Privacy Policy

ModernPentest ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered automated penetration testing platform and services (collectively, the "Services").

This policy applies to users worldwide and addresses the requirements of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws.

1. Information We Collect

1.1 Information You Provide

We collect information you provide directly to us, including:

• Account Information: Email address, name, profile picture, and authentication credentials when you create an account through our identity provider (Clerk).
• Organization Information: Company name, team size, industry, technology stack, and business goals during onboarding.
• Billing Information: Payment card details (processed by Stripe), billing address, and transaction history.
• Target Application Data: URLs, application names, descriptions, and configurations of systems you choose to test.
• Test Credentials: If you provide test user credentials for authenticated scanning, these are encrypted and stored securely.
• Communications: Information you provide when you contact our support team or participate in surveys.

1.2 Information Collected Automatically

When you use our Services, we automatically collect:

• Usage Metrics: Number of scans run, applications tested, reports generated, and feature usage patterns.
• Log Data: IP address, browser type and version, operating system, pages visited, time spent on pages, and referring URLs.
• Device Information: Device type, unique device identifiers, and mobile network information.
• Cookies and Similar Technologies: We use cookies and similar tracking technologies to collect and track information. See Section 10 for details.

1.3 Information from Third Parties

We may receive information about you from third parties, including:

• OAuth Providers: If you sign in using Google, GitHub, or Microsoft, we receive your basic profile information from these providers.
• Analytics Providers: Aggregated usage data from analytics services.

2. Scan Data Collection

When you use our security scanning services, we collect and process:

• Vulnerability Findings: Security vulnerabilities discovered during testing, including severity ratings, descriptions, and affected endpoints.
• Proof-of-Concept Evidence: Technical evidence demonstrating the existence of vulnerabilities, such as HTTP requests/responses and code snippets.
• Application Responses: HTTP responses, error messages, and other technical data received from your target applications during scanning.
• Remediation Guidance: AI-generated recommendations for fixing identified vulnerabilities.
• Compliance Reports: SOC 2-ready reports generated from scan results.

Important: We do not intentionally collect or store sensitive personal data (such as financial records, health information, or personal communications) from your target systems. If such data is inadvertently captured during scanning, it is treated with the highest level of confidentiality and deleted according to our retention policies.

3. How We Use Your Information

We use the information we collect to:

• Provide and Maintain Services: Operate our platform, execute security scans, and generate reports.
• Process Payments: Handle subscription billing, process transactions, and send receipts.
• Send Communications: Deliver scan completion notifications, security alerts, product updates, and support responses.
• Improve Our Services: Analyze usage patterns, identify bugs, and develop new features.
• AI Analysis: Use artificial intelligence (via Anthropic's Claude) to analyze vulnerabilities, reduce false positives, and generate remediation guidance.
• Security and Fraud Prevention: Detect and prevent fraudulent activity, unauthorized access, and abuse of our Services.
• Legal Compliance: Comply with applicable laws, regulations, and legal processes.
• Aggregated Analytics: Create anonymized, aggregated statistics about security trends and vulnerabilities (which cannot identify individual users or organizations).

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to fulfill our contractual obligations to you, such as providing security scanning services and generating reports.
• Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our Services, preventing fraud, and marketing (where you have not opted out).
• Legal Obligations: Processing necessary to comply with legal requirements, such as tax reporting and responding to legal requests.
• Consent: Where required by law, we obtain your consent before processing certain data, such as for marketing communications or cookies. You may withdraw consent at any time.

5. How We Share Your Information

5.1 Service Providers (Sub-processors)

We share your information with third-party service providers who assist us in operating our Services. All sub-processors are bound by Data Processing Agreements (DPAs) and are required to protect your data in accordance with applicable privacy laws.

• Clerk: Authentication, single sign-on (SSO), and identity management. Processes: email, name, profile data.
• Stripe: Payment processing and subscription management. Processes: payment card data, billing address, transaction history.
• Anthropic (Claude): AI-powered vulnerability analysis and remediation guidance. Processes: scan findings, application response data.
• Convex: Database infrastructure, real-time functionality, and file storage. Processes: all application data.
• Google Cloud Platform: Scanning infrastructure, compute resources, and data processing. Processes: scan execution data, target application responses.
• Vercel: Web application hosting and content delivery. Processes: usage logs, IP addresses.

