Privacy Policy
Last updated: January 2026
Secure7 Innovations Sp. z o.o.
ul. Erazma Ciołka 17/304
01-445 Warszawa, Poland
REGON: 386901920
EU VAT: PL5272935084
Email: contact@secure7.io
1. Information We Collect
Account Information
When you create an account, we collect:
- Email address - for account identification and communications
- Name - for personalization
- Password - stored as a secure hash, never in plain text
- MFA secrets - encrypted, for two-factor authentication
Scan Configuration Data
When you run security scans, we process:
- Target information - IP addresses, hostnames, URLs you choose to scan
- Scan parameters - configuration options you select
- VPN configurations - if provided, encrypted at rest
Scan Results
Security scan outputs may include:
- Discovered services and ports
- Vulnerability findings
- Security recommendations
- Technical metadata about scanned systems
Transaction Data
- Token balance - your credit balance for running scans
- Transaction history - purchases, scan costs, refunds
- Payment information - processed by Stripe, we never store card details
Usage Information
- Login timestamps and IP addresses
- Session information
- Feature usage patterns (with consent for analytics)
2. How We Use Your Information
Service Provision
- Execute security scans you request
- Generate and deliver scan reports
- Manage your token balance and transactions
- Provide customer support
Security & Compliance
- Prevent unauthorized access to your account
- Detect and prevent abuse of our services
- Maintain audit logs for compliance
- Investigate security incidents
Service Improvement
With your consent, we may use anonymized, aggregated data to:
- Improve scan accuracy and performance
- Develop new features
- Generate industry security insights (never identifiable)
2a. Legal Basis for Processing (GDPR)
Contract Performance (Article 6.1.b)
- Account management
- Scan execution and delivery
- Token and payment processing
- Customer support
Consent (Article 6.1.a)
- Analytics cookies
- Marketing communications
- Optional integrations
Legitimate Interest (Article 6.1.f)
- Security monitoring
- Fraud prevention
- Service improvements
Legal Obligation (Article 6.1.c)
- Financial record keeping
- Data subject rights fulfillment
- Law enforcement requests
3. Information Sharing
We do not sell your personal data. We share information only with:
Service Providers (Sub-Processors)
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| OVH | Server hosting | Poland (EU) | EU data residency |
| Stripe | Payment processing | USA | PCI-DSS, SCCs |
| Google | Analytics (with consent) | USA | Google SCCs |
Legal Requirements
We may disclose information if required by law or to:
- Comply with legal process
- Protect our rights and safety
- Prevent fraud or security threats
4. International Data Transfers
Your data is primarily stored in the European Union (Poland). When we transfer data to third-party providers outside the EU (such as Stripe for payments), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) - EU-approved contractual protections
- Data Processing Agreements (DPAs) - with all sub-processors
- Encryption - data encrypted in transit and at rest
5. Data Security
We implement comprehensive security measures:
Technical Measures
- Encryption in transit - TLS 1.3 for all connections
- Encryption at rest - AES-256-GCM for sensitive data
- Secure password storage - PBKDF2 with unique salts
- Container isolation - each scan runs in an isolated environment
- Rate limiting - protection against abuse
Organizational Measures
- Access controls and authentication
- Security audit logging
- Regular security reviews
- Incident response procedures
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30-day grace period |
| Scan results | Based on your selected retention (one-time, 1 day, or 7 days) |
| Transaction records | 7 years (legal requirement) |
| Audit logs | 7 days routine, 7 years for security incidents |
| Login attempts | 90 days |
| Sessions | 24 hours maximum |
7. Your Rights (GDPR)
Under GDPR, you have the following rights:
Right to Access
View all your data through your account dashboard or request a copy.
Right to Rectification
Update or correct your personal information at any time.
Right to Erasure
Delete your account and all associated data (30-day grace period).
Right to Data Portability
Export your data in a machine-readable JSON format.
Right to Object
Object to processing based on legitimate interest.
Right to Restrict Processing
Request limitation of how we process your data.
How to exercise your rights:
Use the in-app controls in your Account Settings, or contact us at contact@secure7.io.
Right to lodge a complaint:
You have the right to lodge a complaint with the Polish supervisory authority:
UODO - Urząd Ochrony Danych Osobowych
8. Cookies
Essential Cookies (Always Active)
Required for the website to function:
- Authentication cookie - keeps you logged in
- Anti-forgery cookie - protects against CSRF attacks
- Cookie consent - remembers your cookie preferences
Analytics Cookies (Optional)
With your consent, we use:
- Google Analytics - helps us understand how the site is used
You can change your cookie preferences at any time using the cookie settings in the footer.
9. Children's Privacy
Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we may also send you an email notification.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Email: contact@secure7.io
Response time: Within 30 days for GDPR requests