Privacy Policy
How Vulnary collects, uses, and protects your data — including the source code, credentials, and engagement inputs you entrust to us.
1. Who we are & scope
Vulnary ("Vulnary", "we", "us", or "our") operates vulnary.com and the Vulnary platform: a software-as-a-service (SaaS) offensive-security offering through which customers run and manage security engagements — penetration tests, code review, and exploit verification — via our web portal. This Privacy Policy explains what personal data and customer material we collect, how and why we use it, who we share it with, and the rights you have over it.
This Policy applies to the Vulnary marketing site, the customer portal, and all related services (together, the "Services"). It does not apply to third-party websites, tools, or targets you choose to test, which are governed by their own terms. Where we act as a data controller we decide how and why data is processed (for example, your account and billing data). Where we handle material inside an engagement on your instructions — including code, scope, and credentials — we generally act as a data processor on your behalf, and your own agreement with us (the DPA and Master Services Agreement) governs that processing.
2. Information we collect
2.1 Account & contact data
When you register or are invited to an organization, we collect identity and contact details such as your name, work email address, organization/team name, role, and authentication metadata. We use passwordless, magic-link sign-in, so we do not store account passwords.
2.2 Engagement inputs (including sensitive material)
To run an engagement you provide the inputs that define and enable it. Depending on the engagement type, this can include highly sensitive material:
- Scope definitions — the in-scope targets, URLs, hostnames, IP ranges, and rules of engagement you authorize us to test.
- Source code — repositories, archives, or files you upload for code review.
- Credentials — usernames, passwords, tokens, keys, or other secrets you supply so we can perform authenticated testing.
- Third-party reports — pentest reports or findings you upload for exploit verification or re-testing.
- Engagement artifacts — findings, proofs-of-concept, exploits, logs, and reports produced during the engagement.
You are responsible for ensuring you are authorized to submit this material and to have us test the targets you define. Do not upload personal data that is not necessary for the engagement.
2.3 BYO AI-provider keys
Some plans let you bring your own AI-provider API key. Where you do, we store that key encrypted, use it solely to run your engagements, and never write it to logs. You may rotate or remove it at any time.
2.4 Automatically collected & usage data
When you use the Services we automatically collect technical and usage data — IP address, device and browser type, pages and features used, engagement telemetry, timestamps, and diagnostic/error logs. We use this to operate, secure, debug, and improve the Services.
2.5 Billing data
Paid plans require billing information. Card and payment details are collected and processed directly by our third-party payment processor; we receive only limited billing metadata (such as plan, transaction status, and the last four digits of a card). We do not store full card numbers.
2.6 Cookies
We use a small number of strictly necessary and analytics cookies. See our Cookies Policy for details and your choices.
3. How we use your information
- To provide, operate, and maintain the Services and run the engagements you request.
- To authenticate you (magic-link email sign-in) and manage your account and organization.
- To process the source code, scope, credentials, and other inputs strictly as needed to execute your engagement and produce its results.
- To bill you, prevent fraud, and manage subscriptions.
- To secure, monitor, debug, and improve the platform.
- To communicate with you about your account, engagements, security, and service changes.
- To comply with legal obligations and enforce our terms.
We do not sell your personal data, and we do not use your source code, credentials, or engagement inputs to train models or for any purpose beyond delivering your engagement.
4. Legal bases (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Providing the Services and running engagements | Performance of a contract (Art. 6(1)(b)) |
| Billing, fraud prevention, security | Contract and legitimate interests (Art. 6(1)(b), (f)) |
| Product analytics and improvement | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications (where applicable) | Consent (Art. 6(1)(a)) |
| Meeting legal and regulatory obligations | Legal obligation (Art. 6(1)(c)) |
Where we process engagement material on your behalf, your organization is the controller and determines the legal basis for that material; we act on your documented instructions as processor.