5.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, government investigations).

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and any choices you may have regarding your information.

5.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

5.5 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. This applies to all users, including California residents under the CCPA.

6. Data Retention

We retain your information for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law.

• Account Data: Retained while your account is active and for 30 days after account deletion.
• Scan Results and Reports: Retained for 1 year to support compliance requirements and audit trails.
• Scan Logs: Retained for 180 days for debugging and support purposes.
• Security and Audit Logs: Retained for 7 years to comply with legal and regulatory requirements.
• System Logs: Retained for 1 year.
• Billing Records: Retained for 7 years to comply with tax and financial regulations.

After the retention period expires, data is securely deleted or anonymized.

7. Data Security

We implement industry-standard security measures to protect your information:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
• Encryption at Rest: Sensitive data is encrypted at rest using AES-256 encryption.
• Access Controls: Strict role-based access controls limit who can access your data within our organization.
• Multi-Factor Authentication: We support and encourage MFA for all user accounts.
• SOC 2 Type II Compliance: Our infrastructure and operations undergo regular SOC 2 Type II audits.
• PCI DSS Compliance: Payment data is handled in compliance with PCI DSS requirements through Stripe.
• Regular Security Testing: We conduct regular penetration testing and vulnerability assessments of our own systems.

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

8. Your Rights

8.1 Rights for All Users

Regardless of your location, you have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data (subject to legal retention requirements).
• Export: Request a copy of your data in a portable format.

8.2 Additional Rights for EEA/UK Residents (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights:

• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data under certain circumstances.
• Right to Restrict Processing: Request that we limit how we use your data.
• Right to Data Portability: Receive your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
• Right to Lodge a Complaint: Lodge a complaint with your local supervisory authority if you believe we have violated your rights.

8.3 Additional Rights for California Residents (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request information about the categories and specific pieces of personal information we have collected about you.
• Right to Delete: Request deletion of your personal information (subject to certain exceptions).
• Right to Opt-Out of Sale: We do not sell your personal information, so this right is not applicable.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

8.4 Exercising Your Rights

To exercise any of your rights, please contact us at privacy@modernpentest.com. We will respond to your request within 30 days (or sooner as required by law). We may need to verify your identity before processing your request.

9. International Data Transfers

ModernPentest is based in the United States, and your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

If you are located in the EEA, UK, or Switzerland, we protect your data during international transfers through:

• Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses for transfers to countries without an adequacy decision.
• Data Processing Agreements: All our sub-processors are bound by DPAs that include appropriate data protection safeguards.
• Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission.

10. Cookies and Tracking Technologies

10.1 Types of Cookies We Use

• Essential Cookies: Required for the operation of our Services, including authentication and session management.
• Functional Cookies: Remember your preferences and settings to enhance your experience.
• Analytics Cookies: Help us understand how visitors interact with our Services so we can improve them.

10.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our Services.

10.3 Do Not Track

We do not currently respond to "Do Not Track" signals. However, you can opt out of analytics tracking through your browser settings or by contacting us.

11. Children's Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us at privacy@modernpentest.com, and we will take steps to delete such information.

12. Third-Party Links

Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. For significant changes, we will also notify you by email.

We encourage you to review this policy periodically to stay informed about how we protect your information.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

• Email: privacy@modernpentest.com
• Website: https://modernpentest.com

15. Data Protection Officer

If you are located in the EEA or UK and have concerns about our data processing activities, you may contact our Data Protection Officer at:

• Email: dpo@modernpentest.com

16. Jurisdiction-Specific Terms

16.1 European Economic Area and United Kingdom

For users in the EEA and UK, ModernPentest acts as the data controller for your personal data. Our legal bases for processing are described in Section 4. You have the right to lodge a complaint with your local supervisory authority if you believe your rights have been violated.

16.2 California

For California residents, in addition to the rights described in Section 8.3:

• We have not sold personal information in the preceding 12 months.
• We have not disclosed personal information for a business purpose to any third party other than our service providers.
• You may designate an authorized agent to make requests on your behalf by providing written authorization.

16.3 Other Jurisdictions

If you are located in another jurisdiction with data protection laws that provide you with additional rights, please contact us to learn how we accommodate those requirements.

17. Effective Date

This Privacy Policy is effective as of December 5, 2025.