EdgeBreach Privacy Policy

EdgeBreach protects your information with the same rigor we bring to security testing

Last updated: February 12, 2026

How we handle your information

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Name
  • Email address
  • Company name (optional)
  • Billing information (processed by our payment provider)
  • Password (stored in hashed form)

1.2 Target and Scan Information

When you use the Service to test targets, we collect:

  • Target URLs, IP addresses, and domain information
  • Scan configurations and settings
  • Authentication credentials you provide for authenticated testing (encrypted at rest)

1.3 Scan Results and Findings

The Service generates and stores:

  • Discovered vulnerabilities and security findings
  • Evidence artifacts (screenshots, HTTP request/response data, proof of exploitation)
  • Reports and remediation guidance
  • Attack chain information

1.4 Source Code (White-Box Testing)

If you use our white-box testing feature:

  • Source code is uploaded and processed in memory only
  • Source code is NOT stored on our systems
  • Source code is NOT used to train our AI models
  • Processing occurs in isolated, ephemeral environments that are destroyed after analysis

1.5 Usage Information

We automatically collect:

  • Log data (IP addresses, browser type, pages visited, timestamps)
  • Device information
  • Feature usage and interaction data
  • Error reports and performance data

1.6 Cookies and Tracking Technologies

We use cookies and similar technologies for:

  • Authentication and session management
  • Remembering your preferences
  • Analytics and service improvement
  • Security (fraud detection, abuse prevention)

2. How We Use Your Information

2.1 Providing the Service

We use your information to:

  • Create and manage your account
  • Perform security scans on your authorized targets
  • Generate findings, evidence, and reports
  • Provide customer support
  • Process payments

2.2 Improving the Service

We use information to:

  • Analyze usage patterns and improve features
  • Debug and fix issues
  • Develop new capabilities

2.3 AI Model Training — Important Disclosure

We use certain anonymized scan data to improve our AI security models.

What we DO use for training:

  • Anonymized successful attack patterns and techniques
  • Anonymized vulnerability patterns and indicators
  • Generalized information about vulnerability types and attack chains

What we DO NOT use for training:

  • Your source code (never stored, never used for training)
  • Identifiable target information (URLs, IP addresses, domain names)
  • Your credentials or authentication data
  • Any data that could identify you or your organization
  • Evidence artifacts containing sensitive data

How we anonymize data:

  • All target-specific identifiers are stripped
  • Data is aggregated across multiple sources
  • Technical patterns are extracted without context
  • No individual customer's data can be reconstructed

This training data helps EdgeBreach detect new vulnerability patterns and improve attack chain discovery for all customers.

2.4 Communications

We may use your email to:

  • Send service-related notices (scan completions, account changes)
  • Respond to your inquiries
  • Send product updates and announcements (you can opt out)
  • Provide security alerts related to your scans

2.5 Legal and Safety

We may use your information to:

  • Comply with legal obligations
  • Enforce our Terms of Service
  • Protect against fraud and abuse
  • Respond to legal requests

3. Information Sharing

3.1 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

3.2 Service Providers

We share information with service providers who help us operate the Service, including:

  • Cloud infrastructure (AWS, GCP — US regions only)
  • Payment processing (Stripe)
  • Email delivery services
  • Analytics services
  • Customer support tools

All service providers are contractually obligated to protect your information.

3.3 Legal Requirements

We may disclose information if required by law, legal process, or government request. We will notify you of such requests unless prohibited by law.

3.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change and your options.

3.5 With Your Consent

We may share information in other circumstances with your explicit consent.

4. Data Retention

4.1 Active Subscription Retention

While your subscription is active:

Data Type - Retention Period
Account information - Duration of account
Scan configurations - Duration of subscription
Findings and vulnerabilities - Duration of subscription
Evidence artifacts (screenshots, HTTP captures) - 12 months rolling, then deleted
Reports - Duration of subscription
Usage logs - 12 months

4.2 After Subscription Ends

When your subscription terminates:

  • You have 30 days to export your data
  • We send reminders at termination, 7 days, and 14 days before deletion
  • After 30 days, all Customer Data is deleted
  • Anonymized, aggregated data (used for AI training) is retained indefinitely

4.3 Free Trial Data

If you do not convert to a paid subscription:

