marketing purposes.
4. Data Sharing
We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:
- Payment processors (PesaPal) — to process subscription payments. Their privacy policies apply to data they handle.
- Email delivery — we use a transactional email service to deliver account emails. Only your email address and the email content are shared.
- Legal requirements — if required by law, court order, or to protect the rights and safety of our users or the public.
- Business transfer — in the event of a merger or acquisition, data may transfer to the acquiring entity, who will be bound by this policy or notify you of any changes.
5. Data Storage & Security
Your data is stored on servers in East Africa (Tanzania / Kenya region). We implement industry-standard security measures including:
- Passwords hashed with bcrypt (cost factor 12).
- JWT tokens for session management, transmitted over HTTPS only.
- HttpOnly, SameSite=Lax cookies to prevent XSS token theft.
- Database access restricted to application processes; no public database endpoints.
- Rate limiting and two-factor authentication (2FA) available on all accounts.
Despite our safeguards, no system is 100% secure. If you suspect a security breach affecting your account, contact us immediately at security@mulikascans.com.
6. Cookies
We use the following cookies:
- access_token — an HttpOnly session cookie used to authenticate you. Expires when your browser closes or after 8 hours of inactivity.
- session — a Flask session cookie used as a secondary authentication fallback. Expires at the end of your browser session.
We do not use advertising cookies or third-party tracking cookies. You can disable cookies in your browser, but this will prevent you from logging in.
7. Your Rights
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to fix inaccurate or incomplete data.
- Deletion — delete your account and all associated data from your account settings, or by emailing us.
- Portability — request an export of your scan history in machine-readable format.
- Objection — object to processing based on our legitimate interests.
- Restriction — ask us to restrict processing while a dispute is resolved.
To exercise any of these rights, email privacy@mulikascans.com. We will respond within 30 days.
8. Data Retention
We retain your data for as long as your account is active. Specifically:
- Account data is retained until you delete your account.
- Scan results are retained for the duration of your account plus 90 days after deletion.
- Server logs (IP, access records) are retained for 30 days.
- Billing records are retained for 7 years as required by financial regulations.
9. Children's Privacy
MulikaScans is intended for professional use by individuals aged 18 and over. We do not knowingly collect data from children. If you believe a child has registered, contact us and we will delete the account promptly.
10. Policy Changes
We may update this policy from time to time. When we make material changes, we will notify registered users by email and update the "Last updated" date at the top of this page. Continued use of MulikaScans after a change constitutes acceptance of the updated policy.
Questions about your privacy?
Our team is happy to help. Reach out and we'll respond within 2 business days.