1. Overview
SecureHup Inc. ("SecureHup", "we", "us") provides an autonomous AI pentesting platform that scans applications for security vulnerabilities. This Privacy Policy explains what personal data we collect, why we collect it, and the choices you have about it. It applies to securehup.com, our APIs, and our authenticated product (the "Service").
If you are a resident of Türkiye, the EU/EEA, the UK or California, you also have specific statutory rights summarized in section 7. Turkish residents should additionally read our KVKK Aydınlatma Metni.
2. Data we collect
Account & identity data
When you create an account we collect your name, work email, hashed password (or Google OAuth identifier), company, role, and country. If you sign up via Google we receive your Google account email and basic profile info — never your Google password.
Target & scan data
To run a pentest you provide a target — a URL, repository, API spec, or staging environment. The Service may temporarily process source code, HTTP requests/responses, and configuration files solely to perform security testing. We do not train models on your code or scan results.
Usage & device data
- Log data: IP address, browser type, OS, pages visited, timestamps, referring URL.
- Product telemetry: agent runtimes, scans launched, features used, error traces.
- Cookies & similar — see our Cookie Policy.
Billing data
For paid plans we collect billing name, address, VAT/tax ID, and the last four digits of your payment method. Full card data is processed by Stripe — we never see or store it.
Communications
If you contact our sales or support teams we keep a record of your message and any attachments so that we can respond to you and improve our service.
3. How we use it
We process personal data on these legal bases (GDPR Art. 6):
- Contract performance — provisioning your account, running scans, generating findings, billing.
- Legitimate interests — securing the platform, preventing abuse, improving the product, sending operational notices.
- Consent — marketing emails, optional analytics cookies, beta-feature opt-ins. Withdraw any time.
- Legal obligations — tax records, fraud prevention, valid legal process.
4. Sharing & subprocessors
We don't sell personal data. We share it only with vetted subprocessors that perform services on our behalf under written data-processing agreements:
- AWS (us-east-1, eu-west-1) — primary infrastructure & storage.
- Cloudflare — edge security & DDoS protection.
- Stripe — payment processing.
- Anthropic / OpenAI — LLM inference for agent reasoning (Zero Data Retention enabled).
- Postmark, Slack, HubSpot — transactional email, support, sales CRM.
A live subprocessor list is published at securehup.com/subprocessors; you can subscribe to receive 30-day notice of changes.
5. Retention
Account data is retained while your account is active and for 90 days after deletion (to recover from accidental deletion). Scan artifacts (source snapshots, request traces) are retained for 30 days then automatically purged. Findings & reports are retained for the lifetime of the account so you can audit historical security posture. Logs are kept for 12 months. Billing records are kept 10 years for tax compliance.
6. Security
SecureHup is SOC 2 Type II certified. Highlights:
- Data encrypted in transit (TLS 1.3) and at rest (AES-256).
- Per-tenant key isolation; agent sandboxes are ephemeral and torn down after each scan.
- Mandatory SSO + MFA for all employees; no production access without quorum approval.
- Annual third-party pentest + ongoing internal Strix-based pentesting of our own platform.
If you discover a vulnerability please email security@securehup.com.
7. Your rights
Depending on your jurisdiction you may have the right to:
- Access, correct, port, restrict, or delete your personal data.
- Object to processing based on legitimate interests.
- Withdraw consent at any time.
- Lodge a complaint with your local supervisory authority (in Türkiye: KVKK; in the EU: your national DPA).
Submit requests to privacy@securehup.com. We respond within 30 days (KVKK: 30 days; GDPR: 30 days, extendable to 90 for complex requests).
8. International transfers
SecureHup is headquartered in the United States. When we transfer personal data outside the EEA/UK/Türkiye we rely on Standard Contractual Clauses (SCCs) and supplementary technical measures (encryption, pseudonymization). EU customers can request EU-only data residency on Enterprise plans.
9. Children's privacy
The Service is not directed to anyone under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
10. Changes & contact
We may update this policy. Material changes will be announced via email and a banner in the product at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.
Data Controller: SecureHup Inc. · 548 Market St #62412, San Francisco, CA 94104, USA · privacy@securehup.com · EU representative: eu-rep@securehup.com