Privacy Policy

Last updated: March 28, 2026

1. Introduction

Pentrust (“Company,” “we,” “us,” or “our”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at pentrust.dev, our automated penetration testing platform, and related services (collectively, “Services”).

By using our Services, you consent to the data practices described in this Privacy Policy. If you do not agree with the data practices described in this policy, you should not use our Services.

2. Information We Collect

2.1 Personal Information.

We may collect personal information that you voluntarily provide to us when you:
  • Register for an account (name, email address)
  • Subscribe to our services (billing information, payment details)
  • Contact our support team
  • Participate in surveys or promotions
  • Sign up for newsletters

2.2 Authentication Information.

We collect and store authentication credentials you provide for gray-box or white-box testing, including:
  • Login credentials (encrypted)
  • API keys (encrypted)
  • VPN configurations (encrypted)

All sensitive credentials are encrypted using industry-standard encryption (AES-256) before storage.

2.3 Scan Data.

When you use our security testing Services, we collect:
  • Target domain and URL information
  • Scan configurations and parameters
  • HTTP requests and responses from the target
  • Discovered endpoints and parameters
  • Security findings and vulnerability data
  • Scan logs and execution traces
  • Screenshots of target applications

2.4 Usage Data.

We automatically collect certain information when you visit, use, or navigate our Services:
  • IP address and browser type
  • Device and operating system information
  • Pages visited and features used
  • Time spent on pages and click patterns
  • Referring website or application
  • Log data and error reports

2.5 Cookies and Similar Technologies.

We use cookies and similar tracking technologies to collect information about your browsing activities. See our Cookie Policy section below for more details.

3. How We Use Your Information

We use the information we collect for various purposes, including:

  • Providing Services: To operate, maintain, and provide our security testing Services, including executing scans, generating reports, and delivering findings.
  • Account Management: To create and manage your account, authenticate your identity, and provide customer support.
  • Billing: To process payments, send invoices, and manage subscriptions.
  • Communication: To send you updates, security alerts, technical notices, and respond to your inquiries.
  • Improvement: To analyze usage patterns, troubleshoot issues, and improve our Services' functionality and user experience.
  • Security: To detect, prevent, and address fraud, abuse, security risks, and technical issues.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.
  • AI Training: We may use anonymized scan data to improve our AI models and detection capabilities. Personal information and identifying details are removed before any such use.

4. How We Protect Your Information

We implement appropriate technical and organizational security measures to protect your personal information and scan data:

  • Encryption: All sensitive data is encrypted at rest (AES-256) and in transit (TLS 1.3). Credentials are additionally encrypted before database storage using our encryption service.
  • Access Controls: We implement role-based access controls (RBAC) and strict authentication requirements for internal access to systems.
  • Database Security: Row Level Security (RLS) policies ensure that you can only access your own data.
  • Regular Audits: We conduct regular security assessments and vulnerability scans of our own infrastructure.
  • Data Minimization: We only collect and retain data necessary for providing our Services.
  • Employee Training: Our staff undergo security awareness training and are bound by confidentiality obligations.

However, please be aware that no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

5. Data Retention

5.1 Retention Periods.

We retain your information for as long as your account is active or as needed to provide you with our Services. Specific retention periods:
  • Account Information: Retained for the duration of your account plus 30 days after deletion, unless legal obligations require longer retention.
  • Scan Results: Retained according to your subscription plan. You may delete scan history at any time through your dashboard.
  • Billing Information: Retained for 7 years as required by tax and accounting regulations.
  • Log Data: Retained for 90 days for security and debugging purposes.

5.2 Deletion.

When you delete your account or specific data, we will remove it from our active systems within 30 days. Backup copies may persist for up to 90 days before being permanently deleted.

6. Sharing and Disclosure

6.1 Third-Party Service Providers.

We may share your information with trusted third-party service providers who assist us in operating our Services:
  • Cloud hosting and infrastructure providers
  • Payment processors
  • Email and communication services
  • Analytics providers
  • AI/ML service providers (for vulnerability analysis)

These providers are contractually bound to use your information only for the purposes of providing services to us and maintaining appropriate security measures.

6.2 Legal Requirements.

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas).

6.3 Business Transfers.

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

6.4 With Your Consent.

We may share your information with third parties when we have your explicit consent to do so.

6.5 Aggregated Data.

We may share aggregated or anonymized information that does not identify you personally for research, analysis, or marketing purposes.

7. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information:

  • Access: You can request a copy of the personal information we hold about you.
  • Correction: You can request that we correct inaccurate or incomplete information.
  • Deletion: You can request that we delete your personal information, subject to certain legal exceptions.
  • Portability: You can request a copy of your data in a structured, machine-readable format.
  • Restriction: You can request that we limit the processing of your information.
  • Objection: You can object to the processing of your information for certain purposes.
  • Withdraw Consent: Where we rely on your consent, you can withdraw it at any time.

To exercise these rights, please contact us at [email protected]. We will respond to your request within 30 days.

7.1 GDPR Rights (EU/EEA Residents).

If you are in the European Union, you have additional rights under the GDPR. Our legal basis for processing your data is primarily performance of our contract with you (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)), where applicable.

7.2 CCPA Rights (California Residents).

California residents have specific rights under the CCPA, including the right to know what personal information we collect, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information.

8. Cookie Policy

We use cookies and similar technologies to enhance your experience on our Services:

  • Essential Cookies: Required for the operation of our Services (e.g., authentication, security).
  • Functional Cookies: Enable enhanced functionality and personalization (e.g., theme preferences).
  • Analytics Cookies: Help us understand how visitors interact with our Services (e.g., PostHog, Google Analytics).

You can control cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our Services.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have data protection laws that differ from your jurisdiction.

When we transfer data internationally, we implement appropriate safeguards, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions where applicable
  • Additional technical and organizational security measures

10. Children's Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete such information.

11. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you and the relevant supervisory authorities in accordance with applicable laws. We will provide such notification without undue delay after becoming aware of the breach, where required by law.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the “Last updated” date. For significant changes, we will provide additional notice (e.g., email notification). We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For data protection inquiries from EU residents, you may also contact our EU representative at [email protected].