1. Who we are
VulnVerify (“we”, “us”) is operated from Egypt and provides a vulnerability intelligence service used by customers globally. For the purposes of GDPR and similar regulations, we act as both data controller (for account data) and data processor (when handling content you submit through our service).
You can reach our team at contact@vulnverify.com or for privacy-specific matters at privacy@vulnverify.com.
2. Data we collect
We collect only data that is necessary to operate the service:
- Account data: your name, email address, hashed password, organization, and subscription tier.
- Usage data: search queries, saved searches, watched vulnerabilities, alerts you configure, and the records you view. We use this to provide and improve the service.
- Billing data: for paid plans, we collect billing-related information via our payments processor. We never see or store your full card number.
- Technical data: IP address, browser user-agent, device type, and approximate region for security and rate-limiting.
3. How we use your data
We use the data described above to: deliver the service, authenticate you, send transactional emails (verification, password reset, billing receipts), enforce per-tier usage limits, detect and prevent abuse, and improve the product.
We do not sell your personal data. We do not use your data to train third-party AI models. We do not share your search history or watchlists with anyone outside the VulnVerify team.
4. Legal basis for processing (GDPR)
For users in the European Economic Area, UK, and other regions with similar regulations, our legal basis for processing your personal data is:
- Contract: to deliver the service you signed up for.
- Legitimate interests: to keep the service secure, prevent abuse, and improve the product.
- Consent: for optional marketing communications, which you can withdraw at any time.
- Legal obligation: where applicable, to comply with tax or law-enforcement requirements.
5. Third-party services
We use a small number of trusted sub-processors to operate the service. Each has been chosen for its security posture and contractual data-protection commitments:
- Stripe — payment processing for subscriptions. Card data is sent directly to Stripe (a PCI-DSS Level 1 processor); we receive only billing metadata (e.g. last 4 digits, billing country).
- Resend — transactional email delivery (verification, password reset, receipts).
- PostHog — product analytics with EU-region hosting. We track usage events, not the content of your searches.
- Cloud hosting — the application is hosted by a major cloud provider in the EU region.
A current list of sub-processors is available on request to privacy@vulnverify.com.
6. How we source vulnerability findings
VulnVerify is a defensive threat-intelligence service. Our findings are collected from publicly accessible underground sources, including dark-web forums and marketplaces, paste sites, ransomware leak sites, public exploit databases, and Telegram channels. We never conduct unauthorized testing against any organization's infrastructure.
Every finding is manually verified by a security researcher with a working proof-of-concept before publication. We retain a pseudonymous researcher handle (e.g. “VR-001”) for audit attribution; the researcher's legal identity is never stored alongside findings.
We deliberately omit specific forum or marketplace names from public records and external communications, both for source protection and to avoid drawing attention to underground venues. The broad category (e.g. “underground-forum,” “exploit-marketplace”) is recorded for each finding.
7. Executive contact data (cold-outreach pipeline)
If you received an unsolicited “preliminary threat report” email from us, this section explains how we got your contact information and your rights under GDPR Article 14, CAN-SPAM, and CASL.
Source of your data: We obtain executive contact information (name, work email, title, LinkedIn URL) from Apollo.io, a B2B contact-enrichment provider whose data is sourced from publicly available business records and aggregated from published company materials. We do not scrape personal social media, leaked databases, or restricted directories.
Why we contact you: Our lawful basis is “legitimate interest” in notifying your organization of vulnerabilities affecting your domain that our research team has manually verified. This is consistent with the responsible-disclosure norms in the security industry and similar to threat-intelligence services like Recorded Future, Flashpoint, and Mandiant.
What we send: A single preliminary report (4 pages, no exploit specifics) and, if you don't respond or unsubscribe, no further automated outreach for the same finding. We never send the same domain more than once every 30 days, regardless of new findings.
Your rights: Every email contains a one-click unsubscribe link (RFC 8058). Clicking it immediately and permanently suppresses your domain from our outreach pipeline — we will not email anyone at your organization again. You can also email privacy@vulnverify.com to request: (a) what data we hold about you, (b) correction of inaccurate data, (c) immediate erasure, or (d) a copy of the Apollo.io entry we used. We respond within 30 days.
Retention: Executive contact records are cached for 30 days; after that they are re-enriched or expired. EmailCampaign records are retained for 24 months for audit and compliance, then anonymized.
8. Data retention
We keep your account data for as long as your account is active. Search history is kept for 90 days. Audit logs are kept for 12 months. Billing records are kept for the period required by Egyptian and applicable foreign tax law.
When you delete your account, we remove personal data within 30 days. We may retain anonymized aggregate data indefinitely.
9. Your rights
If you are in a region with applicable privacy laws (including the EU, UK, California, and Egypt), you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Erase your data (the “right to be forgotten”).
- Export your data in a portable format.
- Object to or restrict certain processing.
- Withdraw consent at any time where consent is the basis.
- Lodge a complaint with your local data protection authority.
Email privacy@vulnverify.com to exercise any of these rights. We respond within 30 days.
11. Security
Data is encrypted in transit (TLS 1.2+) and at rest. Passwords are hashed with bcrypt. Database access is restricted to authenticated services in a private network. We follow secure development practices and undergo periodic external review.
In the unlikely event of a personal-data breach affecting you, we will notify you and the relevant supervisory authority within 72 hours, in line with GDPR requirements.
12. International data transfers
Because we operate from Egypt and serve customers globally, your data may be transferred to, and processed in, countries outside your home jurisdiction. When transferring data internationally, we rely on Standard Contractual Clauses or equivalent safeguards as required by the GDPR.
13. Changes to this policy
We may update this policy from time to time. Material changes will be announced via email and on this page. The “Last updated” date at the top reflects the most recent revision.
14. Contact
Email privacy@vulnverify.com for privacy questions or contact@vulnverify.com for anything else.