Privacy Policy — waitdead.ai

Last updated 2026 · English version governs

Good-faith notice. This policy is provided in good faith and is intended to meet GDPR and CCPA-grade expectations. Independent legal counsel review is still pending. Where a registered-entity or jurisdiction-specific detail is not yet finalized, it appears below as a visible placeholder rather than an invented value.

1. Who we are

This service is operated by waitdead ("waitdead.ai", "we", "us"). We are an independent AI security review firm. Our legal-entity registration is in progress; the registered company name, number, and address will be published here once finalized: [to be supplied: registered legal entity name, number, registered address].

The data controller for the purposes of applicable data-protection law is [to be supplied: controller entity, once registered]. We have not yet appointed a formal data-protection officer; the contact point for all privacy matters is our intake channel (see Section 9). Our governing jurisdiction will be confirmed on registration: [to be supplied: governing jurisdiction].

2. Data we collect

We collect only what we need to respond to you and to deliver a review.

Booking & contact. When you book a review or submit the intake form, we collect your name, email address, company, and country, plus whatever you choose to write in your message.
Free scan. When you run the free scan, you paste a public artifact — a public MCP server URL, an OpenAPI manifest, or an agent configuration. Secrets are redacted on submit, and pasted input is treated as untrusted data, not as a trusted instruction. Please do not paste credentials, tokens, or private/internal endpoints; the scan is designed for public surfaces only.
Anti-abuse. Our forms include a honeypot field and standard request metadata used solely to prevent automated abuse.
Operational logs. Our hosting and DNS providers process technical data (such as IP address and request timestamps) needed to serve the site securely.

We do not run third-party advertising trackers, and we do not sell personal data.

3. Why we use it — and our legal basis

We process the data above on two legal bases under the GDPR (and the analogous bases under CCPA/CPRA):

Contract (Art. 6(1)(b)). To respond to your enquiry, scope and deliver a review, and manage the engagement you requested.
Legitimate interest (Art. 6(1)(f)). To run the free scan you asked for, to operate and secure our site and forms, to prevent abuse, and to follow up on a lead you initiated. You can object at any time (see Section 8).

4. Retention

We keep personal data only as long as we have a reason to.

Booking & intake records are retained for the life of the enquiry or engagement and for a reasonable period afterward to meet legal, accounting, and dispute-handling needs: [to be supplied: retention period, pending counsel].
Scan artifacts. The public artifact you paste, and the exposure checklist generated from it, are retained as part of the tracked lead so we can follow up; they are deleted on request and otherwise after the retention window above. Because input is treated as untrusted data and secrets are redacted on submit, we do not intentionally store credentials.

5. Sub-processors

We share personal data only with the service providers needed to operate. These are the only sub-processors we use; the current list is maintained on our Trust page.

Sub-processor	Purpose
Supabase	Database & authentication
Contabo	VPS hosting (Germany / EU)
Resend	Transactional email (region sa-east-1)
Cloudflare	DNS

6. International transfers

Our hosting is in the EU (Germany, via Contabo). Some sub-processors may process data outside your country — for example, transactional email is sent through a region outside the EU. Where personal data is transferred internationally, we rely on the appropriate safeguards, such as Standard Contractual Clauses or an equivalent transfer mechanism, in line with applicable law: [to be supplied: specific transfer mechanism, pending counsel].

7. How we protect it

TLS 1.3 with valid certificates on all our sites; HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are set.
Framework and version fingerprints are stripped.
Secrets are redacted on scan submit, and pasted input is treated as untrusted data.
AI-derived findings are labeled as such and gated behind human sign-off.

We do not yet hold SOC 2, ISO 27001, or ISO 42001; those are planned, not held.

8. Your rights

Subject to applicable law, you have the right to access the personal data we hold about you, to request its correction or erasure, to object to or restrict processing based on legitimate interest, and to data portability. Under the CCPA/CPRA you also have the right to know what we collect and to request deletion; we do not sell or "share" personal data for cross-context behavioural advertising. You may also lodge a complaint with your local supervisory authority.

9. How to exercise them

Use our intake channel — crm.waitdead.com/intake — to make any privacy request; it creates a tracked ticket so nothing is lost. A dedicated inbound security/privacy mailbox is being stood up with our own mail server (in progress); until then, the intake form is the reliable channel. We do not operate a phone line.

