Privacy Policy
Effective June 30, 2026 · Applies to https://vulnsea.com and the beta at beta.vulnsea.com.
VulnSea aggregates public CVE and vulnerability intelligence and serves it to humans and automated agents. This policy explains what we collect, why, and the choices you have. We collect the minimum needed to run the service and we do not sell your data.
1. Who we are
VulnSea ("we", "us") is the operator of this service and the data controller for the personal data described below. Contact: [email protected].
2. What we collect
Account data (via OAuth). When you sign in with GitHub or Google, we receive and store your name, email address, profile image URL, and the provider account identifier. We also store OAuth tokens (access, refresh, id) and granted scopes so the sign-in works. We do not receive your provider password.
Service data you create. Your role and plan, saved searches, watchlist entries, API keys, and any PoC requests you submit (including the optional note you attach). API keys are stored only as a SHA-256 hash plus a short display prefix — we cannot recover the full key after it is shown to you once.
Billing data (if you subscribe). When you start a paid plan we create a Stripe customer for you and store identifiers that link your account to your subscription (stripe customer id, subscription id, and plan status). Payments are processed by Stripe — we never receive or store your full card number. Stripe handles your card and billing details (including any tax/address info) under its own privacy policy.
Operational logs. Request and error logs (structured JSON) with secrets and API keys redacted; an admin audit trail of moderation actions (ban, unban, delete, key revocation); and ingest/monitoring events. To rate-limit and protect the service, our edge (Cloudflare) and the app process your IP address transiently.
Error tracking (optional). If enabled, we forward exception data to Sentry to debug crashes.
We do not use advertising or analytics trackers, and we set only the cookies required for authentication.
3. How we use it
- Authenticate you and keep you signed in.
- Provide the features you use (API access, saved searches, watchlist, alerts).
- Operate, secure, rate-limit, and debug the service.
- Enforce our Terms — including banning abusive accounts.
Legal bases (where GDPR applies): performance of our agreement with you (providing the service), and our legitimate interests in keeping the service secure and operational.
5. Retention
We keep account data while your account is active. Operational logs and backups are retained for a limited window (backups default to roughly two weeks). Audit-log entries are append-only and retained for security and accountability, and may persist after an account is deleted. Billing and tax records held by Stripe are retained by Stripe as required for financial and legal compliance.
6. Your rights & choices
You can view and manage your API keys and saved searches from your account page, and revoke keys at any time. Depending on your location you may have rights to access, correct, export, or delete your personal data, and to object to certain processing.
You can delete your account yourself from the bottom of your account page ("Delete account"). Deletion removes your account record and cascades to your sessions, OAuth links, API keys, saved searches, and watchlist; append-only audit entries recording prior moderation actions are retained. To exercise any other right, email [email protected].
7. Security
Traffic is served over HTTPS through Cloudflare. API keys are hashed at rest, secrets are redacted from logs, and admin actions are audited. No system is perfectly secure, but we aim to apply reasonable safeguards.
8. Children
VulnSea is not directed to children under 16 and we do not knowingly collect their data.
9. International transfers
Our providers may process data in countries other than yours. Where required, transfers rely on appropriate safeguards offered by those providers.
10. Changes
We may update this policy as the service evolves. Material changes will be reflected by a new effective date at the top of this page.
11. Contact
Questions or requests: [email protected].
See also our Terms of Service.