Privacy Policy

Last updated: November 7, 2025

1. Introduction

Vulnalyze AB ("we", "our", or "us"), a company registered in Sweden, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the Swedish Data Protection Act (Dataskyddsförordningen).

2. Data Controller

The data controller responsible for your personal data is:

Vulnalyze AB
Email: privacy@vulnalyze.com

3. Data Protection Officer

You can contact our Data Protection Officer at: dpo@vulnalyze.com

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under Article 6 of the GDPR:

  • Contract Performance: Processing necessary for the performance of our service agreement with you
  • Legitimate Interests: Processing necessary for our legitimate interests or those of third parties
  • Legal Obligations: Processing necessary to comply with legal obligations
  • Consent: Where you have given explicit consent for specific processing activities

5. Types of Data We Collect

5.1 Account Information

  • Name and email address
  • GitHub account information
  • Organization details
  • Payment information (processed securely through Stripe)

5.2 Usage Data

  • IP addresses and browser information
  • Service usage patterns and preferences
  • Token consumption and scan history
  • Error logs and performance data

5.3 Repository Data

  • Code repository metadata
  • Scan results and vulnerability reports
  • Commit and pull request information

6. Purpose of Processing

We process your personal data for the following purposes:

  • Providing and maintaining our security analysis service
  • Processing payments and managing subscriptions
  • Communicating with you about service updates and security alerts
  • Improving our service and developing new features
  • Complying with legal obligations and preventing fraud
  • Protecting our rights and the security of our service

7. Data Sharing and Transfers

7.1 Third-Party Service Providers

We may share your data with trusted third parties including:

  • GitHub: For repository integration and authentication
  • Stripe: For payment processing (PCI-DSS compliant)
  • Railway: For secure cloud hosting within the EU
  • Anthropic: For AI/ML services with appropriate safeguards

7.2 International Data Transfers

When we transfer personal data outside the EU/EEA, we ensure appropriate safeguards are in place, such as:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission
  • Binding Corporate Rules where applicable

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy:

  • Account data: Duration of account plus 3 years
  • Payment records: 7 years (Swedish accounting law requirements)
  • Scan results: 90 days after scan completion
  • Log data: 6 months for security and debugging purposes

9. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of Access (Article 15): Request a copy of your personal data
  • Right to Rectification (Article 16): Request correction of inaccurate data
  • Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing (Article 18): Request limitation of data processing
  • Right to Data Portability (Article 20): Receive your data in a portable format
  • Right to Object (Article 21): Object to certain types of processing
  • Right to Withdraw Consent (Article 7): Withdraw consent at any time

To exercise these rights, please contact us at privacy@vulnalyze.com. We will respond within 30 days as required by GDPR.

10. Data Security

We implement appropriate technical and organizational measures to ensure data security, including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Regular security audits and vulnerability assessments
  • Access controls and authentication mechanisms
  • Employee training on data protection
  • Incident response procedures
  • Regular backups and disaster recovery plans

11. Data Breach Notification

In the event of a personal data breach, we will notify the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) within 72 hours as required by Article 33 of GDPR. If the breach is likely to result in high risk to your rights and freedoms, we will also notify you directly without undue delay.

12. Cookies and Tracking

We use cookies and similar technologies to enhance your experience. Our use of cookies includes:

  • Essential cookies: Required for service functionality
  • Analytics cookies: To understand service usage (with consent)
  • Preference cookies: To remember your settings

You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect service functionality.

13. Children's Privacy

Our service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete such information.

14. Swedish Data Protection Authority

You have the right to lodge a complaint with the Swedish supervisory authority:

Integritetsskyddsmyndigheten (IMY)
Box 8114
104 20 Stockholm
Sweden
Phone: +46 8 657 61 00
Email: imy@imy.se
Website: www.imy.se

15. Marketing Communications

We will only send you marketing communications with your explicit consent, which you can withdraw at any time. Service-related communications (security alerts, account notifications) are not considered marketing and are necessary for service provision.

16. Automated Decision-Making

Our service uses AI for code analysis, but we do not use automated decision-making that produces legal effects or similarly significantly affects you. All critical security decisions are subject to human review.

17. Privacy by Design

We implement privacy by design principles in accordance with Article 25 of GDPR, including:

  • Data minimization - collecting only necessary data
  • Purpose limitation - using data only for stated purposes
  • Privacy-enhancing technologies
  • Default privacy settings that protect your data

18. Updates to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or through the service. The "Last updated" date at the top indicates the most recent revision.

19. Contact Us

For questions about this Privacy Policy or our data practices, please contact privacy@vulnalyze.com.

20. Language

This Privacy Policy is provided in English. In case of any discrepancy between the English version and translations, the English version shall prevail. A Swedish-language version is available upon request.