Privacy Policy

Last updated: December 19, 2025

1. Introduction

PentestMate ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at pentestmate.com and our penetration testing services (collectively, the "Service").

By using our Service, you consent to the data practices described in this Privacy Policy. If you do not agree with the practices described herein, please do not use our Service.

2. Information We Collect

2.1 Personal Information

We collect personal information that you voluntarily provide when using our Service, including:

  • Account Information: Email address, name, and password when you create an account;
  • Payment Information: Billing address and payment details (processed securely through Stripe);
  • Domain Information: Domain names and DNS records you submit for verification and testing;
  • Communication Data: Information you provide when contacting our support team.

2.2 Automatically Collected Information

When you access our Service, we automatically collect certain information, including:

  • Device Information: Browser type, operating system, device identifiers;
  • Usage Data: Pages visited, features used, time spent on the Service;
  • Log Data: IP address, access times, referring URLs;
  • Cookies: Session and authentication cookies for functionality.

2.3 Security Testing Data

During penetration testing, our Service may collect:

  • Technical information about your systems, servers, and applications;
  • Vulnerability scan results and security findings;
  • Network configuration data discovered during testing;
  • Response data from your systems during automated scans.

Important: We do not intentionally collect or store sensitive personal data (such as credit card numbers, passwords, or personal health information) discovered during security testing. Our tools are designed to identify vulnerabilities, not exfiltrate data.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our Service;
  • Verify domain ownership before conducting penetration tests;
  • Generate security reports and vulnerability assessments;
  • Process payments and manage subscriptions;
  • Send transactional emails (account verification, password resets, test notifications);
  • Provide customer support and respond to inquiries;
  • Analyze usage patterns to improve user experience;
  • Detect, prevent, and address fraud, abuse, or security issues;
  • Comply with legal obligations.

4. Information Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

4.1 Service Providers

We share information with third-party service providers who assist in operating our Service:

  • Stripe: Payment processing and subscription management;
  • MongoDB Atlas: Database hosting and storage;
  • Fly.io: Cloud infrastructure for running security scans;
  • Resend: Transactional email delivery;
  • NextAuth.js: Authentication services.

4.2 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change.

4.4 With Your Consent

We may share your information for other purposes with your explicit consent.

5. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption of data in transit (TLS/SSL) and at rest;
  • Secure authentication mechanisms;
  • Regular security assessments of our own infrastructure;
  • Access controls and employee training;
  • Secure deletion of data when no longer needed.

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Data Retention

We retain your information for as long as necessary to provide our Service and fulfill the purposes described in this Privacy Policy:

  • Account Data: Retained while your account is active and for a reasonable period after closure;
  • Security Reports: Retained for 12 months or as specified in your subscription plan;
  • Payment Records: Retained as required for tax and legal compliance (typically 7 years);
  • Log Data: Automatically deleted after 90 days.

You may request deletion of your data by contacting us at founders@updates.pentestmate.com.

7. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you;
  • Correction: Request correction of inaccurate or incomplete information;
  • Deletion: Request deletion of your personal information;
  • Portability: Request your data in a structured, machine-readable format;
  • Objection: Object to processing of your personal information;
  • Restriction: Request restriction of processing in certain circumstances;
  • Withdrawal: Withdraw consent where processing is based on consent.

To exercise these rights, please contact us at founders@updates.pentestmate.com. We will respond to your request within 30 days.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Maintain your session and authentication status;
  • Remember your preferences;
  • Analyze usage of our Service;
  • Improve performance and user experience.

You can control cookies through your browser settings. However, disabling cookies may affect the functionality of our Service.

9. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review the privacy policies of any third-party sites you visit.

10. Children's Privacy

Our Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child, we will take steps to delete that information.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your own. These countries may have different data protection laws. By using our Service, you consent to the transfer of your information to the United States and other countries where our servers and service providers are located.

12. European Users (GDPR)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR). The legal bases for processing your data include:

  • Contract: Processing necessary to provide the Service you requested;
  • Legitimate Interest: Processing for our legitimate business purposes;
  • Consent: Processing based on your consent, which you may withdraw;
  • Legal Obligation: Processing required by law.

You may lodge a complaint with your local supervisory authority if you believe your rights have been violated.

13. California Users (CCPA)

California residents have specific rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information we collect and how it's used;
  • Right to delete personal information we hold;
  • Right to opt out of the sale of personal information (we do not sell your data);
  • Right to non-discrimination for exercising your privacy rights.

To exercise these rights, contact us at founders@updates.pentestmate.com.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

PentestMate
Email: founders@updates.pentestmate.com
Website: pentestmate.com

We will respond to your inquiry within 30 days.