Privacy Policy

Last updated: 12 July 2026

Who runs StackScope

StackScope is operated by DATAFREAK LTD, a company registered in England and Wales (company number 17328826), with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. DATAFREAK LTD is the data controller for the limited personal data described in this policy. Questions about this policy, or any request relating to your data, can be sent to [email protected].

What StackScope does

StackScope is a public directory that analyses the technology stacks of product launch websites. We find launches both from launch platforms and by discovering newly launched sites ourselves from publicly available internet infrastructure, then crawl the publicly accessible pages and extract technical information: frameworks, hosting providers, security headers, DNS records, and other signals that are already visible to anyone with a web browser. The full detection methodology is documented on the methodology page, and our crawler behaviour is documented at /bot.

What we collect about websites

For each website we analyse, we store:

  • The website URL, name, and description
  • HTTP response headers
  • Publicly accessible HTML content (rendered in a headless browser)
  • Up to 5 linked CSS stylesheets from the page
  • Well-known files if present: robots.txt, llms.txt, security.txt, sitemap.xml, ads.txt, humans.txt, manifest.webmanifest
  • Privacy policy and terms of service pages, if linked from the homepage
  • Names of browser cookies set during the page load (both HTTP Set-Cookie and JavaScript-set; we store the cookie name only, not the value)
  • Names of client-side storage keys (localStorage, sessionStorage, IndexedDB database names, Cache Storage cache names; names only, not contents)
  • Inline analytics and marketing identifiers found in the page source
  • DNS records (MX, NS, TXT, CNAME, DNSKEY)
  • TLS certificate details (issuer, expiry, Subject Alternative Name count)
  • ASN and hosting provider
  • Domain registration data
  • A viewport screenshot of the page
  • Detected technologies, scores, and analysis results

All of this information is either publicly accessible on the open web or observable by any visitor loading the page in a standard web browser. We do not access authenticated areas, submit forms, or interact with websites beyond loading public pages needed for analysis.

What we collect about visitors

We do not run analytics on StackScope. We do not record page views, build visitor profiles, run third-party analytics or advertising, or set tracking or analytics cookies. Browsing requires no account and no personal information. A free, optional account exists for launch owners; it stores exactly one thing about you, your email address, and is described in the Accounts section below.

Beyond the optional account, the only visitor data we handle is transient and exists for security and delivery: our edge provider (Cloudflare) sees requests as it routes them (see the third-party section below), and standard web server logs record requests in the ordinary way. These logs are retained for 30 days and then deleted. Abuse-prevention logging is described below.

Abuse prevention

When abuse-prevention thresholds fire on sensitive endpoints, we temporarily log the requesting IP and timestamp so we can rate-limit the pattern. These logs are retained for 30 days and then deleted. Sustained abuse may result in a temporary edge-level block.

If our edge protections need to verify a request, we may show a brief browser check and set a short-lived bs_pass cookie on stackscope.dev to remember the result. The cookie expires after one hour, carries no information identifying you personally, and you can clear it at any time without affecting your visit.

Cookies and local storage

We set no tracking or advertising cookies. The full list of what we store in your browser:

  • bs_pass: set only after the brief browser check described above. Strictly necessary, expires after one hour.
  • StackScope.Account: set only when you sign in to an optional account. It keeps you signed in and is strictly necessary for the account to work. It lasts up to 30 days, or until you sign out.
  • bp_dismissed_*: set (as a cookie or a localStorage key) when you dismiss a promotional banner, so we don't show you the same banner again. It records only the dismissal, nothing about you.

Accounts

StackScope offers free, optional accounts at /account. No feature requires one. An account does two things: it lets a launch owner recover their claim's management link if they lose the bookmark, and it lets you opt in to occasional update emails about StackScope.

An account stores exactly one piece of personal data: your email address. There are no passwords. You sign in by entering your email and clicking a one-time link we send you. The account is created the first time a sign-in link is used, not when it is requested. Sign-in links expire after 15 minutes, the tokens in them are stored hashed (we cannot reverse them), and sign-in requests that are never used are deleted within about 24 hours.

