Privacy Policy

Effective 2026-04-22

1. What this document is

This page tells you exactly what scsipub — operated by Defensible Logic, Inc. — records about you, what it doesn't, and for how long. It's intentionally short and concrete. If you want the formal terms of use, see our Terms of Service.

2. What we store

If you register an account, we keep:

  • your email address (used for sign-in, password reset, and transactional notices);
  • a bcrypt hash of your password — we never see or store the password itself;
  • your tier and, if you have an active subscription, the Stripe customer and subscription IDs that identify you inside Stripe's systems (we do not store card numbers — Stripe does);
  • API keys you create, stored as bcrypt hashes of the secret portion (the raw key is shown once, at creation).

For every iSCSI session, whether anonymous or authenticated, we keep:

  • the session's IQN, CHAP credentials (for authenticated sessions), creation and last-activity timestamps;
  • the client IP address that provisioned the session (for abuse handling);
  • the write-overlay file on our server's disk, until the session ends or its TTL expires — see the Terms for retention rules by tier.

For every page you view on the web app, the analytics system records:

  • the URL path, status code, and response time;
  • the referrer URL, if your browser sends one;
  • your user-agent string and coarse geolocation (country / region, if a MaxMind database is configured); we do not store your IP address — it is mixed with your user-agent, the date, and a secret salt to produce a daily-rotating hash, then discarded;
  • we do not set third-party cookies and do not send any telemetry to Google or similar ad networks.

3. What we don't store

We do not inspect the contents of your overlay writes. We don't scan, index, or copy the bytes you put on your block devices. We don't sell data to anyone. We don't run third-party trackers.

4. How long we keep it

  • Session overlays: non-persistent sessions are deleted when they disconnect; persistent sessions when you destroy them or their TTL elapses.
  • Session metadata (IQN, creation time, client IP): kept for 30 days after the session is destroyed, then permanently deleted by the janitor.
  • Page-view analytics: 90 days, then permanently deleted.
  • Audit log (admin actions, subscription changes, session adoptions): retained for the life of the account.
  • Account data: kept as long as your account exists. Deleting your account via the Danger Zone on your account page removes email, password hash, API keys, and active sessions immediately.

5. Who we share it with

  • Stripe — payment processor. Handles card data entirely on their servers; we see tier + subscription state.
  • SMTP provider (Zoho, in our current deployment). Handles outgoing mail — verification links, magic links, receipts. Your email address passes through their servers as the envelope destination.
  • MaxMind — geolocation is resolved locally against a downloaded database; no requests leave our infrastructure.
  • Nobody else. No advertising networks, no cross-site trackers, no resale.

We may disclose information if compelled by valid legal process or to protect the rights, property, or safety of users or the service.

6. Cookies

We set one first-party cookie — _scsipub_key — which holds your signed login session. It's HTTP-only, SameSite=Lax, and cleared on logout. We do not set third-party cookies.

7. Your rights

You can:

  • see and change your email and password on your account page;
  • see and destroy your sessions on My Sessions;
  • delete your account — including all session records, API keys, and identifying data — from the Danger Zone on the account page;
  • email us at privacy@defensiblelogic.com for anything else, including data-portability requests or questions about what we hold on you.

8. Children

scsipub is not directed at children under 13 and we don't knowingly collect data from them.

9. Changes

Material changes will be announced by email to registered users at least 30 days before they take effect. The effective date at the top of this page always reflects the current version.

10. Contact

Privacy questions: privacy@defensiblelogic.com.