10. Changes to this policy

We may update this policy as our entity registration completes, as counsel review finishes, or as our processing changes. We will update the "Last updated" date above; material changes will be reflected here before they take effect.

If anything in this policy conflicts with the rights granted to you by applicable law, the law prevails.

Resumen

Este servicio es operado por waitdead ("waitdead.ai"), una firma independiente de revisión de seguridad de IA. El registro de nuestra entidad legal está en proceso: [a completar: nombre, número y domicilio de la entidad legal registrada]. La jurisdicción aplicable y el responsable del tratamiento se confirmarán al completar el registro: [a completar: responsable del tratamiento y jurisdicción]. Aún no designamos un delegado de protección de datos formal; el punto de contacto para temas de privacidad es nuestro canal de intake.

Datos que recopilamos. Al reservar o enviar el formulario de intake: nombre, correo, empresa y país, más lo que escribas en tu mensaje. En el escaneo gratuito pegás un artefacto público (URL de un servidor MCP público, un manifiesto OpenAPI o la configuración de un agente); los secretos se redactan al enviar y el contenido pegado se trata como dato no confiable. No uses credenciales ni endpoints privados. No corremos rastreadores publicitarios ni vendemos datos personales.

Por qué y base legal. Tratamos los datos sobre dos bases del RGPD (y equivalentes en CCPA/CPRA): contrato (responder tu consulta y ejecutar la revisión que pediste) e interés legítimo (correr el escaneo solicitado, operar y proteger el sitio, prevenir abuso y dar seguimiento a un lead que iniciaste). Podés oponerte en cualquier momento.

Retención. Conservamos los datos solo mientras haya un motivo: los registros de reserva e intake durante la consulta o el trabajo y un período razonable posterior por motivos legales y contables: [a completar: período de retención, pendiente de asesoría]. Los artefactos del escaneo y su lista de exposición se conservan como parte del lead y se eliminan a pedido o tras ese período.

Sub-procesadores. Compartimos datos solo con los proveedores necesarios para operar; estos son los únicos, detallados en nuestra página de Confianza:

Sub-procesador	Propósito
Supabase	Base de datos y autenticación
Contabo	Hosting VPS (Alemania / UE)
Resend	Correo transaccional (región sa-east-1)
Cloudflare	DNS

Sub-procesador

Propósito

Supabase

Base de datos y autenticación

Contabo

Hosting VPS (Alemania / UE)

Resend

Correo transaccional (región sa-east-1)

Cloudflare

DNS

Transferencias internacionales. El hosting está en la UE (Alemania, vía Contabo). Algunos sub-procesadores pueden tratar datos fuera de tu país. Cuando hay transferencia internacional, nos apoyamos en las salvaguardas adecuadas, como las Cláusulas Contractuales Tipo o un mecanismo equivalente: [a completar: mecanismo de transferencia, pendiente de asesoría].

Cómo protegemos los datos. TLS 1.3 con certificados válidos; HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy y Permissions-Policy activos; fingerprints de framework y versión eliminados; secretos redactados al enviar el escaneo; los hallazgos derivados de IA se etiquetan y quedan sujetos a aprobación humana. Aún no contamos con SOC 2, ISO 27001 ni ISO 42001: están planificados, no vigentes.

Tus derechos. Según la ley aplicable, podés acceder a tus datos, pedir su corrección o eliminación, oponerte o limitar el tratamiento por interés legítimo, y solicitar portabilidad. Bajo CCPA/CPRA tenés derecho a saber qué recopilamos y a pedir la eliminación; no vendemos ni "compartimos" datos para publicidad de contexto cruzado. También podés reclamar ante tu autoridad de control.

Cómo ejercerlos. Usá nuestro canal de intake — crm.waitdead.com/intake — para cualquier solicitud de privacidad; genera un ticket rastreable. Estamos montando un buzón dedicado de seguridad/privacidad con nuestro propio servidor de correo (en proceso); hasta entonces, el formulario de intake es el canal confiable. No operamos línea telefónica.

Cambios. Podemos actualizar esta política a medida que se complete el registro de la entidad, finalice la revisión legal o cambie nuestro tratamiento. Actualizaremos la fecha de "Última actualización" arriba.

La versión en inglés es la que rige; versión completa en español a pedido.