If you tick the updates box, we record that consent with a timestamp and the exact wording you agreed to. The box is never pre-ticked. Every update email contains an unsubscribe link, and you can also unsubscribe from /account.

To stop abuse of the sign-in email flow, we keep a log containing a hashed IP address and a hashed email address for each sign-in request. It is deleted after 30 days.

You can delete your account yourself from /account. Deletion removes your email address and detaches any claims from the account. Your bookmark links keep working, and update emails stop.

Third-party services we use

StackScope is hosted on our own infrastructure but relies on Cloudflare for edge protection. This section names the third parties that can see data from visitors who interact with specific surfaces of the site, so you can make an informed call.

  • Cloudflare (CDN & WAF): all traffic to stackscope.dev passes through Cloudflare's network. Cloudflare sees your IP address, user agent, and request path while it routes traffic to our origin, and applies standard WAF protections. This applies to every visitor. See Cloudflare's privacy policy.
  • Cloudflare Turnstile: we use Cloudflare's Turnstile widget on the claim flow and the account sign-in page to stop scripted abuse, and on the brief browser check that appears when our edge protections need to verify a request. Turnstile is a CAPTCHA alternative that inspects browser signals to decide whether a request is human. When the widget loads, your IP and browser fingerprint are shared with Cloudflare. Turnstile may set cookies on challenges.cloudflare.com (not on stackscope.dev). Most visitors never see the widget.
  • Cloudflare Email Service: account emails (sign-in links, recovery links, and updates you opted into) are delivered through Cloudflare's Email Service, operated by Cloudflare, Inc., a US company, which processes the recipient address and the message content in order to deliver each email. Transfers to the US are covered by the UK-US data bridge and Cloudflare's standard contractual safeguards. This only applies if you use an account; browsing involves no email.

The claim system

Website owners can optionally claim their launch page via the claim flow, accessed from the launch's own page. A claim lets you mark the launch as yours, embed a score badge, and receive a bookmark URL (/r/{token}) that triggers a fresh re-scan when you ship fixes. For each claim we store:

  • The claimed launch short-id
  • A hashed version of your capability token (stored as a SHA-256 hash; we cannot reverse it)
  • The verification method used and the first-verified date
  • If you optionally attach the claim to an account: which account it is attached to and the date you attached it

We do not require an email address, account, or password to claim. The claim flow is stateless on our side: the capability URL is the credential. If you want a safety net, you can optionally attach a claim to a free account (see the Accounts section above); the account stores your email address so we can send you a fresh management link if you lose the bookmark. Claiming a launch is free.

Private site analysis (self-add)

You can submit your own site for a private StackScope analysis via the Launch Readiness Check page. The flow is designed so we hold the minimum data needed to verify ownership and run a single crawl. Specifically:

  • When you submit a URL at /claim/new: we store the URL and the time you submitted it in a pending row. The pending row is automatically deleted after a short window if you do not complete the marker step. Your IP address is used in-memory for short-term rate limiting and is not persisted against the submission in our application database, though it does appear in our standard request logs as described in the visitors section above. The Cloudflare Turnstile widget runs on this form to stop scripted abuse; see the third-party section above for what Turnstile sees.
  • To verify you control the site, our backend fetches a marker from a URL on your own domain (HTML meta tag, .well-known file, or DNS TXT record). This is a single outbound HTTP request to the URL you submitted, identifying as StackScopeBot/1.0 and respecting robots.txt. We read only the marker file, not the rest of your site.
  • If the marker matches, we record the launch as owner-only (private). This means the launch page does not appear in the public directory, search engine sitemaps, or our aggregate statistics. It is reachable only via the two capability URLs we hand back at validation time: a private report URL and a re-scan trigger URL. We store a SHA-256 hash of each token; we never store the plaintext.
  • The initial scan runs the same analysis pipeline as our public crawl, with one difference: we do not capture or store a screenshot of your site. The crawl includes everything else (tech stack, security headers, well-known files, infrastructure data we look up via our ASN/SSL/WHOIS providers as described above).
  • You can trigger fresh analyses via the re-scan URL, subject to rate limits to keep our crawl behaviour polite. Each trigger produces a new private snapshot, never replacing earlier ones; the snapshot history is visible only to you via the private report URL.
  • You can remove your launch at any time via the same re-scan URL (the Remove launch action). Removal deletes the launch row, the owner marker, every snapshot row, and any stored screenshots from disk. Self-service, no account or email required.

