Privacy Policy
Plain English Summary: We only collect what we need to run your audit. We never store your AWS credentials, never log your data, and we delete all audit artefacts within 30 days. You can request deletion at any time.
1. Who We Are
LeapScan is an AWS security auditing service operated by Leaptrix Solutions, a technology consulting firm. Our registered point of contact is connect@leaptrix.com.
When we reference "LeapScan," "we," "our," or "us," we mean Leaptrix Solutions and any contracted personnel involved in delivering the AWS audit service.
2. What Data We Collect & Why
| Data Type | What It Is | Why We Collect It | Legal Basis |
|---|---|---|---|
| Contact Email | Your work email address | To deliver your audit report and communicate findings | Contract performance |
| AWS Account ID | Your 12-digit AWS account identifier | To assume the read-only cross-account role and run audit checks | Contract performance |
| Audit Findings | Configuration metadata (not actual data) — e.g. "S3 bucket X has public access enabled" | To compile and deliver your security report | Contract performance |
| Form Submission Data | Data submitted through our web form (relayed via Formspree) | To initiate and scope your audit engagement | Consent / Contract |
We do NOT collect:
- Your AWS root credentials or any IAM access keys
- The actual content of your S3 buckets, databases, or application data
- Personally Identifiable Information (PII) of your customers or users
- Payment card data (we use no on-site payment processing)
3. AWS Access Model & Permissions
We access your AWS environment exclusively through a cross-account IAM role that you create using our CloudFormation template. This role:
- Grants read-only permissions only (equivalent to the AWS SecurityAudit managed policy)
- Is trusted exclusively by our consultant AWS account ID 154770582167; no other account can assume it
- Cannot create, modify, or delete any AWS resource in your account
- Cannot access the content of your databases, S3 objects, or application code
- Can be revoked at any time by deleting the CloudFormation stack, which removes all access in under 60 seconds
You can independently verify the exact permissions granted by reviewing our open-source CloudFormation template at: github.com/manju4k/leapscan-role-template
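An illustrative CloudFormation fragment, added here as an example (it is not the LeapScan template linked above), showing a role that satisfies the constraints listed in this section: trusted by a single auditor account, read-only via the SecurityAudit managed policy, and revoked by deleting the stack. The ExternalId condition is an assumption added as standard cross-account hardening; the policy text does not say whether the real template uses one.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example read-only cross-account audit role (illustrative, not the LeapScan template)

Parameters:
  AuditorAccountId:
    Type: String
    Default: "154770582167"        # consultant account ID stated in Section 3 of this policy
    AllowedPattern: "^[0-9]{12}$"  # reject anything that is not a 12-digit account ID
  ExternalId:
    Type: String
    NoEcho: true
    # Assumed hardening, not described in the policy: a value the auditor must
    # present on AssumeRole, which blocks a third party from tricking the auditor
    # account into assuming this role on its behalf (confused-deputy protection).

Resources:
  AuditRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only principals in the auditor account may assume the role,
      # and only when they supply the matching ExternalId.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AuditorAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      # Permissions: the AWS-managed SecurityAudit policy grants configuration
      # reads (Describe*/Get*/List* on control-plane APIs) and no write actions
      # and no data-plane reads such as s3:GetObject.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit
      MaxSessionDuration: 3600   # one-hour sessions; re-assumption needed after that

Outputs:
  AuditRoleArn:
    Description: ARN the auditor assumes; disappears with the stack when it is deleted
    Value: !GetAtt AuditRole.Arn
```

After deployment, `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument` shows the effective trust policy, so you can confirm that only the expected account appears as a principal.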
4. Data Retention & Deletion
| Data | Retention Period | How to Request Early Deletion |
|---|---|---|
| Contact email & account ID (Formspree) | 30 days from submission | Email us at connect@leaptrix.com |
| Audit findings & report artefacts | 30 days from delivery | Email us at connect@leaptrix.com |
| IAM role access (your AWS account) | Until you delete the CloudFormation stack | Delete the LeapScan-Audit-Role stack in your AWS console |
All deletion requests are honoured within 72 business hours. We will confirm deletion in writing by email.
5. Subprocessors
We use the following third-party services to deliver the LeapScan service:
| Subprocessor | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Formspree | Form-to-email relay (audit request intake) | United States | formspree.io/legal/privacy-policy |
| Amazon Web Services | Cloud infrastructure for running audit scans | Global (scans run from eu-west-1 by default) | aws.amazon.com/privacy |
| Google Fonts | Web font delivery (no personal data processed) | United States | policies.google.com/privacy |
6. Data Sharing & Disclosure
We do not sell, rent, or trade your data. We will only share your information:
- With the subprocessors listed in Section 5, strictly for service delivery
- If required by applicable law, court order, or regulatory authority
- In the event of a merger or acquisition (you will be notified 30 days in advance)
7. Your Rights (GDPR / CCPA)
Depending on your jurisdiction, you may have the right to:
- Access — Request a copy of all data we hold about you
- Rectification — Correct inaccurate data
- Erasure ("Right to be Forgotten") — Request deletion of all your data
- Portability — Receive your data in a structured, machine-readable format
- Object — Object to processing based on legitimate interests
- Withdraw Consent — Withdraw consent at any time where processing is based on consent
To exercise any right, contact us at connect@leaptrix.com. We will respond within 30 calendar days.
8. Security
We implement industry-standard security practices in our own operations, including:
- AWS IAM least-privilege access for our consultant account
- No permanent storage of client account credentials or metadata
- Encrypted communication (HTTPS/TLS) for all data in transit
- Audit findings transmitted only to the verified email address provided at intake
We also subject our own AWS infrastructure to the same 131-check LeapScan audit on a monthly basis.
9. Cookies & Tracking
Our website does not use tracking cookies, advertising pixels, or analytics beacons. We do not use Google Analytics or any third-party tracking script. The only external resources loaded are Google Fonts (typography) and Font Awesome (icons), neither of which track individual users.
10. Changes to This Policy
We may update this Privacy Policy as our service evolves. Material changes will be communicated by email to active clients at least 14 days before taking effect. The "Last Updated" date at the top of this page will always reflect the most recent revision.
11. Contact & Complaints
For any privacy concern or data request, contact our Data Controller at:
Leaptrix Solutions
Email: connect@leaptrix.com
Response time: Within 72 business hours for urgent requests, 30 calendar days for formal GDPR requests.