Privacy Policy
1. What We Collect
Account data: Name, email, organization name, role.
Usage data: Pages visited, features used, session timestamps.
Asset data: Device names, IP addresses, vendor and model information you enter to enable CVE matching.
CVE interaction data: Watchlist entries, dismissed findings, acknowledged CVEs.
Payment data: Handled entirely by Stripe. We never see card numbers, CVV codes, or full payment card data.
Communication data: Emails sent for magic links and configured alerts.
2. What We Do Not Collect
- We do not scan your network
- We do not collect OT network traffic or process data
- We do not collect PLC ladder logic or engineering configurations
- We do not retain SAGE conversation content beyond the active session
- We do not use tracking pixels or third-party advertising cookies
- We do not sell your data -- ever
3. How We Use Your Data
- To provide the BreachSpider service
- To send alerts and notifications you configure
- To generate reports you request
- To improve the platform (aggregated, anonymized usage patterns only)
- To communicate account and billing information
We never use your asset data for any purpose other than providing the service to you.
4. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Life of subscription plus 90 days post-cancellation |
| Asset and finding data | Deleted within 30 days of account closure |
| Usage logs | 30 days rolling |
| Backups | 90 days |
| Audit logs | Per subscription tier (30-365 days) |
5. Data Storage and Security
- All data stored on OVHcloud infrastructure, US-East region
- No data transferred outside the United States without your consent
- Encryption in transit: TLS 1.2+ via Cloudflare on all connections
- Encryption at rest: OVHcloud infrastructure-level encryption
- Authentication: magic link only -- no passwords stored
- Access controls: role-based, member isolation enforced at database level
- API keys: SHA-256 hashed -- raw key shown only once at generation
6. Subprocessors
| Subprocessor | Purpose |
|---|---|
| OVHcloud | Infrastructure hosting |
| Cloudflare | CDN, DDoS protection, SSL termination |
| Stripe | Payment processing |
| Resend | Transactional email delivery |
| Anthropic | AI inference for SAGE analysis |
| ElevenLabs | Voice synthesis (when enabled, Professional+ tier only) |
Each subprocessor is bound by data processing agreements. We review subprocessors annually. We provide 30 days notice before adding new subprocessors.
7. Your Rights
- Right to export your data: Contact [email protected]
- Right to deletion: Processed within 30 days of written request
- Right to correction: Update profile at any time in Account settings
- Right to restrict processing: Contact [email protected]
8. Cookies
We use only essential session cookies. No advertising cookies. No third-party tracking cookies. Session cookies are httponly and secure, set with SameSite=Strict to prevent CSRF.
9. GDPR and CCPA
For EU residents: we process data under legitimate interest (providing the service you signed up for) and contract performance. For California residents: we do not sell personal information as defined by CCPA. Contact [email protected] for GDPR or CCPA requests.
10. Children
BreachSpider is not directed at persons under 18. We do not knowingly collect data from minors. If you believe a minor has provided us data, contact us immediately.
11. Contact
CITED Relevance LLC
Joshua Hayes, Data Controller
Jefferson, Georgia
[email protected]