Privacy Policy

Information you provide. When you submit a form on the site, to request a pentest, ask for a consultation, or open a sample report, we collect the details you give us. These may include your name, email address, company name, role or job title, the URL of your website or app, and any project details or message you choose to include. The only required field is your email address.

Information collected automatically. When you visit the site, our servers and infrastructure providers automatically receive standard technical information such as your IP address, browser type, and the pages you request. We use this for security, abuse prevention, rate-limiting, and keeping the site running. We do not use it to build advertising profiles.

Cookies and analytics. We use a functional cookie to remember your light or dark theme preference, and Google Analytics (GA4) to understand how the site is used so we can improve it. Google Analytics sets first-party cookies (such as _ga) and processes usage data, including a truncated/anonymized IP, on our behalf. We do not sell this data or use it for advertising. Our bot-protection provider may also set its own cookies or process device signals to tell humans apart from bots. See “How we share information” below, and you can opt out of Google Analytics with Google's browser add-on.

Engagement information. If you become a client, we access only the systems, accounts, and data you explicitly authorize us to test, and only for the purpose of the engagement. How we handle findings and anything encountered during testing is governed by your engagement agreement and our Terms of Service, and such material is treated as confidential.

We use the information we collect to:

• Respond to your inquiries and provide the sample report or information you request;
• Scope, quote, deliver, and support our services;
• Protect the site and our systems against fraud, abuse, and security threats;
• Comply with legal obligations and enforce our Terms;
• Understand and improve the site and our offerings.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

Where the GDPR or UK GDPR applies, we process personal data on one or more of these bases: your consent (for example, when you submit a form); our legitimate interests in operating and securing the site, responding to inquiries, and marketing our services to businesses; performance of a contract when we deliver services you have engaged us for; and compliance with our legal obligations.

We share personal information only with:

• Service providers who help us operate, including our CRM provider (to manage inquiries), our team-communication tools (to alert us to new inquiries), our analytics provider (Google Analytics, to measure site usage), our hosting and infrastructure providers, our bot-protection provider, and our rate-limiting provider. They process data on our behalf under contract.
• Professional and security partners, including our testing partner, where needed to deliver the services and subject to confidentiality.
• Legal and safety recipients, where we believe disclosure is required by law or necessary to protect rights, safety, or the integrity of our systems.
• A successor entity, in connection with a merger, acquisition, or sale of assets, subject to this policy.

We can provide the current list of providers on request.

We keep personal information only as long as needed for the purposes described here: to respond to your inquiry, manage our relationship, meet legal and accounting obligations, and resolve disputes. After that we delete or anonymize it. Engagement materials and findings are retained as set out in your engagement agreement and then securely destroyed.

We apply administrative, technical, and physical safeguards appropriate to the sensitivity of the information, including encryption in transit, access controls, and least-privilege practices. No method of transmission or storage is perfectly secure, but security is our discipline and we treat your data accordingly.

We and our providers may process information in countries other than your own. Where required, we rely on appropriate safeguards, such as standard contractual clauses, for international transfers.

Depending on where you live, you may have the right to access, correct, delete, or receive a copy of your personal information, to object to or restrict certain processing, and to withdraw consent. California residents have rights under the CCPA and CPRA, including the right to know, delete, and opt out of the “sale” or “sharing” of personal information, neither of which we do.

To exercise any right, email us at hello@vibesecurely.com and we will respond as required by law. You may also lodge a complaint with your local data-protection authority.

The site and services are intended for businesses and are not directed to children under 16. We do not knowingly collect information from children.

The site links to third-party sites, for example posts on X and our testing partner's site, and may display publicly available content with attribution. We are not responsible for the privacy practices of those third parties.

We may update this policy from time to time. We will revise the “Last updated” date above, and for material changes we will take any additional steps required by law.

Questions about this policy, or want to exercise a privacy right? Email hello@vibesecurely.com.