Privacy Policy

Last updated: April 2026

1. Introduction

vulnr (“vulnr,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our automated vulnerability scanning platform, website (vulnr.app), and associated services (collectively, the “Service”).

By using the Service, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Service.

2. Information We Collect

Information you provide directly:

  • Email address and password for account registration
  • Full name and company name (if provided)
  • Domain names and URLs submitted for security scanning
  • Payment information (processed by Polar.sh — we do not store card details)
  • Communications you send to us (support emails, feedback)

Information collected automatically:

  • IP address and approximate geographic location
  • Browser type, version, language, and operating system
  • Device type and screen resolution
  • Pages viewed, time spent, and navigation patterns
  • Referral source (how you found us)
  • Authentication session tokens
  • User agent string

Security scan data:

  • DNS records associated with submitted domains
  • Publicly accessible information gathered during scanning
  • Vulnerability findings, severity ratings, and evidence
  • Port scan results and technology stack information
  • Scan history and remediation status

Payment information:

We do not store your credit card details. Payment processing is handled by Polar.sh, a PCI-compliant payment provider. We receive only a payment confirmation token, transaction amount, and subscription status.

3. How We Use Your Information

We use collected information for the following purposes:

  • To provide, operate, and maintain the vulnerability scanning Service
  • To create and manage your account and plan
  • To deliver security scan reports and findings to your dashboard
  • To process payments and manage subscriptions via Polar.sh
  • To send transactional emails (account verification, scan completion, payment receipts)
  • To improve our platform, fix technical issues, and develop new features
  • To detect and prevent fraud, unauthorized use, and abuse
  • To comply with legal obligations and respond to legal requests
  • To enforce our Terms of Service

We do not:

  • Sell your personal information to third parties
  • Send unsolicited marketing emails without your consent
  • Use your vulnerability scan data for any purpose other than providing the Service
  • Share your security scan results without your explicit written consent

4. Analytics

To understand how users interact with our Service and improve user experience, we may use privacy-respecting analytics tools that collect anonymized usage data such as page views, feature usage, and session duration. No personally identifiable information is shared with these analytics providers beyond what is necessary.

You can limit analytics collection by enabling “Do Not Track” in your browser settings.

5. Data Sharing and Disclosure

We share your information only in the following circumstances:

  • Service providers: Polar.sh (payment processing), cloud infrastructure providers (hosting, storage, workflow orchestration). These providers are bound by data processing agreements and access only data necessary to perform their services.
  • Legal compliance: When required by law, court order, subpoena, or governmental authority.
  • Fraud prevention: To protect against unauthorized use, such as scanning domains without authorization.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with appropriate confidentiality protections.
  • With your consent: When you explicitly direct us to share information with a third party.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

6. Data Retention

  • Account data: Retained for the duration of your account and for 30 days after deletion, unless required by law.
  • Scan reports and findings: Retained for 2 years after generation for audit purposes.
  • Session and analytics data: Retained for 90 days, then automatically deleted.
  • Payment records: Retained as required by financial regulations (typically 7 years).
  • Server logs: Retained for 30 days for security and debugging purposes.

You may request earlier deletion of your personal data by emailing [email protected]. Note that deletion may not be possible for records required by law or legitimate business purposes.

7. Data Security

We implement industry-standard security measures to protect your data:

  • All data in transit is encrypted using TLS 1.2 or higher
  • Data at rest is encrypted using AES-256
  • Passwords are hashed using bcrypt with appropriate salt rounds
  • Reports are stored in private, access-controlled object storage
  • Access to customer data is restricted to authorized personnel only
  • Rate limiting and brute-force protection on all authentication endpoints
  • We conduct regular security reviews of our own platform

Despite these measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

8. Your Rights (GDPR / CCPA / Global)

Depending on your location, you may have the following rights regarding your personal data:

  • Right to access: Request a copy of the personal data we hold about you.
  • Right to rectification: Correct inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data (“right to be forgotten”).
  • Right to portability: Receive your data in a structured, machine-readable format.
  • Right to restrict processing: Request that we limit how we use your data.
  • Right to object: Object to processing of your data for marketing purposes.
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent.
  • Right to opt-out of sale (CCPA): We do not sell personal data. This right is automatically satisfied.
  • Right to non-discrimination (CCPA): We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or sooner as required by applicable law).

9. Cookies and Session Storage

vulnr primarily uses browser session storage to maintain:

  • Authentication tokens for maintaining your logged-in session
  • User preferences and settings

We use minimal cookies strictly necessary for the Service to function. We do not use advertising or tracking cookies. You can manage cookies through your browser settings.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we learn that we have collected data from a person under 18, we will delete it promptly. If you believe we have collected information from a minor, please contact us immediately at [email protected].

11. International Data Transfers

vulnr operates globally. Your data may be transferred to, stored in, and processed in countries where our service providers maintain facilities. By using our Service, you consent to these transfers.

We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws, including Standard Contractual Clauses (SCCs) where required by the GDPR.

12. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by updating the “Last updated” date and, for significant changes, by sending an email or displaying a prominent notice. Your continued use of the Service after changes constitutes acceptance.

14. Contact Us

For privacy-related questions, data requests, or concerns: