
Privacy Policy

Your data stays yours. We built Auto-Offensive with privacy-first principles — no data selling, no hidden tracking, just security testing done securely.


We only collect what's needed to run the platform and keep your account secure.

  • Account: Email, username, bcrypt-hashed password, encrypted API tokens
  • Scan Data: Targets, findings, logs, metadata — isolated to your account
  • Usage Signals: Features used, scan frequency, tool selection, login history
  • Technical: IP address, browser/OS, device type — for security & abuse prevention
Repository scanning is opt-in. We only access GitHub/GitLab when you explicitly authorize it.

Auto-Offensive is fully compliant with the General Data Protection Regulation (GDPR) and other international data protection laws.

  • Compliance: GDPR (EU/UK), CCPA (California), LGPD (Brazil)
  • Data Controller: Auto-Offensive Technologies Ltd.
  • DPO Contact: dpo@auto-offensive.com
  • Data Protection: SHA-256 encryption, annual audits
Your data stays yours. We are committed to data sovereignty — your scan data is stored in your designated region unless you choose otherwise.
  • Lawful Basis: Performance of contract (service delivery) and legitimate interests (security)
  • Right to Access: Get a copy of all personal data we hold within 30 days
  • Right to Rectification: Correct inaccurate personal data instantly
  • Right to Erasure: Request deletion ("right to be forgotten") with no delay
  • Data Portability: Receive your data in machine-readable format (JSON/CSV)
  • Right to Object: Opt out of processing for marketing or legitimate interests
  • International Transfers: Protected by Standard Contractual Clauses (SCCs)
  • Cross-Border Transfers: GDPR-compliant via EU-US Data Privacy Framework

For GDPR data requests, email dpo@auto-offensive.com — we respond within 72 hours as required by Article 12.

What we use your data for:
  • Run and store your scans, display results in your dashboard
  • Manage authentication and account security
  • Enforce fair usage limits (3 scans/day on free tier)
  • Detect and prevent platform abuse or DDoS misuse
  • Use anonymized scan patterns to improve vulnerability detection
  • Send scan completion alerts and security notifications

What we never do:
  • Sell, rent, or trade your data to anyone
  • Use your personal scan results for commercial purposes

You own it entirely. Scan configs, findings, reports, history — all yours. Each account is fully isolated at the database level.

On AI training: We may use anonymized, aggregated patterns to improve detection models. We never identify your org, expose specific findings, or use raw data commercially.

Export your data anytime in JSON, CSV, or PDF from the dashboard.

  • Daily scans: 3 scans / day
  • Max scan duration: 30 minutes
  • Concurrent scans: 1 at a time
  • Target scope: Single domain per scan
  • Storage: 100 GB scan history
  • Tools available: All 14+ tools
Accounts that abuse free resources (e.g. mass automated scanning of targets you don't own) may be suspended. Legitimate learning and testing is always welcome.

We share the minimum necessary with trusted providers who help us operate.

  • AWS — Hosting
  • SendGrid — Email
  • Google Analytics — Aggregated metrics
  • GitHub / GitLab — If you authorize
  • Intercom — Support

All providers are contractually required to protect your data and use it only for the specified purpose. We may disclose data to authorities when required by law — and we'll notify you when legally permitted to do so.

  • Account deleted: Credentials removed immediately
  • Scan results: Deleted within 7 days
  • Backups: Purged within 30 days
  • Anonymized analytics: Up to 90 days
  • Security logs: Up to 1 year (abuse prevention)
Heads up: Download your data before deleting your account — deletion is permanent.
  • View and download all your account data anytime
  • Edit or correct your account information in settings
  • Request full data export in portable format (within 30 days)
  • Delete your account and all associated data permanently
  • Unsubscribe from non-essential emails at any time
  • Opt out of analytics via browser "Do Not Track" or account settings
  • File a complaint with your local data protection authority
  • In Transit: HTTPS / TLS 256-bit encryption on all connections
  • At Rest: AES-256 for sensitive data, bcrypt for passwords
  • Access: Role-based controls, MFA available, session timeouts
  • Monitoring: 24/7 intrusion detection, WAF, DDoS protection on AWS

If we detect a breach, we notify you within 48 hours with details and protective steps.

Questions about your data? We respond to all privacy requests within 7 business days, security issues within 24 hours.

  • Privacy: privacy@auto-offensive.com (within 7 business days)
  • DPO (GDPR): dpo@auto-offensive.com (within 72 hours)
  • Security: security@auto-offensive.com (within 24 hours)

Privacy Policy v2.0 · March 2026
Free Platform · Open Source Friendly