Privacy Policy

Last updated: June 7, 2026 - Governing law: State of Georgia, USA

We do not sell your data. Ever. This is not negotiable and will not change.

1. What We Collect

Account data: Name, email, organization name, role.

Usage data: Pages visited, features used, session timestamps.

Asset data: Device names, IP addresses, vendor and model information you enter to enable CVE matching.

CVE interaction data: Watchlist entries, dismissed findings, acknowledged CVEs.

Payment data: Handled entirely by Stripe. We never see card numbers, CVV codes, or full payment card data.

Communication data: Emails sent for magic links and configured alerts.

2. What We Do Not Collect

3. How We Use Your Data

We never use your asset data for any purpose other than providing the service to you.

4. Data Retention

Data TypeRetention Period
Account dataLife of subscription plus 90 days post-cancellation
Asset and finding dataDeleted within 30 days of account closure
Usage logs30 days rolling
Backups90 days
Audit logsPer subscription tier (30-365 days)

5. Data Storage and Security

6. Subprocessors

SubprocessorPurpose
OVHcloudInfrastructure hosting
CloudflareCDN, DDoS protection, SSL termination
StripePayment processing
ResendTransactional email delivery
AnthropicAI inference for SAGE analysis
ElevenLabsVoice synthesis (when enabled, Professional+ tier only)

Each subprocessor is bound by data processing agreements. We review subprocessors annually. We provide 30 days notice before adding new subprocessors.

7. Your Rights

8. Cookies

We use only essential session cookies. No advertising cookies. No third-party tracking cookies. Session cookies are httponly and secure, set with SameSite=Strict to prevent CSRF.

9. GDPR and CCPA

For EU residents: we process data under legitimate interest (providing the service you signed up for) and contract performance. For California residents: we do not sell personal information as defined by CCPA. Contact [email protected] for GDPR or CCPA requests.

10. Children

BreachSpider is not directed at persons under 18. We do not knowingly collect data from minors. If you believe a minor has provided us data, contact us immediately.

11. Contact

CITED Relevance LLC
Joshua Hayes, Data Controller
Jefferson, Georgia
[email protected]