Security

Last updated: July 1, 2026

The short version
  • Raw IP addresses are never stored — network addresses are one-way hashed.
  • Data is encrypted in transit and scoped to each site, never pooled across customers.
  • Every change runs automated dependency + code scanning and a security review before it ships.
  • We collect the minimum needed to score traffic — no visitor names, emails, or cross-site profiles.

Protecting your data

ValidVisit is a tool for finding untrustworthy traffic, so being trustworthy with data is the point. We collect the minimum needed to judge whether a click is genuine and no more.

  • Network addresses are reduced to a one-way hash before storage — the raw IP is never written to disk.
  • Data is encrypted in transit with modern TLS.
  • Each customer’s data is scoped to their own sites; identifiers are never shared between customers.
  • Aggregated reports hold counts and scores only — they carry no per-visitor identifiers.

Application & infrastructure security

Security is built into how we ship, not bolted on afterward:

  • Automated dependency scanning flags vulnerable packages before they reach us.
  • Automated code scanning runs on every change to catch common flaws early.
  • Every pull request runs an automated security review, plus type-checking, linting and tests, before it can merge.
  • The browser tag ships with security headers, including a Content Security Policy.
  • Access to production data follows least-privilege — limited to the people who need it to run the service.

Privacy by design

The strongest way to protect data is not to hold sensitive data in the first place. We don’t store raw IPs, we don’t ask visitors for personal details, and we don’t build cross-site advertising profiles. See the privacy policy for the full picture, including data retention and your erasure rights.

Reporting a vulnerability

If you believe you’ve found a security issue, we want to hear from you. Email security@validvisit.com with the details and steps to reproduce. Please give us a reasonable window to investigate and fix before any public disclosure; we won’t pursue good-faith researchers who follow responsible disclosure.

Compliance posture

Our data practices are built to support GDPR, UK GDPR and CCPA/CPRA obligations — including data minimization, per-site scoping, and a permanent right-to-erasure path. As the product matures we’ll continue to strengthen our controls and pursue formal attestations where they add value for customers.

Contact

Security questions or documentation requests can be sent to security@validvisit.com.