If your URL later appears on Product Hunt, Hacker News, or PeerPush via your own submission to those platforms, we recognise the match by hostname and convert your launch to a public listing automatically, like every other launch we pick up from those sources. Your earlier private snapshots stay attached to the launch but are hidden from the public view: only you, with your token, can see them in the snapshot history. If you do not want any public listing, do not submit the same URL to those platforms (or remove the launch from StackScope first).

Our crawlers

Our main crawler identifies itself as Mozilla/5.0 (compatible; StackScopeBot/1.0; +https://stackscope.dev/bot). It respects robots.txt directives and normally performs a single initial crawl per website. Occasional re-crawls happen on a launch owner's request (via the claim bookmark URL) or to apply a bug fix or schema change across the corpus. These re-crawls may be partial rather than a full re-fetch. Full details about our crawler's behaviour, including how to opt out, are on our bot information page.

We also discover newly launched sites from publicly available internet infrastructure. Those discovery fetches are performed by a separate crawler, FossickBot (FossickBot/0.1 (+https://fossick.bot)), operated by DATAFREAK LTD. FossickBot also respects robots.txt; details and opt-out are at fossick.bot.

Website removal

If you are a website owner and would like your site removed from StackScope:

  • Self-service (preferred): claim your launch via the launch page (step-by-step on the bot page) and click Remove launch on your private trigger URL. We re-verify your ownership marker and hide the launch immediately. Verified search-engine crawlers see HTTP 410 Gone on subsequent fetches and deindex within days. No account or email required.
  • Email: if you can't install an ownership marker for any reason, write to [email protected]. We'll do the same hiding manually. No reason required.
  • Block future crawls: disallow StackScopeBot in your robots.txt. This prevents future crawls but does not retroactively remove data already published. Use the self-service or email path for that.

Data storage

All core data (launches, analysis results, abuse logs, and, if you have an account, your email address and consent record) is stored on our own infrastructure hosted in Europe. We do not use third-party analytics, advertising, or data-warehousing services for visitor data. The third-party services named above are limited to the specific surfaces noted.

Why we can use this data

UK data protection law requires a lawful basis for each use of personal data. Ours are simple:

  • Accounts, sign-in emails, and recovery emails: we process your email address to perform the service you asked for when you created the account.
  • Update emails: your consent, given by ticking the box. You can withdraw it at any time via the unsubscribe link in any update email or from /account.
  • Abuse-prevention and security logging: our legitimate interest in keeping the site and the sign-in flow working and safe for everyone.

Your rights

You can ask us for a copy of the personal data we hold about you, ask us to correct it, or ask us to delete it. Deletion is self-service: delete your account from /account. You can also object to any processing we base on legitimate interests. For any of these, write to [email protected]. If you think we have handled your data badly, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

How long we keep things

  • Account data (your email address and consent record): until you delete your account.
  • Unused sign-in requests: deleted within about 24 hours.
  • Sign-in abuse logs (hashed IP and hashed email): 30 days.
  • Web server and abuse-prevention logs: 30 days.
  • Backups: we take nightly encrypted database backups and keep them for 30 days, so deleted data can persist in a backup for up to 30 days after you delete it.

Changes to this policy

We may update this policy as StackScope evolves. The "last updated" date at the top reflects the most recent substantive change. If you have an account, we may email you about material changes. Otherwise, check back if you're concerned.

Contact

Questions about this policy, about our data practices, or about a specific launch page: [email protected]. More about the project on the about page.