Privacy Policy
Last updated: March 2026
1. Data Controller
The controller of your personal data is:
Penterep Security s.r.o.
Registered in the Czech Republic under IČO 17749433
Registered office: Ševčenkova 570/4, 642 00 Brno, CZ
Email: privacy@apviso.com
For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Czech data protection legislation (Act No. 110/2019 Coll.), we are the data controller for the personal data described in this policy, except where we process personal data on your behalf as a data processor (see Section 9).
2. Information We Collect
2.1 Data Categories and Legal Basis
The following table summarizes the personal data we collect, our legal basis for processing, and how long we retain it:
| Data Category | What We Collect | Legal Basis (GDPR Art. 6) | Retention Period |
|---|---|---|---|
| Account Data | Name, email address, company name, job title | Contract performance (Art. 6(1)(b)) | Duration of account + 30 days |
| Billing Data | Payment method (via Stripe), billing address, invoices | Contract performance (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)) | Duration of account + 10 years (tax law) |
| Scan Configuration | Target domains, IP addresses, scan parameters | Contract performance (Art. 6(1)(b)) | Duration of subscription |
| Scan Results | Vulnerability reports, findings, evidence, severity ratings | Contract performance (Art. 6(1)(b)) | Duration of subscription + 30-day export window |
| Technical Data | IP address, browser type, device info, access logs | Legitimate interest (Art. 6(1)(f)) | 90 days |
| Usage Analytics | Feature usage, scan frequency, platform interactions | Legitimate interest (Art. 6(1)(f)) | 26 months (anonymized after 26 months) |
| Communications | Support tickets, emails, feedback | Contract performance (Art. 6(1)(b)), legitimate interest (Art. 6(1)(f)) | Duration of account + 12 months |
2.2 Data We Do Not Collect
We do not process credit card numbers or bank account details directly. All payment processing is handled by Stripe, which acts as an independent controller for payment data. We do not knowingly collect personal data from individuals under the age of 16.
2.3 Personal Data Discovered During Scans
During security testing, our AI Agents may encounter personal data exposed on your Targets (for example, leaked credentials, personally identifiable information in error messages, or exposed database records). This data is included in Scan Results solely for the purpose of reporting the vulnerability to you. We process such data as a data processor on your behalf, subject to our Data Processing Agreement. We do not use incidentally discovered personal data for any other purpose.
3. How We Use Your Information
We use your personal data for the following purposes:
- Providing the Service: Creating and managing your account, running Scans, generating reports, and delivering Scan Results.
- Billing and payments: Processing Subscription payments, sending invoices, and managing billing inquiries.
- Communications: Sending scan notifications, service updates, security alerts, and responding to your support requests.
- Service improvement: Analyzing usage patterns to improve platform performance, features, and user experience. Where we use analytics for this purpose, we rely on our legitimate interest in improving our Service.
- AI model improvement: Using anonymized and aggregated scan data to train and improve our AI models. This data cannot be used to identify you, your organization, or your Targets. You may opt out of this use by contacting us (see Section 12).
- Security and fraud prevention: Monitoring for unauthorized access, abuse of the Service, and maintaining the security of our platform.
- Legal compliance: Meeting our obligations under applicable law, including tax and accounting requirements.
We do not sell your personal data to third parties. We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.
4. Who We Share Your Data With
We share your personal data only with the following categories of recipients, and only to the extent necessary for the stated purposes:
- Cloud infrastructure provider: OVHcloud — hosting and computing infrastructure for the Service. Data location: EU (Gravelines, France).
- Payment processor: Stripe — Subscription payment processing. Acts as an independent controller for payment data.
- Email service provider: Resend — transactional emails (scan notifications, account communications).
- Analytics provider: Fathom Analytics — privacy-focused, anonymized usage analytics. EU-isolated data processing.
- Professional advisors: Legal counsel, accountants, and auditors, as required, subject to professional confidentiality obligations.
- Law enforcement: If required by law, court order, or valid legal process, or if we believe in good faith that disclosure is necessary to protect the rights, safety, or property of APVISO, our users, or the public.
A current list of our sub-processors is maintained at our Sub-Processors page and updated at least 30 days before any new sub-processor is engaged. You may subscribe to notifications of sub-processor changes.
5. International Data Transfers
All personal data is processed and stored exclusively within the European Economic Area (EEA). We do not transfer personal data outside the EEA.
