Privacy Policy
Subnetlens - Desktop Network Scanner & IT Toolkit
Last updated: 18 March 2026 Version: 1.0
1. Who We Are
This Privacy Policy explains how HELIOSOFT LTD, a company registered in England and Wales (company number 17169454), with its registered address at 128 City Road, London, EC1V 2NX, United Kingdom ("we", "us", "our"), handles your personal data when you use the Subnetlens desktop application ("the Software").
We are the data controller for the personal data described in this policy. This means we decide how and why your data is processed.
Contact details:
- Email: support@subnetlens.com
- Postal address: HELIOSOFT LTD, 128 City Road, London, EC1V 2NX, United Kingdom
2. What This Policy Covers
Subnetlens is a desktop application that runs locally on your computer. It is not a cloud service. The vast majority of data the Software processes never leaves your machine. This policy explains the limited circumstances in which data is transmitted externally, as well as what is stored locally.
3. Personal Data We Process
3.1 License Activation Data
When you activate a Pro license, the following data is sent to our payment and licensing provider:
| Data | Description |
|---|---|
| License key | The key you purchased, sent for validation and activation |
| Machine fingerprint | A pseudonymised identifier (a SHA-256 hash) derived from your computer's hardware properties: CPU model, primary network adapter MAC address, operating system, CPU architecture, and total RAM. This hash cannot be reversed to recover the original values and cannot identify you personally without additional information |
| Customer name | Returned by the licensing provider from your purchase record |
| Customer email | Returned by the licensing provider from your purchase record |
Your license key is revalidated automatically every 3 days while the Software is running, with a 7-day grace period for offline use.
Lawful basis: Contract performance (Article 6(1)(b) UK GDPR) -- this processing is necessary to fulfil our licensing agreement with you and to verify your entitlement to Pro features.
3.2 Public IP and Geolocation Data
When you manually choose to use the "Public IP" or "GeoIP" toolkit tools, the Software sends a request to a third-party IP information service. The data involved is:
| Data | Description |
|---|---|
| Your public IP address | Sent to ipinfo.io when you use the Public IP tool |
| A target IP address | Sent to ipinfo.io when you use the GeoIP tool (this may be your IP or another IP you specify) |
These tools only run when you explicitly activate them. The Software never sends IP information to external services automatically or in the background.
Lawful basis: Legitimate interest (Article 6(1)(f) UK GDPR) -- you have actively chosen to use these tools and expect them to query external services to function. You can achieve the same result by visiting ipinfo.io directly in your browser.
3.3 Bandwidth Test Data
When you manually choose to use the "Bandwidth Test" toolkit tool, the Software downloads a test file from Cloudflare's speed test service (speed.cloudflare.com) to measure your connection speed. No personal data is intentionally sent, but Cloudflare will see your IP address as part of the standard HTTP connection. You may also specify a custom test URL.
Lawful basis: Legitimate interest (Article 6(1)(f) UK GDPR) -- you have actively chosen to run this test.
3.4 Webhook Data (Scheduled Scans)
If you configure a webhook in the scheduled scan feature, the Software will send scan results to the URL you specify. This data may include:
- Schedule name, subnet, and scan type
- Device count and device details (IP addresses, hostnames, open ports)
- Change detection results (new, disappeared, or changed devices)
You control whether webhooks are enabled, which URL receives the data, and what scans trigger them.
Lawful basis: Consent (Article 6(1)(a) UK GDPR) -- you explicitly configure the webhook URL and choose to enable this feature.
3.5 HTTP Headers and TLS Check Tools
When you use the "HTTP Headers" or "TLS Check" toolkit tools, the Software connects to a server you specify to retrieve HTTP response headers or TLS certificate information. The target server will see your IP address as part of the connection. No data is sent to us.
Lawful basis: Legitimate interest (Article 6(1)(f) UK GDPR) -- you have actively chosen to query a specific server.
3.6 WHOIS Lookups
When you use the "WHOIS" tool, the Software queries the system WHOIS service for the domain or IP you specify. WHOIS servers will see your IP address. No data is sent to us.
Lawful basis: Legitimate interest (Article 6(1)(f) UK GDPR).
4. Data Stored Locally on Your Device
The following data is stored on your computer in the application data directory and is never transmitted to us or any third party (unless you explicitly use the webhook or export features):
| Data | Storage |
|---|---|
| Network scan results | Discovered devices (IP addresses, MAC addresses, hostnames, open ports, vendor information, SSH/HTTP banners) |
| Scan history and snapshots | Historical scan data for trend analysis and compliance |
| Credential vault | Usernames, passwords, and notes you store, encrypted locally with AES-256-GCM using a master password you set (PBKDF2 with 600,000 iterations) |
| IPAM reservations | IP address reservations and notes |
| Radar events and device history | Network monitoring events and device status changes |
| Scheduled scan configurations | Cron expressions, scan settings, webhook URLs |
| Application settings | Your preferences (theme, scan concurrency, enabled features) |
| Application state | Window position, last viewed page, selected network profile |
| License information | Your license key, activation status, and cached validation (obfuscated with machine-specific key) |
| Saved network maps | Map layouts and device positions |
| Tool settings and favourites | Stored in your browser's localStorage within the application |
Where Local Data Is Stored
Application data is stored in your user profile's application data directory (typically %APPDATA%\network-mapper on Windows). The credential vault uses its own encrypted store files (vault-meta.json and credentials.json).