5. How engagement data, credentials & source code are protected
The material you entrust to us for an engagement — source code, credentials, scope, and reports — is treated as highly sensitive and handled under strict controls:
- Encryption — data is encrypted in transit (TLS) and at rest. Secrets such as credentials and BYO AI-provider keys are additionally encrypted at the application layer.
- Isolation — engagements run in isolated, per-customer execution environments; customer material is logically separated so one customer's data is never accessible to another.
- Access controls — access is limited to the minimum personnel and systems required to deliver the engagement, on a need-to-know basis, with authentication and logging.
- No secret logging — credentials and BYO keys are excluded from application logs and are never used outside your own engagements.
- Retention limits — engagement inputs and artifacts are retained only for the duration of the engagement plus a defined window (see Section 8), then deleted.
- Deletion on request — you may request early deletion of your engagement material at any time.
6. Sharing & subprocessors
We do not sell your data. We share it only with service providers ("subprocessors") who help us run the Services, and only to the extent needed. These include:
- Cloud hosting & infrastructure — to host the platform and run engagements.
- Email delivery (Resend) — to send magic-link authentication and transactional email.
- Payment processing — to handle billing and subscriptions.
- AI providers — to power engagement automation; where you use a BYO key, requests run against your own provider account.
Subprocessors are bound by contract to appropriate confidentiality and security obligations. A current list of subprocessors is maintained in our Trust Center. We may also disclose data where required by law or to protect our rights, and we may transfer data as part of a merger, acquisition, or reorganization (subject to this Policy).
7. International transfers
We and our subprocessors may process data in countries other than your own. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on appropriate safeguards — such as the European Commission's Standard Contractual Clauses and equivalent UK/Swiss mechanisms — to ensure your data receives an adequate level of protection.
8. Data retention
We keep personal data only as long as necessary for the purposes described in this Policy:
- Account data — for as long as your account is active, plus a reasonable period afterward for legal, security, and audit purposes.
- Engagement inputs (code, credentials, scope, reports) — for the duration of the engagement plus a defined retention window, after which they are deleted; credentials may be purged earlier once no longer needed.
- Engagement artifacts and findings — retained so you can access your results, subject to your deletion requests and plan terms.
- Billing records — as required by tax and accounting law.
- Logs and telemetry — for a limited operational and security period.
When a retention period ends, or on a valid deletion request, we delete or irreversibly anonymize the data.
9. Security
We maintain technical and organizational measures designed to protect your data against unauthorized access, alteration, disclosure, or destruction, including encryption, environment isolation, least-privilege access, monitoring, and logging. No system is perfectly secure, but security is central to how the platform is built. You can read more about our practices in the Trust Center.
10. Your rights
Depending on where you live (including under the GDPR and the California Consumer Privacy Act), you may have the right to:
- Access — obtain a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your personal data.
- Portability — receive your data in a structured, machine-readable format.
- Restriction & objection — restrict or object to certain processing, including processing based on legitimate interests and direct marketing.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
- Non-discrimination — exercise your rights without being penalized in the Services you receive.
To exercise any of these rights, contact us at [email protected]. We will respond within the timeframe required by applicable law and may need to verify your identity. If we process material on behalf of your organization as a processor, we will direct your request to that organization (the controller). You also have the right to lodge a complaint with your local data protection authority.
11. Children
The Services are intended for business use and are not directed to individuals under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us data, contact [email protected] and we will delete it.
12. Cookies
We use cookies and similar technologies for authentication, core functionality, and limited analytics. For details and your choices, see our Cookies Policy.
13. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date below and, where appropriate, notify you through the Services or by email. Your continued use of the Services after a change takes effect constitutes acceptance of the updated Policy.
14. How to contact us
For any privacy question or to exercise your rights, contact our privacy team — and Data Protection Officer, where one is designated — at:
- Email: [email protected]
- Data Protection Officer: [email protected] (attn: DPO)
Last updated: July 2026