Privacy Policy
Last updated: TODO: insert effective date
1. Who We Are (Data Controller)
TODO: Legal entity name and registered address (“Vigil”, “we”, “us”) is the data controller for personal data processed through the Vigil attack surface management platform (“the Service”).
TODO: Confirm registered company name, number, registered address, and country of incorporation. If you process data of EU/EEA residents and are not established in the EU, identify your EU representative (Art. 27 GDPR).
Contact our privacy team: privacy@vigil.security
2. Data We Collect
2.1 Account and Identity Data
- Email address (used for authentication via magic link)
- Organisation name
- Role within your organisation (admin or member)
- Invitation metadata (inviter name, timestamp)
2.2 Billing Data
- Subscription plan and status
- Stripe customer ID (payment card data is held solely by Stripe)
- Billing event history (invoice paid, payment failed, etc.)
2.3 Domain and Scan Data
- Domain names you add to the Service
- DNS verification tokens and verification history
- Scan results (subdomains, DNS records, certificates, security findings)
- Scan scheduling configuration
2.4 Usage and Technical Data
- API call counts, token usage, and associated costs
- Scan job metadata (start time, duration, phase outcomes)
- Activity log entries (scans triggered, domains added, members invited)
- TODO: Confirm whether IP addresses, user-agent strings, or session identifiers are logged, and for how long.
2.5 Communications Data
- Email addresses used to send transactional emails (magic links, invitations, alerts)
- Email delivery metadata (sent/failed status)
3. How We Use Your Data (Lawful Bases — GDPR Art. 6)
We process your personal data on the following lawful bases:
| Purpose | Data categories | Lawful basis |
|---|---|---|
| Providing and operating the Service | Account, domain, scan, usage data | Contract (Art. 6(1)(b)) |
| Authentication (magic link emails) | Email address | Contract (Art. 6(1)(b)) |
| Billing and subscription management | Account, billing data | Contract (Art. 6(1)(b)) |
| Transactional notifications (payment alerts, domain alerts) | Email address, billing/domain status | Contract (Art. 6(1)(b)) |
| Legal compliance (fraud prevention, tax records) | Account, billing data | Legal obligation (Art. 6(1)(c)) |
| Service improvement and analytics | Usage and technical data (aggregated) | TODO: Confirm basis — legitimate interests (Art. 6(1)(f)) or consent (Art. 6(1)(a)). Conduct LIA if using legitimate interests. |
| Marketing communications | Email address | TODO: Confirm basis — consent (Art. 6(1)(a)) with opt-in mechanism, or legitimate interests for existing customers (soft opt-in). Document consent records. |
4. Data Retention
TODO: Define specific retention periods for each data category. Example structure (to be confirmed by legal review):
- Account data: Duration of account + [TODO: X months] after deletion for legal/fraud prevention purposes
- Scan results: [TODO: X months] from scan date, or until account deletion, whichever is sooner
- Billing records: [TODO: 7 years] for tax compliance
- Activity logs: [TODO: X months] rolling window
- Usage events: [TODO: X months] for billing reconciliation
When data is deleted, it is removed from active databases. Backups are purged on a rolling schedule of TODO: specify backup retention window.
5. Data Sharing and Sub-Processors
We share data only as necessary to provide the Service. Our current sub-processors include:
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Stripe | Payment processing | USA | SCCs / TODO: confirm |
| Google (Gemini API) | AI-assisted security analysis (paid tier) | TODO: confirm data region | TODO: confirm transfer mechanism |
| TODO: Firecrawl / hosting | Web crawling for scan data | TODO | TODO |
| TODO: Hosting provider (e.g. AWS, GCP) | Infrastructure and data storage | TODO: confirm region | TODO: confirm transfer mechanism |
| TODO: SMTP provider | Transactional email delivery | TODO | TODO |
We do not sell your personal data to third parties. We do not use your scan data to train AI models.
TODO: Execute Data Processing Agreements (DPAs) with all sub-processors before launch. Maintain and publish a complete sub-processor list with a notification mechanism for changes (GDPR Art. 28).
6. International Data Transfers
TODO: If any processing occurs outside the EEA/UK, document the transfer mechanism for each: adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs). Conduct Transfer Impact Assessments (TIAs) where required.
7. Your Rights (GDPR Chapter III)
Depending on your location, you may have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate data.
- Right to erasure / “right to be forgotten” (Art. 17): Request deletion of your data where we have no overriding legal obligation to retain it.
- Right to restriction of processing (Art. 18): Request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making (Art. 22): TODO: Confirm whether any fully automated decisions with legal effect are made (e.g., automated subscription suspension). If so, document the safeguards.
To exercise any of these rights, email privacy@vigil.security. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
TODO: Build a Data Subject Request (DSR) workflow to handle access, erasure, and portability requests within the statutory timeframe. Document the internal process.
8. Cookies and Tracking
TODO: Audit all cookies and local storage used by the Service (session tokens, CSRF tokens, analytics). Classify them as strictly necessary, functional, analytics, or marketing. Implement a cookie consent banner for non-essential cookies. Create a full cookie notice.
At present, the Service uses session cookies for authentication and CSRF protection only. No third-party advertising cookies are used.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption at rest and in transit (TLS 1.2+)
- Role-based access controls with organisation-level data isolation
- CSRF protection on all state-changing endpoints
- SSRF protection on all outbound network requests
- Regular security scanning of the platform itself
TODO: Add any additional certifications (ISO 27001, SOC 2, etc.) once obtained. Define the breach notification procedure (GDPR Art. 33/34 — 72-hour supervisory authority notification, data subject notification where high risk).
10. Children's Privacy
The Service is not directed at children under 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@vigil.security.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the Service at least 30 days before the changes take effect. Your continued use after the effective date constitutes acceptance.
12. Contact and Data Protection Officer
TODO: Determine whether a DPO must be appointed under Art. 37 GDPR (required if you process personal data on a large scale or process special categories of data). If required, name the DPO here and register them with the relevant supervisory authority.
For privacy enquiries: privacy@vigil.security
TODO: Add registered postal address for formal data protection correspondence.