Last Updated: December 2025
At Vulnz (accessible from https://vulnz.net), the privacy of our visitors and the security of the infrastructure data we monitor is our primary concern. This Privacy Policy outlines the types of information we collect and how we handle it.
This policy distinguishes between data collected through human interaction with our website and dashboard, and technical telemetry collected via the Vulnz WordPress plugin (vulnz-agent) interacting with our API.
If you have additional questions or require more information about our Privacy Policy, please contact us.
1. Data Collected via Website Interaction
This section applies when you visit vulnz.net via a web browser, register for an account, or manage your dashboard.
A. Log Files
Vulnz follows a standard procedure of using log files. These files log visitors when they access the website. The information collected includes internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), date and time stamp, and referring/exit pages. These are not linked to any information that is personally identifiable. The purpose of this information is for analysing trends, administering the site, and tracking users’ movement on the website to improve the user experience.
B. Account Information
When you register for a Vulnz account, we collect:
- Identity Data: Your name and email address.
- Billing Data: Your billing address and transaction history.
- Configuration Data: Settings regarding report frequency and notification preferences.
C. Cookies & Analytics
We use first-party cookies to manage your login session and ensure the secure functionality of the dashboard. We use self-hosted analytics software to understand how our website is used. We do not use third-party advertising trackers and we do not sell your browsing data to advertisers.
2. Data Collected via Service Telemetry (API)
This section applies to data transmitted automatically when you install and activate the Vulnz plugin on a WordPress website.
A. Technical Telemetry
To provide vulnerability monitoring, the plugin sends specific technical data to our API servers. This includes:
- System Status: WordPress core version, PHP version, and Web Server signature.
- Component Inventory: A list of installed plugins and themes, their active status, and their version numbers.
- Domain Information: The URL of the site being monitored.
B. Purpose of Processing
We process this telemetry solely to:
- Compare your software inventory against known vulnerability databases (CVEs).
- Generate your scheduled security reports.
- Detect abandoned or outdated software components.
C. Limitations
We do not collect content from your website database (such as blog posts, user data, customer orders, or passwords). The agent operates in a read-only capacity regarding your site’s content.
3. Payment Processing
We use Stripe for payment processing.
- No Storage of Sensitive Card Data: We do not collect or store your full payment card details on our servers.
- Vaulted Credentials: Payment information is provided directly to Stripe, whose use of your personal information is governed by their Privacy Policy. We utilise Stripe’s API to store “vaulted credentials” (tokens), which allow us to process renewal payments securely without having access to your banking details.
4. Infrastructure & Emails
A. Hosting
All data is processed and stored on our own secure infrastructure located in the United Kingdom.
B. Email Delivery
Unlike many SaaS providers, we do not share your data with third-party email marketing platforms. All transactional emails and weekly security reports are routed through our own secure mail servers (nexus.headwall.co.uk).
5. Account Security & Liability
You are responsible for maintaining the confidentiality of your account login credentials (username and password).
Vulnz cannot and will not be liable for any loss, damage, or data exposure arising from your failure to comply with this security obligation. Given the sensitive nature of the data inside your dashboard (which reveals potential vulnerabilities on your monitored sites), we strongly recommend using a unique, complex password.
6. Data Security
We employ industry-standard security measures to protect the data we hold, including encryption of data in transit (TLS/SSL) and strict access controls on our backend infrastructure. We treat vulnerability data as confidential and will never publicly disclose the vulnerability status of a monitored domain.
7. GDPR & Your Rights
We operate in the United Kingdom and comply with the General Data Protection Regulation (GDPR). You have the right to:
- Access the personal data we hold about you.
- Request the deletion of your account and all associated monitoring data.
- Export your data.
To exercise these rights, please contact support via your dashboard.
8. Consent
By using our website and installing our plugin, you hereby consent to this Privacy Policy and agree to our Terms and Conditions.