6. Data Security
We implement technical and organizational measures appropriate to the risk to protect your personal data, including:
- Encryption of all data at rest using AES-256 encryption
- Encryption of all data in transit using TLS 1.2 or higher
- Isolated container execution for each Scan, with containers destroyed upon completion
- Role-based access controls with least-privilege principles
- Multi-factor authentication for administrative access
- Regular security audits and vulnerability assessments of our own infrastructure
- Incident response procedures with defined escalation paths
- Employee security awareness training
7. Data Retention
7.1 General Retention Principles
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Specific retention periods are set out in the table in Section 2.1.
7.2 Account Deletion
Upon account deletion (whether initiated by you or as a result of Subscription termination):
- Scan Results and scan configuration data are available for export for 30 days, then permanently deleted.
- Account data (name, email) is deleted within 30 days.
- Billing records are retained for up to 10 years as required by Czech tax law (Act No. 563/1991 Coll. on Accounting).
- Technical logs containing your IP address are retained for up to 90 days for security purposes, then deleted.
- Data in encrypted backups may persist for up to 60 days after deletion from primary systems due to backup rotation schedules. Backups are encrypted and access-controlled, and data is not restored from backups after deletion.
7.3 Anonymized Data
Anonymized and aggregated data that cannot be used to identify you may be retained indefinitely for research, benchmarking, and AI model improvement purposes.
8. Cookies and Tracking Technologies
8.1 Essential Cookies
We use strictly necessary cookies for authentication, session management, and security (e.g., CSRF protection). These cookies are required for the Service to function and cannot be disabled. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) and exemption under the ePrivacy Directive for strictly necessary cookies.
8.2 Analytics Cookies
We use analytics cookies to understand how the Service is used and to improve our platform. Analytics cookies are only placed with your explicit consent, which you can provide or withdraw through our cookie consent banner at any time.
8.3 No Advertising Cookies
We do not use advertising or tracking cookies, and we do not participate in any ad networks or cross-site tracking.
8.4 Managing Cookies
You can manage your cookie preferences through our cookie consent banner, accessible at any time via the cookie settings link in the Service footer. You can also configure your browser to block or delete cookies, though this may affect the functionality of the Service.
9. Data Processing on Your Behalf
When we process personal data that resides on or is discovered through your Targets during Scans, we act as a data processor on your behalf. This processing is governed by our Data Processing Agreement (DPA), which is available upon request and addresses:
- The subject matter, duration, nature, and purpose of processing
- The types of personal data and categories of data subjects
- Your instructions regarding processing
- Confidentiality obligations of our personnel
- Technical and organizational security measures
- Sub-processor engagement and management
- Assistance with data subject rights requests
- Data breach notification (within 48 hours of becoming aware)
- Data return and deletion upon termination
- Audit rights
10. Your Rights Under GDPR
As a data subject, you have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@apviso.com. We will respond to your request without undue delay and in any event within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.
- Right of access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and, if so, to access that data along with information about how it is processed.
- Right to rectification (Art. 16): You have the right to have inaccurate personal data corrected and incomplete data completed.
- Right to erasure (Art. 17): You have the right to request deletion of your personal data, subject to applicable legal retention requirements.
- Right to restriction (Art. 18): You have the right to request restriction of processing in certain circumstances, such as while we verify the accuracy of your data or assess an objection.
- Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller. You can export your Scan Results at any time through the Service dashboard.
- Right to object (Art. 21): You have the right to object to processing based on our legitimate interests (including analytics and AI model improvement). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent (Art. 7(3)): Where processing is based on your consent (such as analytics cookies), you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
- Right not to be subject to automated decision-making (Art. 22): We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you. Scan Results are informational outputs, not automated decisions about you as a data subject.
10.1 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The competent authority for APVISO is:
Úřad pro ochranu osobních údajů (UOOU)
Pplk. Sochora 27
170 00 Praha 7
Czech Republic
www.uoou.cz
You may also lodge a complaint with the supervisory authority in the EU/EEA member state of your habitual residence or place of work.
11. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe we may have collected data from a child, please contact us at privacy@apviso.com.
12. Contact
For all privacy-related questions, data subject rights requests, or to exercise your right to opt out of aggregated data use for AI model improvement:
- Email: privacy@apviso.com
- Postal address: Penterep Security s.r.o., Ševčenkova 570/4, 642 00 Brno, CZ
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the competent supervisory authority (UOOU) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
- Document the breach, its effects, and remedial actions taken
If we are acting as a data processor on your behalf and become aware of a breach affecting your data, we will notify you within 48 hours in accordance with our DPA.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by: (a) sending an email to your registered address at least 30 days before the changes take effect; and (b) posting a notice on the Service. We encourage you to review this policy periodically. The "Last updated" date at the top of this policy indicates when it was most recently revised.
This Privacy Policy was last updated in March 2026. Prior versions are available upon request.