VulneraX

Privacy Policy

Last updated: February 26, 2026

1. Introduction

This Privacy Policy describes how VulneraX, operated by Dimitris Marakomichelakis ("we," "us," or "our"), collects, uses, stores, and shares your personal information when you use our vulnerability management and security scanning platform.

We are committed to protecting your privacy and ensuring the security of your personal data. This policy complies with the General Data Protection Regulation (GDPR) and other applicable European Union data protection laws.

By using VulneraX, you agree to the collection and use of your information as described in this Privacy Policy. If you do not agree with this policy, please do not use our Services.

2. Information We Collect

We collect information you provide directly and information collected automatically when you use VulneraX.

2.1 Information You Provide Directly

  • Account Information: Email address, first name, last name, and account credentials when you register for an account
  • Payment Information: Billing details processed securely through Stripe. We do not store your full credit card or payment card number
  • Profile Settings: Preferences such as graph color choices and notification settings
  • User Content: Scan targets, vulnerability findings, reports, test profiles, team data, and other materials you upload or create

2.2 Information Collected Automatically

  • Usage Data: Information about how you use VulneraX, including pages visited, features used, scan activity, and session duration
  • Device Information: Device type, operating system, browser type, IP address, and device identifiers
  • Scan Metadata: Target URLs, scan configurations, vulnerability counts, and scan status information
  • Local Storage Data: Usage counters (e.g., dependency analyzer usage limits) stored locally on your device

2.3 Information from Third Parties

  • Payment Processor: Stripe provides us with transaction status and billing information

3. How We Use Your Information

We use your information for the following purposes:

  • Providing the Services: Operating and maintaining VulneraX, including conducting vulnerability scans, generating reports, and managing your account
  • Account Management: Creating and managing your account, processing subscriptions, and providing customer support
  • Payment Processing: Processing subscription payments through our payment provider, Stripe
  • Service Improvement: Analyzing usage patterns to improve our Services, develop new features, and optimize performance
  • Security and Fraud Prevention: Detecting and preventing unauthorized access, fraud, or other illegal activities
  • AI-Powered Analysis: Using AI services to analyze dependencies for vulnerabilities and assist with security assessments
  • Legal Compliance: Complying with applicable laws, regulations, and legal processes
  • Communications: Sending important service announcements, updates, and security alerts (you cannot opt out of essential communications)

We do not sell your personal information to third parties. We share your data only as described in this policy or with your consent.

5. Cookie Policy

VulneraX uses cookies and similar tracking technologies to enhance your experience and collect usage information.

5.1 Types of Cookies We Use

  • Essential Cookies: Required for the Services to function properly. These include session cookies for authentication, security, and basic functionality. You cannot disable these cookies.
  • Authentication Cookies: Remember your login state and authenticate you across pages. These are essential for security and access control.
  • Functional Cookies: Store your preferences, such as theme settings and display preferences, to personalize your experience.

5.2 Local Storage

We use browser local storage to track usage limits (e.g., dependency analyzer free tier usage) and persist certain settings. This data remains on your device and is not transmitted to our servers directly.

5.3 Third-Party Cookies

Our third-party service providers may set cookies on your device:

  • Stripe: For payment processing and fraud prevention
  • Google: For OAuth authentication and Firebase services

5.4 Managing Cookies

Most browsers allow you to:

  • View cookies stored on your device
  • Delete all or specific cookies
  • Block cookies from all or specific websites
  • Set preferences for first-party and third-party cookies

Note that blocking essential cookies may prevent you from using VulneraX or cause degraded functionality. We do not currently offer a cookie consent banner as we only use essential and functional cookies necessary for providing the Services.

6. Third-Party Services

We use trusted third-party services to operate VulneraX. Each provider has their own privacy policy governing how they process your data.

6.1 Stripe

Purpose: Payment processing and subscription management
Data: Payment information, billing address, transaction history
Privacy Policy: https://stripe.com/privacy

6.2 AI Services

Purpose: AI-powered dependency vulnerability analysis and security assessment
Data: Dependency package information from your package.json files (limited to 50 scans/month on Pro plans)
Privacy: Data sent to AI services is processed securely. We do not send sensitive authentication data or User Content beyond what is necessary for analysis.

These providers are data processors acting on our instructions. They are independent controllers for their own processing activities and maintain their own privacy policies and data practices.

7. Data Retention

We retain your personal data for as long as necessary to provide the Services and fulfill the purposes described in this Privacy Policy.

  • Account Data: Retained while your account is active and for 3 years after account deletion for legal and dispute resolution purposes
  • Scan Data: Retained as long as your account is active. Scan data is deleted within 90 days of account deletion
  • Payment Data: Retained as required by tax and accounting laws (typically 7-10 years for financial records)
  • Authentication Logs: Retained for 12 months for security and fraud prevention purposes
  • Marketing Data: Retained until you withdraw consent or opt out

After the retention periods above, we securely delete or anonymize your data. Some data may be retained longer if required by law or to resolve disputes.

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of Access: You can request a copy of the personal data we hold about you
  • Right to Rectification: You can request correction of inaccurate or incomplete personal data
  • Right to Erasure: You can request deletion of your personal data ("right to be forgotten")
  • Right to Restriction: You can request that we restrict processing of your data
  • Right to Data Portability: You can request a copy of your data in a structured, machine-readable format
  • Right to Object: You can object to processing based on legitimate interests or direct marketing
  • Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time

To exercise any of these rights, please contact us at: dimitrismarako@outlook.com

We will respond to your request within 30 days. We may need to verify your identity before processing certain requests.

You also have the right to lodge a complaint with a supervisory authority in your EU member state. For example, if you are in Greece, you can contact the Hellenic Data Protection Authority (HDPA).

9. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States where some of our service providers (Google, Stripe) are based.

When we transfer personal data outside the EEA, we ensure adequate protection through:

  • Standard Contractual Clauses: Contracts approved by the European Commission that require the recipient to protect personal data to EU standards
  • Adequacy Decisions: Transfers to countries deemed adequate by the European Commission
  • Google and Stripe: Both companies participate in the EU-US Data Privacy Framework and have implemented appropriate safeguards for data transfers

You can request more information about the safeguards we use for international transfers by contacting us.

10. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption: Data is encrypted in transit using TLS/SSL and at rest where technically feasible
  • Access Controls: Role-based access controls limit employee access to personal data
  • Secure Infrastructure: Built on Google Cloud Platform with industry-standard security features
  • Authentication: Secure authentication via Firebase Auth with OAuth provider options
  • Regular Updates: Security patches and software updates applied promptly
  • Incident Response: Procedures in place to respond to security incidents

While we strive to protect your personal data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

You play an important role in maintaining security by keeping your account credentials confidential and promptly reporting any unauthorized access.

11. Children's Privacy

VulneraX is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately. Upon verification, we will promptly delete such information.

By using VulneraX, you represent that you are at least 16 years of age, or that you are using VulneraX under the supervision of a parent or guardian who agrees to be bound by these terms.

12. Policy Updates and Contact

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated policy on this page
  • Updating the "Last updated" date
  • Displaying a notice within VulneraX (for significant changes)

We encourage you to review this Privacy Policy periodically.

Contact Information

For questions about this Privacy Policy, to exercise your rights, or to make data protection requests, please contact:

Dimitris Marakomichelakis
Email: dimitrismarako@outlook.com

I am a solo web developer committed to protecting your privacy. As a small developer, I may not have a dedicated data protection officer, but I take your privacy rights seriously and will respond to inquiries promptly.