Privacy Policy

VulnCheck, Inc. Privacy Policy

Last updated: June 30th, 2026

We are "VulnCheck", a corporate group made up of VulnCheck, Inc. – a company incorporated and registered in the United States of America and headquartered at 6 Longfellow Road, Lexington, MA 02420, United States – and its affiliates.

At VulnCheck, your privacy is important to us. We believe in a responsible and proactive approach when dealing with your personal data.

This policy sets out how and why we collect, store, use and share personal data generally, our dedication to protect it, as well as your rights in relation to your personal data and details of how to contact us and supervisory authorities if you have a complaint.

For the purposes of data protection laws, the data "controller" is VulnCheck. This means that VulnCheck is responsible for deciding how we hold and use personal data about you.

This privacy policy applies to: (i) individuals who visit and use our website(s), app(s) and related services (together the "Site"), engage with us via our Site, social media accounts and/or in connection with any purchases, contracts or related matters; (ii) individuals we deal with in their business capacity, such as representatives of our customers or suppliers or investors; and (iii) individuals that apply for work with us ("you", "your").

It is important that you read this privacy policy together with any other privacy policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your personal data.

The types of personal data we collect

The personal data we process about you includes:

  • Identity Data: including your first name and surname.
  • Contact Data: including contact details such as your billing address, email address and telephone numbers.
  • Business Data: including the name of the organisation you represent, your position and department.
  • Transactional Data: including information about our business dealings, transactions and interactions with you.
  • Technical Data: including your IP address when you visit or engage with our Site or social media accounts.
  • Usage Data: including information about how you use or search our Site including any user preferences and notes.
  • Marketing and Communications Data: including your preferences in receiving marketing from us, your communication preferences and your language settings.
  • Survey Data: including data from surveys that we may, from time to time, run on the Site for research purposes, if you choose to respond to, or participate in, them.
  • Investor Data: including information related to your investments in VulnCheck.
  • Recruitment Data: including data related to your employment history and salary expectations for the purpose of considering and progressing your application to work for us.

How your personal data is collected

We collect most categories of personal data from you directly or when you use our Site or engage with us via social media. For example, if you submit a form through the "Request a Demo" or "Register to Watch" pages of our Site, we will collect personal data such as Identity Data, Contact Data and Business Data.

However, we may also collect your personal data from third parties, such as marketing companies where you are a prospective client of VulnCheck or, where you are applying for a job with us, from an employment agency, reference provider or background check provider, or sometimes we collect information that is available in the public domain such as from social media platforms (including LinkedIn).

Lawful basis for processing

We will only process your personal data where we have a lawful basis to do so. The lawful basis will depend on the purposes for which we have collected and use your personal data. In almost every case, the lawful basis will be one of the following:

  • Our legitimate business interests: Where we have a legitimate interest to use personal data regarding you in relation to the operation of our business.
  • Performance of an agreement with you (or in order to take steps prior to entering into an agreement with you): For example, (i) where you have provided your personal data in relation to applying for employment with us; (ii) where you have provided your personal data to receive details in relation to our services or products; and (iii) to administer and manage our relationship with our investors or prospective investors.
  • Compliance with the law: Where we are subject to a legal obligation and need to use your personal data in order to comply with that obligation.
  • Consent: Where you have given consent for us to process your personal data for a specific purpose.

The table below sets out each category of personal data we collect and the lawful basis for processing it.

