Last updated: June 30th, 2026
We are "VulnCheck", a corporate group made up of VulnCheck, Inc. – a company incorporated and registered in the United States of America and headquartered at 6 Longfellow Road, Lexington, MA 02420, United States – and its affiliates.
At VulnCheck, your privacy is important to us. We believe in a responsible and proactive approach when dealing with your personal data.
This policy sets out how and why we collect, store, use and share personal data generally, our dedication to protect it, as well as your rights in relation to your personal data and details of how to contact us and supervisory authorities if you have a complaint.
For the purposes of data protection laws, the data "controller" is VulnCheck. This means that VulnCheck is responsible for deciding how we hold and use personal data about you.
This privacy policy applies to: (i) individuals who visit and use our website(s), app(s) and related services (together the "Site"), engage with us via our Site, social media accounts and/or in connection with any purchases, contracts or related matters; (ii) individuals we deal with in their business capacity, such as representatives of our customers or suppliers or investors; and (iii) individuals that apply for work with us ("you", "your").
It is important that you read this privacy policy together with any other privacy policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your personal data.
The personal data we process about you includes:
We collect most categories of personal data from you directly or when you use our Site or engage with us via social media. For example, if you submit a form through the "Request a Demo" or "Register to Watch" pages of our Site, we will collect personal data such as Identity Data, Contact Data and Business Data.
However, we may also collect your personal data from third parties, such as marketing companies where you are a prospective client of VulnCheck or, where you are applying for a job with us, from an employment agency, reference provider or background check provider, or sometimes we collect information that is available in the public domain such as from social media platforms (including LinkedIn).
We will only process your personal data where we have a lawful basis to do so. The lawful basis will depend on the purposes for which we have collected and use your personal data. In almost every case, the lawful basis will be one of the following:
The table below sets out each category of personal data we collect and the lawful basis for processing it.
| Purpose | Category of personal data | Lawful bases for processing |
|---|---|---|
| To respond to queries and fulfil your requests | Identity Data; Contact Data; Business Data; Transactional Data | Our legitimate interests for our business operations; Consent |
| To create and manage your account or other user profiles, if applicable | Identity Data; Contact Data; Business Data; Transactional Data; Technical Data; Usage Data; Marketing and Communications Data; Survey Data | Performance of an agreement with you; Our legitimate interests for our business operations |
| To enter into and fulfil the services for customers and deal with suppliers, for example by processing orders or other transactions | Identity Data; Contact Data; Business Data; Transactional Data; Marketing and Communications Data | Performance of an agreement with you; Our legitimate interests for our business operations |
| To facilitate use of our Site and social media accounts and to personalise Site content and communications based on your preferences | Identity Data; Contact Data; Business Data; Transactional Data; Technical Data; Usage Data; Marketing and Communications Data; Survey Data | Performance of an agreement with you; Our legitimate interests for our business operations |
| To manage, deliver and improve our Site and social media accounts, including testing, research, analysis and product development | Identity Data; Business Data; Transactional Data; Technical Data; Usage Data | Our legitimate interests for our business operations |
| To set and operate cookies and similar technologies on our Site | Technical Data; Usage Data | Consent; Our legitimate interests for our business operations |
| For direct marketing and to communicate with you about announcements, updates or offers | Identity Data; Contact Data; Business Data; Transactional Data; Marketing and Communications Data | Consent; Our legitimate interests for our business operations |
| To process your email address using tools which identify the organisation you work for | Contact Data; Business Data; Technical Data | Our legitimate interests for our business operations |
| To handle complaints and disputes | All data types | Our legitimate interests for our business operations |
| To comply with the law or law enforcement, enforce our legal rights and protect against fraudulent, illegal or harmful actions and maintain the safety, security and integrity of our Site, and to conduct audits | All data types | To comply with our legal obligations; Our legitimate interests for our business operations |
| To perform our day-to-day business operations including business development | All data types | Our legitimate interests for our business operations |
| To make service recommendations | Identity Data; Contact Data; Business Data; Transactional Data; Usage Data | Consent; Our legitimate interests for our business operations |
| To track and understand usage of our products and services | Identity Data; Contact Data; Business Data; Transactional Data; Technical Data; Usage Data | Our legitimate interests for our business operations |
| To administer and manage our relationships with our investors | Identity Data; Contact Data; Investor Data | Performance of an agreement with you; Our legitimate interests for our business operations |
| To consider your application for work with us and to allow you to participate in our recruitment processes | Identity Data; Contact Data; Recruitment Data | Our legitimate interests for our business operations |
Where we need to collect personal data about you, and you fail to provide that data when requested, we may not be able to fulfil our obligations to you.
We retain your information for as long as it is necessary for the purposes for which it was collected. This will usually not exceed one (1) year, and it is our policy to purge most customer data within 180 days after the end of our relationship.
We may retain personal data related to our investors and job applicants for longer where this is necessary to administer and keep a record of our relationship, although this will usually not exceed six (6) years after the end of our relationship or last contact with you.
Additionally, we retain personal data where we are required to do so under any legal, regulatory, accounting, finance, tax, reporting and insurance requirements, after which time it will be destroyed or de-identified when the information is no longer required for any purpose for which it may be used or disclosed by us and we are no longer required by law or regulation to retain the information. Please note that this will be assessed on a case-by-case basis.
