Privacy Policy

Effective date: 1 June 2025 · Crestline Defence (Pty) Ltd

1. Introduction

Crestline Defence (Pty) Ltd ("we", "us", or "our") operates GuardianScan, an automated cybersecurity assessment platform for South African businesses. Our registered contact is cd@thereggiesmith.com.

GuardianScan performs passive and active security assessments of internet-facing infrastructure — including HTTP headers, DNS records, open ports, and publicly accessible endpoints — on domains you have verified ownership of. This Privacy Policy explains what personal information we collect, why we collect it, and how we protect it.

By using GuardianScan you agree to the collection and use of information as described in this policy.

2. Information We Collect

We collect the following categories of information:

  • Account information — Your name and email address, collected when you create an account via Clerk.
  • Domain names — Domains you submit for scanning and the DNS TXT verification records we generate.
  • Payment information — Payment is processed by PayFast. We never receive, store, or transmit your card number, CVV, or banking credentials. We retain only the PayFast transaction reference, the scan tier purchased, and the amount paid.
  • Scan results and security findings — The full output of every security assessment you commission, stored and linked to your account.
  • Usage data and logs — Pages visited, features used, and timestamps of key actions (scan initiated, report viewed, payment made).
  • IP addresses — Your IP address when accessing the platform, used for rate limiting and fraud prevention.
  • Consent logs — A timestamped record of your acceptance of the Rules of Engagement before each scan, retained as evidence of authorisation.

3. How We Use Your Information

We use your information solely to:

  • Perform security scans of domains you have authorised us to assess.
  • Generate and deliver your security report.
  • Process payments via PayFast and issue receipts.
  • Send scan completion and payment confirmation notifications by email.
  • Improve the accuracy and coverage of our scanning engine.
  • Comply with legal obligations under South African law, including POPIA.

We do not sell your personal information. We do not use your data for advertising or behavioural profiling. We do not share your scan results with any third party except as required by law.

4. POPIA Compliance

GuardianScan is subject to the Protection of Personal Information Act 4 of 2013 ("POPIA"). Crestline Defence (Pty) Ltd is the responsible party. You are the data subject.

We process your personal information on the following lawful grounds:

  • Your consent (account creation, Rules of Engagement acceptance).
  • Performance of a contract (delivering the scan you paid for).
  • Compliance with a legal obligation.

You have the following rights under POPIA:

  • Right of access — You may request a copy of all personal information we hold about you.
  • Right to correction — You may request that inaccurate information be corrected.
  • Right to deletion — You may request that we delete your personal information, subject to our legal retention obligations.
  • Right to object — You may object to processing of your personal information on grounds relating to your particular situation.
  • Right to lodge a complaint — You have the right to lodge a complaint with the Information Regulator of South Africa.

Information Regulator (South Africa)

JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

inforeg.org.za

5. Data We Scan

When you submit a domain for scanning, GuardianScan performs passive and active reconnaissance on publicly accessible information associated with that domain. We want to be explicit about the boundaries of what we do and do not do:

  • We do not access private or authenticated areas of your website.
  • We do not store or retain the content of your website pages.
  • We do not share your scan findings with any third party.
  • We do not use your scan results to train AI models.
  • We do not modify, extract, or exploit any data found on your systems.

Scan findings are stored in your account for 12 months and are accessible only to you. We use Anthropic's Claude API to generate the narrative analysis in Intelligence Scan reports. Data sent to Anthropic is governed by their Privacy Policy and zero data retention agreement for API usage.

6. Third-Party Services

GuardianScan integrates the following third-party services. Each has its own privacy policy:

  • Clerk: authentication and identity management
  • PayFast: payment processing
  • Vercel: application hosting and infrastructure
  • Anthropic: AI-powered report analysis (Intelligence Scan)
  • Neon: database hosting
  • AlienVault OTX: threat intelligence correlation
  • Shodan: infrastructure vulnerability data
  • Google Safe Browsing: malware and phishing detection
  • HaveIBeenPwned: breach data correlation

7. Data Retention

Retention period by data type:

  • Account information: retained while the account is active, then 30 days after deletion
  • Scan results and findings: 12 months from scan date
  • Payment records: 5 years (legal requirement)
  • Consent logs (Rules of Engagement): 5 years (legal requirement)
  • Usage logs and IP addresses: 90 days

You may request deletion of your account and associated data at any time by emailing cd@thereggiesmith.com. We will action deletion requests within 30 days, subject to legal retention requirements for payment records and consent logs.

8. Data Security

  • All data is encrypted in transit using TLS 1.3.
  • Database storage is encrypted at rest.
  • Authentication is handled by Clerk using industry-standard practices including MFA support.
  • Access to production systems is restricted to authorised personnel only.
  • In the event of a data breach affecting your personal information, we will notify you and the Information Regulator within 72 hours as required by POPIA.

9. Cookies

GuardianScan uses the following cookies:

  • Authentication cookies (Clerk) — Essential session cookies required for login and to maintain your authenticated state. These cannot be disabled without preventing access to your account.

We do not use:

  • Advertising or retargeting cookies.
  • Analytics tracking cookies (no Google Analytics, Hotjar, etc.).
  • Third-party tracking pixels.

10. Your Rights

To exercise any of your rights under POPIA — access, correction, deletion, or objection — contact us at:

Crestline Defence (Pty) Ltd

cd@thereggiesmith.com

We will respond to all requests within 30 days. Where we are unable to fulfill a request (e.g. due to a legal retention obligation), we will explain why in writing.

11. Contact

Crestline Defence (Pty) Ltd

Email: cd@thereggiesmith.com

Website: crestlinedefence.com

Information Regulator (South Africa)

JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

inforeg.org.za

This policy was last updated on 1 June 2025. We will notify registered users of material changes by email.