Situations in which we process personal data

Purpose | Category of personal data | Lawful bases for processing
To respond to queries and fulfil your requests | Identity Data; Contact Data; Business Data; Transactional Data | Our legitimate interests for our business operations; Consent
To create and manage your account or other user profiles, if applicable | Identity Data; Contact Data; Business Data; Transactional Data; Technical Data; Usage Data; Marketing and Communications Data; Survey Data | Performance of an agreement with you; Our legitimate interests for our business operations
To enter into and fulfil the services for customers and deal with suppliers, for example by processing orders or other transactions | Identity Data; Contact Data; Business Data; Transactional Data; Marketing and Communications Data | Performance of an agreement with you; Our legitimate interests for our business operations
To facilitate use of our Site and social media accounts and to personalise Site content and communications based on your preferences | Identity Data; Contact Data; Business Data; Transactional Data; Technical Data; Usage Data; Marketing and Communications Data; Survey Data | Performance of an agreement with you; Our legitimate interests for our business operations
To manage, deliver and improve our Site and social media accounts, including testing, research, analysis and product development | Identity Data; Business Data; Transactional Data; Technical Data; Usage Data | Our legitimate interests for our business operations
To set and operate cookies and similar technologies on our Site | Technical Data; Usage Data | Consent; Our legitimate interests for our business operations
For direct marketing and to communicate with you about announcements, updates or offers | Identity Data; Contact Data; Business Data; Transactional Data; Marketing and Communications Data | Consent; Our legitimate interests for our business operations
To process your email address using tools which identify the organisation you work for | Contact Data; Business Data; Technical Data | Our legitimate interests for our business operations
To handle complaints and disputes | All data types | Our legitimate interests for our business operations
To comply with the law or law enforcement, enforce our legal rights and protect against fraudulent, illegal or harmful actions and maintain the safety, security and integrity of our Site, and to conduct audits | All data types | To comply with our legal obligations; Our legitimate interests for our business operations
To perform our day-to-day business operations including business development | All data types | Our legitimate interests for our business operations
To make service recommendations | Identity Data; Contact Data; Business Data; Transactional Data; Usage Data | Consent; Our legitimate interests for our business operations
To track and understand usage of our products and services | Identity Data; Contact Data; Business Data; Transactional Data; Technical Data; Usage Data | Our legitimate interests for our business operations
To administer and manage our relationships with our investors | Identity Data; Contact Data; Investor Data | Performance of an agreement with you; Our legitimate interests for our business operations
To consider your application for work with us and to allow you to participate in our recruitment processes | Identity Data; Contact Data; Recruitment Data | Our legitimate interests for our business operations

If you fail to provide personal data

Where we need to collect personal data about you, and you fail to provide that data when requested, we may not be able to fulfil our obligations to you.

How long we keep your personal data

We retain your information for as long as it is necessary for the purposes for which it was collected. This will usually not exceed one (1) year, and it is our policy to purge most customer data within 180 days after the end of our relationship.

We may retain personal data related to our investors and job applicants for longer where this is necessary to administer and keep a record of our relationship, although this will usually not exceed six (6) years after the end of our relationship or last contact with you.

Additionally, we retain personal data where we are required to do so under any legal, regulatory, accounting, finance, tax, reporting and insurance requirements, after which time it will be destroyed or de-identified when the information is no longer required for any purpose for which it may be used or disclosed by us and we are no longer required by law or regulation to retain the information. Please note that this will be assessed on a case-by-case basis.

After our agreement with you expires or terminates, or our relationship with you has otherwise ended, we may also store your information in an aggregated and anonymised format.

Sharing your personal data with third parties

We do not rent or sell your personal data to anyone.

We may share your personal data with our suppliers and other business partners, such as the supplier who hosts our Site. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. However, these third-party service providers may have their own privacy policies in respect of the information we are required to provide to them. For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal data will be handled by them.

Once you leave our Site, for example via a link, the processing of your personal data is no longer governed by this privacy policy.

We may disclose your personal data to other third parties in the following cases:

  • in the event that we sell any of our business or assets, in which case we may disclose your personal data to the prospective buyer of such business or assets;
  • if we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation or request; and
  • to protect the rights, property or safety of us or our users, or others, and in order to enforce or apply the terms of our contracts with customers (this includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction).

We may de-identify your personal data so that you are not identified as an individual and provide that information to our partners. We may also provide aggregate usage information to our partners (or allow partners to collect that information from you), who may use such information to understand how often and in what ways people use our Site, so that they, too, can provide you with an optimal online experience.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third parties to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Marketing

Where permitted by law or where we have asked for your consent, we may send you marketing materials which we believe may be of interest to you.

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. You may receive marketing communications from us if you have requested information from us or engaged with us and you have not opted out of receiving that marketing.

Third-party marketing: We are committed to protecting and respecting your personal data. We will not share your personal data with third parties for marketing purposes.

Opting out: You can ask us to stop sending you marketing messages at any time by contacting us via the contact details at section 15 of this privacy policy.

Cookies

You can find details on the cookies (and similar technologies) we use by accessing our cookie management tool here: Cookies.

Where we store your personal data

We keep your information in data centres within the US. For technical reasons, our application vendors may transfer your personal data internationally.