After our agreement with you expires or terminates, or our relationship with you has otherwise ended, we may also store your information in an aggregated and anonymised format.
We do not rent or sell your personal data to anyone.
We may share your personal data with our suppliers and other business partners, such as the supplier who hosts our Site. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. However, these third-party service providers may have their own privacy policies in respect of the information we are required to provide to them. For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal data will be handled by them.
Once you leave our Site, for example via a link, the processing of your personal data is no longer governed by this privacy policy.
We may disclose your personal data to other third parties in the following cases:
We may de-identify your personal data so that you are not identified as an individual and provide that information to our partners. We may also provide aggregate usage information to our partners (or allow partners to collect that information from you), who may use such information to understand how often and in what ways people use our Site, so that they, too, can provide you with an optimal online experience.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third parties to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Where permitted by law or where we have asked for your consent, we may send you marketing materials which we believe may be of interest to you.
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. You may receive marketing communications from us if you have requested information from us or engaged with us and you have not opted out of receiving that marketing.
Third-party marketing: We are committed to protecting and respecting your personal data. We will not share your personal data with third parties for marketing purposes.
Opting out: You can ask us to stop sending you marketing messages at any time by contacting us via the contact details at section 15 of this privacy policy.
You can find details on the cookies (and similar technologies) we use by accessing our cookie management tool here: Cookies.
We keep your information in data centres within the US. For technical reasons, our application vendors may transfer your personal data internationally.
If we transfer your personal data internationally, we will take steps to ensure that appropriate safeguards are in place to protect your personal data and to make sure it is treated securely and in accordance with this privacy policy and data protection law. In such cases, we rely on approved data transfer mechanisms; namely, the European Commission's "standard contractual clauses" or the "EU-US Data Privacy Framework" or the UK "International Data Transfer Agreement", "UK Addendum" or "UK Extension to the EU-US Data Privacy Framework" designed to ensure your Personal Data is subject to adequate safeguards in the recipient country. You may contact us for a copy of the safeguards which we have put in place to protect your personal data and privacy rights in these circumstances.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if any of your personal information changes.
VulnCheck takes your privacy seriously and wants you to be aware of your rights as follows:
Before we can respond to a request to exercise one or more of the rights listed above, you may be required to verify your identity or your account details. This is a security measure to ensure that these rights are only exercised by you. We may also contact you to ask you for further information in relation to your request to speed up our response.
Please contact us using the contact details in section 15 below if you would like to exercise any of your rights.
Separately from the above rights where applicable, if you are a California resident, you have the right to request certain information about our collection and use of your personal data over the past 12 months. In addition, you have the right to request that we delete the personal data that we have collected from you. This right is subject to certain exceptions: for example, we may need to retain your personal data to provide you with access to the Site or to complete a transaction or other action you have requested. If your deletion request is subject to one of these exceptions, we may deny your deletion request. Finally, you have the right to opt-out of sales of your personal data, as sales are defined by applicable California law.
To exercise your access and/or deletion rights, please contact us using the contact details in section 15 below. We do not currently sell your personal data so there is no need to contact us to opt out of sales.
Under California Civil Code Sections 1798.83-1798.84, California residents may be entitled to ask us for a notice identifying the categories of personal data which we share with our affiliates and/or third parties for marketing purposes, and providing contact information for such affiliates and/or third parties. If you are a California resident and would like a copy of this notice, please contact us using the contact details in section 15 below.
If you are a resident of Nevada, you have the right to opt-out of the sale of certain personal data to third parties who intend to license or sell that personal data. You can exercise this right by contacting us using the contact details in section 15 below with the subject line "Nevada Do Not Sell Request" and providing us with your name and the email address associated with your account. Please note that we do not currently sell your personal data as sales are defined in Nevada Revised Statutes Chapter 603A.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We take steps to ensure that your personal data is treated securely and in accordance with this policy. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your information transmitted via the internet; any transmission is at your own risk.
We have appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the rights and freedoms of you and other individuals. We maintain these technical and organisational measures and will amend them from time to time to improve the overall security of our systems.
In addition, we limit access to your personal data to those employees and other third parties who have a business need to know.
We may, from time to time, include links to and from the Site of our partner networks, advertisers and affiliates. If you follow a link to any of these sites, please note that these sites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any information to these sites.
In the event that you wish to make a complaint about how we process your personal data, please contact us in the first instance using the contact details in section 15 below and we will deal with your request as soon as possible.
You also have the right to lodge complaints before the applicable data protection regulator as follows:
We keep our privacy policy under regular review and we will place any updates on this webpage. You should look at this policy regularly to check for any changes. We will generally notify you of any material changes to this privacy policy through a notice provided via the Site or otherwise supplied to you. Your continued engagement with us after the date of the updated policy constitutes your acceptance of the updated policy. If you do not agree to the updated policy, you must stop your engagement with us.
If you have any questions about this policy, how we use your personal data or your data privacy rights, please contact us at legal@vulncheck.com.
Alternatively, you may submit a written request to the address at the top of this privacy policy.