Privacy Policy

Last updated: 30 May 2026

This privacy policy explains how Hexora ("we", "us", "our") collects, uses, and protects your personal data when you use our vulnerability scanning service at hexora.uk. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. What data we collect

  • Account data: email address and hashed password.
  • Billing data: Stripe customer ID and subscription status. We do not store card details.
  • Scan data: target URLs, findings, severity levels, evidence, and timestamps.
  • Public scan data: target URL, results, and IP address for rate limiting.
  • Usage data: server logs including IP addresses and user agents.
  • Cookies: essential authentication tokens only. No advertising or tracking cookies.

2. How we use your data

We use your data to:

  • Provide the scanning service and manage your account and subscription
  • Process payments via Stripe
  • Enforce rate limits and detect and prevent abuse
  • Communicate about your account
  • Comply with legal obligations

We do not sell your personal data or share it with third parties for marketing.

3. Legal basis

  • Contract: processing account, scan, and billing data to provide the Service.
  • Legitimate interests: security monitoring, rate limiting, and abuse prevention.
  • Legal obligation: where required by law.

4. Third-party services

5. Data retention

  • Account data: retained while your account is active and deleted within 30 days of account deletion.
  • Scan data: retained while your account is active.
  • Public scans (no account): 30 days.
  • Server logs: 90 days.
  • Billing records: 7 years (UK tax law).

6. Your rights

Under UK GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. Contact hello@hexora.uk to exercise these rights. We respond within 30 days. You may also lodge a complaint with the ICO at ico.org.uk.

7. Security

We use HTTPS/TLS, encrypted database storage, hashed passwords, and access controls. No method of transmission or storage is completely secure.

8. International transfers

Data is processed on EU servers (Supabase) and may transit Cloudflare's global network. Appropriate safeguards are in place per UK GDPR.

9. Changes

We will notify you of material changes by email.

10. Contact

Privacy enquiries: hello@hexora.uk.