  • Trial data is retained for 30 days after trial expiration
  • After 30 days, all data is deleted

4.4 Account Deletion

You may request deletion of your account at any time by contacting us. Upon deletion:

  • Account information is deleted within 30 days
  • Scan data follows the post-termination policy above
  • Some information may be retained for legal compliance (e.g., billing records)

5. Data Security

5.1 Security Measures

We implement industry-standard security measures including:

  • Encryption in transit (TLS 1.2+)
  • Encryption at rest (AES-256)
  • Access controls and authentication
  • Regular security assessments
  • Employee security training

5.2 Source Code Security

For white-box testing:

  • Source code is processed in isolated, ephemeral environments
  • Code exists in memory only during analysis
  • Environments are destroyed immediately after processing
  • No persistent storage of source code

5.3 Credential Handling

If you provide credentials for authenticated testing:

  • Credentials are encrypted at rest
  • Access is strictly limited
  • Credentials are deleted when the associated target is removed

5.4 Incident Response

In the event of a data breach affecting your personal information, we will:

  • Investigate and contain the breach
  • Notify affected users without undue delay
  • Notify regulators as required by law
  • Provide information about steps you can take

5.5 No Guarantee

While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security of your data.

6. Data Location and Transfer

6.1 Data Location

All Customer Data is stored and processed in the United States (AWS and/or GCP US regions).

6.2 International Users

If you access the Service from outside the United States, you consent to the transfer of your information to the United States. The United States may have different data protection laws than your jurisdiction.

7. Your Rights and Choices

7.1 Access and Portability

You can:

  • Access your account information through the Service
  • Export your scan data and reports at any time
  • Request a copy of your personal data

7.2 Correction

You can update your account information through the Service or by contacting us.

7.3 Deletion

You can:

  • Delete individual scan data through the Service
  • Request deletion of your account
  • Request deletion of specific personal information

Some data may be retained for legal compliance.

7.4 Opt-Out of Marketing

You can opt out of marketing emails by:

  • Clicking “unsubscribe” in any marketing email
  • Updating your communication preferences in account settings

Service-related communications (security alerts, account notices) are not optional.

7.5 Do Not Track

Our Service does not currently respond to “Do Not Track” browser signals.

8. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

8.1 Right to Know

You can request information about:

  • Categories of personal information collected
  • Sources of personal information
  • Business purposes for collection
  • Categories of third parties with whom we share
  • Specific pieces of personal information collected

8.2 Right to Delete

You can request deletion of your personal information, subject to certain exceptions.

8.3 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

8.4 Authorized Agents

You may designate an authorized agent to make requests on your behalf.

8.5 Contact for CCPA Requests

To exercise your CCPA rights, contact us at [EMAIL] or [PHONE].

9. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, you have additional rights under GDPR:

9.1 Legal Basis for Processing

We process your data based on:

  • Contract: To provide the Service you requested
  • Legitimate interests: To improve our services and prevent fraud
  • Consent: For marketing communications and AI training opt-in
  • Legal obligation: For compliance with applicable laws

9.2 Your Rights

You have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data (“right to be forgotten”)
  • Restrict processing
  • Data portability
  • Object to processing
  • Withdraw consent
  • Lodge a complaint with a supervisory authority

9.3 Data Transfers

Data transfers to the United States are conducted in compliance with applicable data protection laws, including use of Standard Contractual Clauses where required.

9.4 Contact

For GDPR inquiries, contact us at [EMAIL].

10. Children’s Privacy

The Service is not intended for children under 18. We do not knowingly collect information from children. If we learn we have collected information from a child, we will delete it.

11. Third-Party Links

The Service may contain links to third-party websites. We are not responsible for the privacy practices of those websites.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on our website
  • Sending an email to your registered address
  • Displaying a notice in the Service

Changes take effect 30 days after posting, unless we indicate otherwise or immediate changes are required by law.

13. Contact Us

For questions about this Privacy Policy or our privacy practices:

EdgeBreach, Inc.
5255 Winthrop Avenue, Suite 135
Indianapolis, IN 46220
Email: hello@EdgeBreach.com

14. Data Processing Agreement

For customers who require a Data Processing Agreement (DPA) for GDPR or other compliance purposes, please contact us at hello@EdgeBreach.com.