Privacy Policy

Who controls your information

KORDU LTD, registered in England and Wales with company number 16836154, is responsible for personal data processed through isitready.dev. Our registered office is First Floor Office, 3 Hornton Place, London, United Kingdom, W8 4LZ. Contact us at legal@kordu.gg.

ICO data protection fee registration is in progress. We will publish the registration reference here once the ICO public register is updated.

Information we process

We process submitted scan URLs, normalized target URLs, selected check IDs, generated scan results, report IDs, report paths, report timestamps, request metadata, and operational logs needed to run and protect the service.

Generated reports may include public evidence from the target site, such as HTTP status codes, response headers, titles, meta descriptions, canonicals, robots.txt and sitemap references, structured-data types, DNS and Cloudflare-related signals, public performance evidence, affected public URLs, and remediation text.

We use Cloudflare Workers Analytics Engine for high-volume product analytics such as scan status, report views, prompt-copy activity, integration import outcomes, and API timing buckets. Product analytics events use hashed workspace or domain scope identifiers where needed and do not store raw IP addresses, raw user-agent strings, email addresses, full submitted URL query strings, request bodies, OAuth identifiers, tokens, or stack traces.

When rate limiting is active, we may process a hashed key derived from the client IP address and scan endpoint. We do not store the raw IP address in the fallback rate-limit record. Authenticated session records store minimized IP addresses for security signal evaluation: IPv4 is truncated to /24 before it reaches Better Auth, and IPv6 is truncated to /64 by Better Auth. When Cloudflare Turnstile is enabled, Cloudflare may process verification tokens, IP address, hostname, action, and device or browser signals needed to distinguish humans from automated abuse.

We store first-party cookies for authentication, last-used login method, theme preference, and dashboard sidebar preference. The exact names and retention periods are listed in our Cookie Policy.

Sources of information

We receive submitted scan URLs and optional check selections from the person or tool starting the scan.

We obtain scan evidence from publicly accessible target websites, DNS responses, HTTP responses, and configured public data providers such as Google PageSpeed Insights, Chrome UX Report, MDN Observatory, and Cloudflare DNS-over-HTTPS where those checks are enabled or reachable.

We receive request metadata, security signals, hosting logs, and Turnstile verification results from Cloudflare and the Cloudflare Workers platform.

How we use information

We use this information to provide public scan results, prevent abuse, debug service reliability, enforce rate limits, maintain security, and improve scanner accuracy.

We use account profile, authentication, dashboard, billing, saved-site, API-key, Search Console, and Google Analytics integration data only to provide the product features you choose to use. We do not intentionally collect website login credentials or private target-site credentials through the public scanner.

Lawful bases

We process scan submissions and reports to provide the service requested by the user and to take steps requested before any contract is formed.

We process rate-limit data, security logs, Turnstile verification data, abuse evidence, and reliability data based on our legitimate interests in securing, operating, debugging, and improving a public scanner.

We may process and retain notices, correspondence, and enforcement records where needed for legal obligations, legal claims, or legitimate business administration.

Retention

Public scan reports are stored in Cloudflare KV for up to 7 days. Report IDs and report paths are unlisted but not account-protected, so a person with the report link can view the report during that retention period.

Disposable product analytics events in Cloudflare Workers Analytics Engine are used as a 90-day trend/event store and are not the source of truth for billing, quotas, audit records, or support records.

Reusable report indexes are stored for the same report-retention period. Public enrichment-cache entries, such as PageSpeed or CrUX check results for a site scope, are normally cached for about 12 hours plus a short expiry buffer. Negative scan-failure cache entries are normally retained for minutes.

Fallback rate-limit records expire shortly after the rate-limit window. In-memory operational caches may exist for the lifetime of a Worker isolate and are bounded by entry count.

Some security, platform, and delivery logs may be retained by infrastructure providers for their standard operational periods.

Sharing and processors

We use service providers such as Cloudflare to host, cache, secure, rate-limit, verify, deliver, and measure product usage for isitready.dev. These providers process information only as needed to provide their services and protect the platform.

When Sentry error monitoring is configured, server-side Worker exceptions may be sent to Sentry with request metadata needed to debug reliability issues. We disable default PII collection and strip request cookies, headers, bodies, query strings, and user data before events leave the Worker.

When configured checks use external public-data providers, the normalized public target URL or hostname may be sent to those providers to retrieve performance, field-metric, DNS, or security-observatory evidence.

We may disclose information when required by law, to enforce our policies, to investigate abuse or security incidents, or to protect rights, users, and the service.

International transfers

We operate a globally reachable Cloudflare-hosted service. Cloudflare and other providers may process data in the UK, EEA, United States, or other locations where they or their subprocessors operate, using their applicable transfer safeguards and data-processing terms.

Your choices and obligations

You do not have to submit a URL, but the scanner cannot produce a report without one. Do not submit private URLs, credentials, access tokens, or targets you are not authorized to test.

You can delete or block the theme cookie in your browser. If Turnstile is required and blocked, fresh scans may not start.

Automated decisions and children

The scanner automatically calculates technical scores and report findings from public evidence, but it does not make decisions with legal or similarly significant effects about individuals.

isitready.dev is not directed to children, and we do not knowingly collect children's personal data through the scanner.

Your rights

Depending on where you live, you may have rights to access, correct, delete, restrict, object to, or receive a copy of personal data. Send privacy requests to legal@kordu.gg.

If you are in the UK, you may also complain to the Information Commissioner's Office. We ask that you contact us first so we can try to resolve the issue.