Privacy Policy

Last updated: May 13, 2026

This policy explains what data we collect, why we collect it, how we use it, and the rights you have over it. We’ve tried to write it in plain English. If anything is unclear, email [email protected] and we’ll either clarify or change it.

1. Who We Are

Pentry.ai (“we,” “us”) provides automated security scanning. For GDPR purposes, we are the data controller for your account information and a data processor for the content of your scans.

2. Data We Collect

From you, directly

  • Account: email, name (optional), hashed password, OAuth profile (if you signed in via Google).
  • Billing: handled by Stripe — we never see your card numbers. We do store your Stripe customer ID, plan, and invoice metadata.
  • Scan targets: hostnames you add to your account.
  • Authentication sets: credentials you provide so we can scan authenticated areas. These are encrypted at rest with Fernet (AES-128 in CBC mode with an HMAC-SHA256 authentication tag).
  • Integration tokens: Slack webhooks, GitHub tokens, etc. — also encrypted at rest.

From your activity

  • Scan results: findings discovered against targets you authorize.
  • Usage: timestamps of logins, scan starts/completes, feature access.
  • Audit log: security-relevant actions (password change, key creation, integration setup).

From your device

  • IP address — used for rate-limiting, abuse detection, security alerts. Truncated for analytics.
  • Browser + OS — for compatibility and session safety (“new device” warnings).
  • Cookies — only the strictly necessary kind (auth session, theme preference). We don’t use third-party advertising cookies.

3. How We Use Data

  • Run the Service: scan your targets, generate reports, send notifications you’ve opted into.
  • Bill you: charge your subscription and produce invoices.
  • Protect the Service: detect abuse, rate-limit, alert you to suspicious sign-ins.
  • Improve the Service: anonymized + aggregated patterns from scans help us tune detection rules. We never use identifiable scan content for marketing or share it with third parties.
  • Communicate: transactional emails (account, billing, scan results, security alerts) and — only if you opt in — product updates.

4. Lawful Bases (GDPR)

  • Contract: account management, scan execution, billing.
  • Legitimate interest: fraud prevention, security, service improvement.
  • Consent: optional marketing emails, optional cookies.
  • Legal obligation: tax records, lawful disclosure requests.

5. Who We Share Data With

We use the following sub-processors. Each has access only to what their function requires:

  • Stripe (USA) — billing.
  • Resend (USA) — transactional email delivery.
  • Alias Robotics (Spain) — the alias1 model that produces AI-driven analyses. Scan inputs are sent to its API for inference only; we do not persist customer prompts with that API.
  • Cloudflare (USA / global) — DNS, edge caching, DDoS protection.
  • Hosting provider (Fly.io / Hetzner — current as of May 24, 2026) — infrastructure.
  • Google (USA) — if you use Sign in with Google.

We do not sell or rent your data. We don’t use it for advertising.

6. Where Data Lives

Servers are in the EU (Hetzner Falkenstein) by default. Stripe, Resend, Cloudflare and Google may process data in the United States. EU↔US transfers rely on Standard Contractual Clauses.

7. How Long We Keep It

  • Account data: as long as your account is active; on deletion it is anonymized, and remaining copies are purged within 30 days (see section 8).
  • Scan results: until you delete the target or your account.
  • Audit log: 12 months for compliance, then deleted.
  • Billing records: 7 years (a common statutory retention period for tax and accounting records).
  • Anonymized usage data: indefinitely.

8. Your Rights

You can, at any time:

  • Access your data — most of it is visible in your profile, the rest is available on request.
  • Correct your data — name updates from the profile page; for anything else, email us.
  • Delete your data — Profile → Danger Zone → Delete Account. Anonymization happens immediately; full purge within 30 days.
  • Export your data — CSV exports of scans + findings are in the dashboard. Full account export on request.
  • Object to processing — for non-essential use (e.g. anonymized analytics) you can opt out.
  • Withdraw consent — for any consent-based processing, anytime.
  • Lodge a complaint — with your local data-protection authority (EU/UK customers).

9. Security

We encrypt data in transit (TLS 1.3) and sensitive fields at rest (Fernet). Passwords are not stored or encrypted; we keep only a bcrypt hash. Production access is limited to founders and on-call engineers, and every access is audited. Detailed security disclosures: /security.

10. Children

The Service is not directed at children under 16. If we learn we’ve collected data from a minor without parental consent, we’ll delete it.

11. Changes

We’ll post material updates here and notify you by email at least 30 days before they take effect.

12. Contact

Privacy questions: [email protected]
Data Protection Officer: same address; put “DPO” on the first line of your message.