Privacy Policy
Last updated: March 20, 2026
1. Introduction
VulNinja LLC ("vul.ninja," "we," "us," or "our") operates the vul.ninja cloud security platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.
2. Information We Collect
Account Information
When you create an account, we collect your name, email address, and organization name. If you sign in via Microsoft Entra ID, we receive your organizational profile information from Microsoft.
Cloud Security Data
When you connect cloud accounts (AWS, Azure, GCP) for scanning, we access your cloud environment's security configuration using the read-only credentials you provide. This includes:
- Security findings from cloud-native security services
- Resource configuration metadata
- IAM policy information
- Compliance assessment results
We do not access your application data, customer data, or workload contents. Our scanning is limited to security configuration and posture assessment.
AI Processing Data
When you use our AI agent features, security findings are sanitized before AI processing. All sensitive identifiers (account IDs, resource names, email addresses, API keys) are automatically redacted or hashed before being sent to AI services. See our AI data handling practices in Section 5.
Usage Data
We collect standard usage data including pages visited, features used, browser type, and IP address for service improvement and security purposes.
Payment Information
Payment processing is handled by Stripe. We do not store your credit card numbers or banking details. Stripe's privacy policy governs the handling of payment data.
3. How We Use Your Information
- To provide and maintain the vul.ninja platform
- To perform security scans of your cloud environments
- To generate security reports and recommendations
- To power AI-assisted investigation and remediation (when enabled)
- To process payments and manage subscriptions
- To send service notifications (scan completions, security alerts)
- To improve our platform and develop new features
- To comply with legal obligations
4. Data Sharing
We do not sell your personal information. We share data only in these circumstances:
- Service Providers: We use third-party services (Stripe for payments, SendGrid for email, Azure for hosting) that process data on our behalf under data processing agreements.
- AI Services: Sanitized (not raw) security findings are processed by AI services for analysis. No personally identifiable information or raw cloud credentials are sent to AI providers.
- Legal Requirements: We may disclose information if required by law, subpoena, or court order.
5. AI Data Handling
Our AI features implement the following safeguards:
- All data is sanitized before AI processing (account IDs, resource names, and credentials are redacted)
- AI providers operate under zero data retention policies
- Your data is never used to train AI models
- AI features are optional and can be disabled per organization
- A complete audit trail of all AI operations is maintained
6. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS 1.2+) and at rest
- Cloud credentials encrypted with Fernet symmetric encryption
- Azure Managed Identity for service-to-service authentication
- JWT-based authentication with token expiration
- Role-based access control within organizations
7. Data Retention
Scan results and security reports are retained for the duration of your subscription. Upon account deletion, we remove your data within 30 days. Cloud credentials are deleted immediately upon disconnection.
8. Your Rights
You have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your account and associated data
- Export your scan reports
- Disable AI features for your organization
- Disconnect cloud accounts at any time
9. Cookies
We use essential cookies for authentication and session management. We do not use third-party tracking cookies or advertising cookies.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the platform.
11. Contact Us
If you have questions about this Privacy Policy, contact us at privacy@vul.ninja.