VectraGuard Security, Inc. ("VectraGuard," "we," "us," or "our") operates the VectraGuard vulnerability scanning platform ("Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By accessing or using VectraGuard, you agree to this Privacy Policy. If you do not agree with the terms of this policy, please do not access the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your name, email address, organization name, and password (stored as a bcrypt hash — we never store plaintext passwords). If you use single sign-on (SSO), we receive your identity from the SSO provider.
1.2 Scan Data
When you configure and run vulnerability scans, we process and store:
- Target information (IP addresses, domain names, URLs) that you provide
- Scan configurations and schedules you define
- Vulnerability findings, severity ratings, and remediation data generated by scan engines
- Risk assessments and health scores computed from scan results
Important: We only scan targets you explicitly authorize. Scan data is isolated per organization using row-level security (RLS) in our database — no organization can access another's data.
1.3 Usage Data
We automatically collect certain information when you access the Service, including:
- Browser type and version
- Operating system
- Pages visited and features used within VectraGuard
- Time and date of access
- IP address (for security and rate limiting)
1.4 Cookies and Tracking
We use cookies as described in our Cookie Policy. Necessary cookies (authentication, security) are always active. Analytics and marketing cookies are only set with your explicit consent.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: Run vulnerability scans, generate reports, compute risk assessments, and deliver notifications
- Authenticate and secure: Verify your identity, manage sessions, enforce access controls, and protect against unauthorized access
- Improve the platform: Analyze usage patterns to enhance features, fix bugs, and optimize performance (only with analytics consent)
- Communicate: Send scan completion notifications, security alerts, and service updates
- Comply with legal obligations: Maintain audit logs, respond to lawful requests, and meet regulatory requirements
3. Data Sharing and Disclosure
We do not sell your personal data. We may share information in the following circumstances:
- Within your organization: Team members in your organization can access shared scan data, reports, and vulnerability findings based on their assigned role (owner, admin, member)
- Service providers: We use third-party infrastructure providers (hosting, database, email delivery) who process data on our behalf under strict contractual obligations
- Legal compliance: We may disclose information if required by law, subpoena, or government request
- Business transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred as part of that transaction
We never share raw vulnerability findings or scan results with third parties for their own purposes.
4. Data Security
We implement industry-standard security measures to protect your data:
- All data in transit is encrypted via TLS 1.2+
- Data at rest is encrypted using AES-256
- Passwords are hashed using bcrypt with cost factor 12
- Authentication tokens use HttpOnly, Secure cookies with SameSite protection
- Row-level security (RLS) ensures strict multi-tenant data isolation
- API access can be scoped and rate-limited per key
- All administrative actions are logged in an immutable audit trail
5. Data Retention
We retain your account data for as long as your account is active. Scan results and vulnerability data are retained according to your organization's plan:
- Free plan: 30 days
- Pro plan: 1 year
- Enterprise plan: Configurable, up to unlimited retention
When you delete your account, we remove your personal data within 30 days. Anonymized, aggregated data may be retained for analytics purposes.
6. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data (subject to legal retention requirements)
- Portability: Request your data in a structured, machine-readable format (CSV export is available for scan data)
- Objection: Object to processing of your data for specific purposes
- Withdraw consent: Withdraw cookie consent at any time via the Cookie Preferences option
To exercise these rights, contact us at privacy@vectraguard.com. We will respond within 30 days.
7. International Data Transfers
Our servers are located in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. We ensure appropriate safeguards are in place for international transfers in compliance with applicable data protection laws.
8. Children's Privacy
VectraGuard is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also notify you via email or an in-app notification.
10. Contact Us
If you have questions or concerns about this Privacy Policy, contact us at:
VectraGuard Security, Inc.
Email: privacy@vectraguard.com
Data Protection Officer: dpo@vectraguard.com