Last updated: June 2026. Vulny SIA ("Vulny", "we", "us") is the data controller for personal data processed through the Vulny vulnerability scanning service. This policy explains what we collect, why, how we protect it, and the rights you have under the GDPR and other applicable data protection laws.
We collect only what we need to run the service:
We use your personal data to deliver and operate the scanner; authenticate you and secure your account; verify you are authorised to scan a target; process payments and prevent fraud; send service emails (verification, trial, billing, security alerts and reminders); provide support; monitor performance and improve the product; and meet legal and accounting obligations.
We rely on: performance of our contract with you (providing the service and billing); our legitimate interests (securing the platform, preventing abuse, product improvement and limited direct marketing to existing customers); your consent where required (e.g. non-essential cookies or marketing where consent is the lawful basis); and legal obligation (tax and accounting records).
We do not sell your personal data. We share it only with trusted sub-processors who act on our instructions under data processing agreements:
| Provider | Purpose | Location |
|---|---|---|
| Cloud hosting (k3s on a VPS within the EU) | Running the platform and storing data | EU |
| Stripe | Payment processing | EU / US |
| Email delivery (our mail server) | Transactional & service emails | EU |
We may also disclose data where required by law, to protect our rights, or in connection with a corporate transaction (e.g. merger), in which case you will be notified.
Our platform and data are hosted within the EU. Where a sub-processor (e.g. a payment processor) processes data outside the EU/EEA, the transfer is protected by an adequacy decision or EU Standard Contractual Clauses, so your data receives an equivalent level of protection.
We keep account and scan data while your account is active. After you delete your account, tenant data is removed (cascaded by tenant), except where we must retain certain records — for example invoices and tax records are kept for the period required by law (typically up to 7 years). Security and audit logs are kept for a limited period for fraud prevention and incident investigation.
We apply technical and organisational measures to protect your data, including encryption in transit (TLS), encrypted storage of secrets, hashed passwords, role-based access controls, tenant isolation, and audit logging. No method of transmission or storage is completely secure, but we work to protect your information and to notify you and the relevant authority of a qualifying personal data breach without undue delay.
Subject to applicable law, you have the right to access, correct, export (portability), delete, restrict or object to the processing of your personal data, and to withdraw consent at any time. Export and account deletion are available directly in your account settings, or by emailing us. We honour erasure requests subject to legal retention obligations. If you are in the EU/EEA and believe we have not handled your data lawfully, you have the right to lodge a complaint with your local data protection supervisory authority.
We use a strictly necessary session cookie to keep you signed in. We do not use advertising or cross-site tracking cookies. Any optional analytics cookies are only set with your consent and can be declined without affecting the service.
Vulny is a business service and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.
We may update this policy from time to time. We will post the new version here with a revised "Last updated" date and, for material changes, notify you by email or in-app.
For any privacy request or question, contact support@vulny.app. Data controller: Vulny SIA, registration number 40203753831, registered office Kazaru street 4-59, Saurieši, Latvia (company register).