If we transfer your personal data internationally, we will take steps to ensure that appropriate safeguards are in place to protect your personal data and to make sure it is treated securely and in accordance with this privacy policy and data protection law. In such case, we rely on approved data transfer mechanisms; namely, the European Commission's "standard contractual clauses" or the "EU-US Data Privacy Framework" or the UK "International Data Transfer Agreement", "UK Addendum" or "UK Extension to the EU-US Data Privacy Framework" designed to ensure your Personal Data is subject to adequate safeguards in the recipient country. You may contact us for a copy of the safeguards which we have put in place to protect your personal data and privacy rights in these circumstances.

Keeping your information up to date

It is important that the personal data we hold about you is accurate and current. Please keep us informed if any of your personal information changes.

Your rights

VulnCheck takes your privacy seriously and wants you to be aware of your rights as follows:

  • Access: You can request: (i) confirmation of whether we process your personal data; and (ii) access to a copy of the personal data that we hold about you.
  • Correction: We want to make sure that your personal data is accurate and up to date. You may ask us to correct or complete information you think is inaccurate or incomplete.
  • Erasure: In certain situations, you have the right to have your personal data erased.
  • Object: In certain situations, you have the right to object to our processing of personal data regarding you.
  • Restrict processing: In certain situations, you have the right to restrict our processing of personal data regarding you.
  • Data portability: In certain situations, you can ask us to transfer your personal data to a third party, where technically feasible.
  • Withdrawing consent: Where the processing of your personal data is based on your consent, you can withdraw your consent at any time without impact to any data processing activities that have taken place before such withdrawal.
  • Automated processing: You have the right not to be subject to any decisions based solely on automated processing, including profiling, which have legal or other similarly significant effects on you unless we have your consent, it is authorised by law or it is necessary for the performance of an agreement.

Before we can respond to a request to exercise one or more of the rights listed above, you may be required to verify your identity or your account details. This is a security measure to ensure that these rights are only exercised by you. We may also contact you to ask you for further information in relation to your request to speed up our response.

Please contact us using the contact details in section 15 below if you would like to exercise any of your rights.

What rights do California residents have?

Separately from the above rights where applicable, if you are a California resident, you have the right to request certain information about our collection and use of your personal data over the past 12 months. In addition, you have the right to request that we delete the personal data that we have collected from you. This right is subject to certain exceptions: for example, we may need to retain your personal data to provide you with access to the Site or to complete a transaction or other action you have requested. If your deletion request is subject to one of these exceptions, we may deny your deletion request. Finally, you have the right to opt out of sales of your personal data, as sales are defined by applicable California law.

To exercise your access and/or deletion rights, please contact us using the contact details in section 15 below. We do not currently sell your personal data so there is no need to contact us to opt out of sales.

Under California Civil Code Sections 1798.83-1798.84, California residents may be entitled to ask us for a notice identifying the categories of personal data which we share with our affiliates and/or third parties for marketing purposes, and providing contact information for such affiliates and/or third parties. If you are a California resident and would like a copy of this notice, please contact us using the contact details in section 15 below.

What rights do Nevada residents have?

If you are a resident of Nevada, you have the right to opt out of the sale of certain personal data to third parties who intend to license or sell that personal data. You can exercise this right by contacting us using the contact details in section 15 below with the subject line "Nevada Do Not Sell Request" and providing us with your name and the email address associated with your account. Please note that we do not currently sell your personal data as sales are defined in Nevada Revised Statutes Chapter 603A.

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We take steps to ensure that your personal data is treated securely and in accordance with this policy. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your information transmitted via the internet; any transmission is at your own risk.

We have appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the rights and freedoms of you and other individuals. We maintain these technical and organisational measures and will amend them from time to time to improve the overall security of our systems.

In addition, we limit access to your personal data to those employees and other third parties who have a business need to know.

We may, from time to time, include links to and from the Site of our partner networks, advertisers and affiliates. If you follow a link to any of these sites, please note that these sites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any information to these sites.

Complaints

In the event that you wish to make a complaint about how we process your personal data, please contact us in the first instance using the contact details in section 15 below and we will deal with your request as soon as possible.

You also have the right to lodge complaints before the applicable data protection regulator as follows:

Changes to this policy

We keep our privacy policy under regular review and we will place any updates on this webpage. You should look at this policy regularly to check for any changes. We will generally notify you of any material changes to this privacy policy through a notice provided via the Site or otherwise supplied to you. Your continued engagement with us after the date of the updated policy constitutes your acceptance of the updated policy. If you do not agree to the updated policy, you must stop your engagement with us.

How to contact us

If you have any questions about this policy, how we use your personal data or your data privacy rights, please contact us at legal@vulncheck.com.

Alternatively, you may submit a written request to the address at the top of this privacy policy.