5. Data Recipients (Third Parties)
We share personal data with the following third parties, only as described above:
| Recipient | Data Shared | Purpose | Location |
|---|---|---|---|
| Paddle (Paddle.com Market Limited) | Name, email, billing address, payment details (entered on their checkout, not transmitted by the Software) | Merchant of Record for HELIOSOFT LTD: processes payment, collects and remits applicable VAT/sales tax, handles refunds | United Kingdom / United States |
| Licensing backend (HELIOSOFT LTD self-hosted or Keygen.sh) | License key, pseudonymised machine fingerprint | License validation and activation | United Kingdom / United States |
| ipinfo.io (IpInfo Inc.) | Your public IP address or a target IP address | Public IP lookup and geolocation (only when you use these tools) | United States |
| Cloudflare (Cloudflare Inc.) | Your IP address (via standard HTTP connection) | Bandwidth speed testing (only when you use this tool) | United States / Global CDN |
We do not sell, rent, or trade your personal data to any third party.
6. International Data Transfers
When data is sent to the third-party services listed in Section 5, it may be transferred to and processed in the United States or other countries outside the United Kingdom.
These transfers are protected by the following safeguards:
- LemonSqueezy, ipinfo.io, and Cloudflare operate under contractual commitments and industry-standard security practices. Transfers to the United States are made in reliance on the UK Extension to the EU-US Data Privacy Framework or, where applicable, Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office.
- The machine fingerprint sent to LemonSqueezy is pseudonymised (a one-way hash) and cannot identify you on its own.
7. Data Retention
| Data | Retention Period |
|---|---|
| License validation cache | Refreshed every 3 days; stored until you deactivate your license or uninstall the Software |
| Network scan data and history | Stored indefinitely on your device until you delete it through the Software or remove the application data directory |
| Credential vault | Stored indefinitely on your device until you delete entries or reset the vault |
| Radar events | Configurable maximum; stored on your device until you clear them |
| Application settings and state | Stored until you reset settings or remove the application data directory |
| Tool settings and recent targets | Stored in localStorage until you clear browser data within the application |
We do not retain any of your data on our servers. All data listed above is stored locally on your device.
8. What Happens When You Uninstall
Uninstalling the Software does not automatically delete your application data. Your scan results, credential vault, settings, and other stored data will remain in the application data directory.
To fully remove all data, delete the application data directory from your user profile after uninstalling. On Windows, this is typically located at:
`` %APPDATA%\network-mapper ``
9. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access -- You can request a copy of the personal data we hold about you.
- Right to rectification -- You can ask us to correct inaccurate personal data.
- Right to erasure -- You can ask us to delete your personal data. For license data held by LemonSqueezy, you can deactivate your license from within the Software (which removes the machine fingerprint from their records) or contact us to request full deletion.
- Right to restriction of processing -- You can ask us to restrict how we use your data in certain circumstances.
- Right to data portability -- You can request your data in a commonly used, machine-readable format. The Software includes built-in export features (CSV, JSON) for scan data, device data, events, and vault credentials.
- Right to object -- You can object to processing based on legitimate interests (Sections 3.2, 3.3, 3.5, and 3.6 above). Since these tools only run when you choose to use them, you can simply not use them.
- Rights related to automated decision-making -- The Software does not make any automated decisions that produce legal or similarly significant effects on you.
To exercise any of these rights, contact us at support@subnetlens.com.
We will respond to your request within one month. In rare cases where your request is complex, we may extend this by a further two months, but we will let you know within the first month.
10. Right to Complain
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: https://ico.org.uk/make-a-complaint/
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would appreciate the chance to address your concerns before you contact the ICO, so please reach out to us first.
11. Cookies and Tracking
The Software is a desktop application. It does not use cookies, web beacons, pixel tags, or any browser-based tracking technologies. We do not embed any analytics, telemetry, or usage-tracking services in the Software.
12. Children and Age Requirement
The Software is not intended for use by anyone under the age of 16. If you are under 16, you must have the consent of a parent or guardian to use the Software, in accordance with the terms of our End User License Agreement.
13. Security Measures
We take the security of your data seriously:
- Local-first architecture: The vast majority of your data never leaves your computer.
- Credential vault encryption: Your stored credentials are encrypted with AES-256-GCM, using a key derived from your master password via PBKDF2 with 600,000 iterations and a random 32-byte salt. We never have access to your master password or vault contents.
- Pseudonymised machine fingerprint: The identifier sent for license validation is a one-way SHA-256 hash. We deliberately excluded your computer's hostname from the fingerprint calculation to minimise personal data (data minimisation principle).
- Brute-force protection: The credential vault locks after 5 failed master password attempts.
- SSRF protection: Webhook URLs are validated to prevent requests to internal/private network addresses.
- Input validation: All IPC calls between the application's processes validate and sanitise inputs.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Last updated" date at the top of this policy.
- For material changes, we will notify you through the Software or our website.
- Continued use of the Software after notification constitutes acceptance of the updated policy.
We encourage you to review this policy periodically.
15. Contact Us
If you have any questions about this Privacy Policy or how we handle your data:
- Email: support@subnetlens.com
- Postal address: HELIOSOFT LTD, 128 City Road, London, EC1V 2NX, United Kingdom
*This Privacy Policy is governed by the laws of England and Wales and the UK General Data Protection Regulation (UK GDPR).*