Privacy Policy

Last updated: April 17, 2026

The short version

Wraith scans your AI chatbot and shows you vulnerabilities. We do not store the URLs you scan, the probes we send, the responses your chatbot gives, or the secrets those responses may contain.

We store aggregate counts (how many scans, what grades, what finding types) so we can improve the product. None of it identifies you or your chatbot.

What we collect

When you use wraith.sh, we collect:

  • Aggregate scan counts and grades (not tied to any target)
  • A one-way SHA-256 hash of the target URL, so we can count unique chatbots scanned without knowing which ones
  • Scan metadata: duration, API cost, number of findings by severity
  • Your IP address, for rate limiting (3 scans/hour). Not linked to scans after the hour elapses.
  • Page views and referrers via Vercel Analytics (privacy-friendly, no cookies)
  • Your email address only if you voluntarily submit it for launch-week notifications

What we explicitly do NOT collect or store

  • The plaintext URL of the chatbot you scanned
  • The probes Wraith generated during your scan
  • Your chatbot's responses to those probes
  • Evidence quotes or finding details that may contain leaked secrets, API keys, or system prompts
  • PDF report contents (generated on demand, never persisted)
  • Any payment information (handled directly by our payment processor when Stripe is live)

In-memory scan data (findings, exchanges, remediation) is kept for up to one hour so you can download the PDF report, then automatically discarded. It never touches persistent storage.

Who we share data with

Nobody, with these narrow exceptions:

  • Anthropic — we use their Claude API to run the scans. Scan probes and target responses pass through their API in real time. See Anthropic's privacy policy for how they handle API traffic.
  • Railway — our backend host. Processes requests, stores no scan content.
  • Vercel — our frontend host + privacy-friendly analytics (no cookies, no fingerprinting).

Your rights

Since we don't store your scan content or link scans to you, there's nothing to export or delete on the scan side. For your email (if you submitted one): reply to any email we send with "please remove me" and we'll delete your address from our signup list.

Liability and authorized testing

Wraith is a security scanner. You are responsible for ensuring you have authorization to scan any target you submit. Scanning an AI chatbot you don't own or have permission to test may violate the target's terms of service or applicable computer-misuse laws in your jurisdiction.

Use the built-in vulnerable demo target (linked from the scan page) to try Wraith without authorization concerns.

Contact

Privacy questions, data deletion requests, or suspected abuse: anthony@harbinger.partners

Wraith is operated by Harbinger Security Consulting, LLC.