Privacy Policy
pentes.io is an attack-surface monitoring service. To run it, we must store enough information to identify your account, verify that you own the domains and hosts you ask us to scan, schedule scans against assets you've proven you own, and bill you. This policy explains exactly what we collect, why, how long we keep it, and how you can make us delete it.
1. Data we collect
Account data
- Email address (required for sign-in and operational notices).
- Display name and avatar (if you sign in with Google — provided by Google's OAuth profile claim).
- Hashed password (only if you create a password-based account; we use argon2id).
- Account creation timestamp, last-login timestamp, IP address of the most recent login.
Assets and scan data
- Domains, hostnames, and IP addresses you submit as assets.
- The ownership-proof artifact you used to verify the asset (DNS TXT record value, file path, or HTTP header). We store both the artifact you supplied and the verification result.
- Scan job metadata: start/end time, scanner versions, configuration, exit code.
- Structured scan findings in SARIF 2.1.0 format, plus the LLM-triaged report we render from them.
Billing data
- Stripe customer ID, subscription tier, invoice IDs, last-4 of the payment instrument.
- We do not store full card numbers, CVV, or banking details — those live in Stripe and we only receive references.
Operational telemetry
- Web analytics via Google Analytics 4 with anonymize_ip enabled and allow_google_signals disabled — page paths, referrers, and aggregate device/region buckets only.
- Application server logs (request path, status code, latency, user-agent, truncated IP) retained for 30 days for abuse detection and incident response.
- Audit log entries (immutable, append-only) for every security-relevant action: asset verification, scan authorization, scan start/stop, report access. This log is the legal record that backs every scan and is retained for the life of the account plus 7 years.
2. How we use it
- To run the service: authenticate you, verify asset ownership, schedule and run scans, produce reports.
- To bill you: enforce plan quotas, generate invoices.
- To prove authorization: our worker re-verifies ownership at the moment of every scan; the audit log records that verification result and the per-scan authorization agreement you accepted.
- To detect abuse: rate-limiting, anomaly detection on scan volume, manual review of flagged accounts.
- To improve the product: aggregate, non-identifying usage analytics. We do not sell personal data, ever.
We do not use your scan findings, asset list, or report contents to train any third-party AI model. The LLM-triage step sends a SARIF blob plus minimal asset context (no secrets, no credentials, no raw response bodies) to our triage provider; neither the prompts we send nor the outputs we receive are retained by that provider, under the zero-data-retention terms configured on our API key.
3. Legal basis for processing (GDPR)
- Contract performance — account data, asset data, scan data, billing data: we need this to deliver the service you signed up for.
- Legitimate interest — operational telemetry and abuse detection: necessary to keep the service available and safe; the impact on you is limited by IP truncation and short retention.
- Legal obligation — invoice records (tax law), audit log retention (records of authorization for security testing).
- Consent — Google Analytics measurement; you can disable this in your browser via a DNT header or by blocking googletagmanager.com.
4. Sub-processors
We use the following sub-processors. Each is bound by a data processing agreement and processes data only to provide the listed function.
- Hetzner Online GmbH (Germany) — primary hosting for the API, database, and scanning plane.
- Cloudflare, Inc. (USA) — edge CDN, DDoS protection, R2 object storage for SARIF blobs and rendered reports.
- Stripe Payments Europe Ltd. (Ireland) — payment processing and subscription billing.
- Google LLC (USA) — Google Sign-In (OAuth) and Google Analytics 4 measurement.
- Anthropic, PBC (USA) — LLM triage of SARIF findings; zero data retention configured on our API key.
- SendGrid (Twilio Inc.) (USA) — transactional email (verification, password reset, invoice receipts).
If we add or change a sub-processor we will update this list and (for material changes) notify account holders by email at least 30 days in advance.
5. Retention
- Account data — for the life of your account; deleted within 30 days of account deletion (longer only where law requires us to keep e.g. invoice records).
- Scan findings and reports — for the life of your account by default; on account deletion, purged within 30 days from the database and within 7 days from object storage.
- Audit log — life of account plus 7 years. This is the legal record that backs the authorization for every scan we ran for you; it cannot be deleted on request during that period, because it is our evidence that each scan was authorized.
- Server logs — 30 days, rolling.
- Billing records (invoices) — 10 years, as required by EU and US tax law.
6. Your rights
If you are in the EU/UK you have GDPR rights to: access, rectification, erasure (subject to the retention carve-outs above), restriction of processing, data portability, and objection. If you are in California you have analogous CCPA/CPRA rights including the right to know and the right to delete. To exercise any of these, email privacy@pentes.io. We will respond within 30 days.
You may also lodge a complaint with your local data protection authority. We will not retaliate against you for doing so.
7. Security
See our Security page for the controls we run. In short: TLS 1.3 in transit, AES-256 at rest, strict tenant isolation on every database query, immutable audit log, non-destructive scanner posture enforced by the worker (not just policy), credentials and secrets never sent to the LLM.
8. Cookies & analytics
We use a small number of strictly-necessary cookies for authentication (session tokens) and CSRF protection. Google Analytics 4 sets its own cookies (_ga, _ga_*) for measurement; we run it with anonymize_ip on and allow_google_signals off so it does not feed Google's advertising graph. No third-party advertising cookies are set.
9. Children
pentes.io is not designed for and not directed at people under 18. We do not knowingly collect data from children. If you believe we have, email privacy@pentes.io and we will delete it.
10. Changes to this policy
While the product is in pre-GA development this policy is a living document — material changes will bump the version stamp at the top of this page and be announced to account holders by email at least 14 days before they take effect.
11. Contact
- Privacy questions and rights requests: privacy@pentes.io
- Security issues: see Responsible Disclosure
- Postal address: published on request — the operator is currently a single individual and we don't publish a home address. Email first.