Runtime Riot provides public-surface security analysis for websites and web applications, including passive recon, exposed asset review, and, where authorized, deeper active testing. These terms govern use of the service, and the privacy section explains what data we collect, how we use it, and how long we keep it.
You must be legally able to enter into a binding agreement to use Runtime Riot. If you use the service on behalf of a company, client, or other organization, you represent that you have authority to bind that party to these terms.
Runtime Riot provides website and application security analysis. Depending on the offering selected, that may include public-surface review, exposed credential checks, headers and identity footprint analysis, source map and endpoint review, cloud asset discovery, Firebase and bucket checks, DNS and TLS inspection, and, for higher tiers, active testing such as clickjacking, redirect handling, rate-limit review, subdomain takeover checks, and other sanctioned probes.
By submitting any domain, URL, host, application, or related asset, you certify that you own it, control it, or have clear written authorization to permit the requested analysis. You must not use Runtime Riot to test third-party systems without permission.
We may require verification before running certain scans or active modules. Verification can include DNS TXT proof, email confirmation, provider-based login confirmation, payment confirmation, or other proof that reasonably ties you to the target or the requesting organization. We may refuse, pause, or cancel a request if authorization is unclear or disputed.
Access to Runtime Riot may be provided through Sign in with GitHub, Sign in with Google, or magic-link login. You are responsible for safeguarding your login channel, controlling access to your email account and provider accounts, and ensuring that anyone using your login is authorized to act for you.
Paid scans require valid payment through our third-party payment processor. Prices, scope, and availability may change prospectively. Result links and hosted report artifacts are generally available for up to seven days from issuance. After that window, we may delete the live report artifacts and retain only limited transaction metadata, job metadata, and receipt records.
Purchased scans are generally non-refundable once a scan has started or completed. If a scan cannot be completed, is materially impaired by a service outage, infrastructure failure, or a significant connection issue not caused by you, or if other extenuating circumstances apply, we may issue a refund, partial refund, or replacement scan credit in our discretion.
If you believe a refund or scan credit is warranted, contact us within seven days of the affected purchase or scan. We will review the circumstances in good faith, but refunds and credits are not guaranteed.
Runtime Riot is an assessment tool, not a guarantee of security, compliance, or fitness for any purpose. A scan may miss issues, produce false positives, or become stale as the target changes. You remain responsible for remediation decisions, incident response, legal compliance, and production safety.
The service is provided on an as-is and as-available basis to the maximum extent permitted by law. To the maximum extent permitted by applicable law, Runtime Riot disclaims implied warranties, including merchantability, fitness for a particular purpose, and non-infringement.
To the maximum extent permitted by law, Runtime Riot will not be liable for indirect, incidental, special, consequential, exemplary, or punitive damages, or for loss of profits, revenue, data, goodwill, or business interruption arising from or related to the service. These terms are governed by the laws of the State of Florida, without regard to conflict-of-law principles.
We may update these terms from time to time by posting the revised version on the site. Continued use after the effective date of an update constitutes acceptance of the revised terms. Questions about these terms should be directed through the contact method identified on the Runtime Riot site or in your transaction record.
We may share information with service providers that help us operate Runtime Riot, including authentication providers, payment processors, hosting and infrastructure vendors, email delivery vendors, analytics providers, and contractors operating under confidentiality obligations. We may also disclose information where required by law, to protect rights or safety, or to investigate misuse.
Runtime Riot uses Google Analytics to understand site usage and performance. Authentication may rely on session cookies or equivalent session-scoped tokens needed to keep you signed in and complete login safely. We do not use persistent login cookies, and authentication cookies are intended to expire with the session. We may also store limited browser-side preferences, such as theme choice, using local storage; that preference is not used as a cross-site tracking cookie.
Hosted result links and report artifacts are generally retained for up to seven days. After that period, we aim to remove report contents and keep only limited metadata about the transaction, job, and receipt. We may retain account records, audit logs, authorization records, and legally necessary business records for a longer period where reasonably required.
We use reasonable administrative, technical, and organizational measures designed to protect information in our control. No method of transmission, storage, or processing is completely secure, and we cannot guarantee absolute security.
You may stop using the service at any time. You may also contact Runtime Riot through the contact method published on the site to request account-access help, deletion of retained account data, or clarification regarding data associated with a transaction, subject to verification and any legal or operational retention requirements.
Runtime Riot is intended for professional and business use and is not directed to children under 13.
We may revise this Privacy Policy from time to time. The revised version becomes effective when posted with a new effective date.