Privacy Policy

Last updated: March 28, 2026

1. Overview

HAVOC Cloud ("we", "us") is committed to protecting your privacy. This policy describes what data we collect, how we use it, and your rights. We operate under Texas law and comply with applicable privacy regulations including GDPR and CCPA.

2. Data We Collect

Account Data

  • Email address and GitHub username (via GitHub OAuth)
  • GitHub OAuth access tokens (stored encrypted)
  • Team memberships and invitation records

Scan Data

  • Scan targets: URLs, IP addresses, repository names
  • Vulnerability findings and scan results
  • Scan history and audit logs

Billing Data

  • Subscription plan and status
  • Payment history (Stripe manages payment card details; we do not store card numbers)

Usage Data

  • Log data: IP addresses, browser type, pages visited, timestamps
  • Performance and error telemetry

3. How We Use Your Data

  • Authenticate you and provide access to the Service
  • Run security scans on your authorized targets
  • Process payments and manage subscriptions
  • Send transactional emails (scan results, billing, security alerts)
  • Improve the Service through aggregated, anonymized analytics
  • Comply with legal obligations

4. Third Parties

We share data with the following third parties only as necessary to operate the Service:

  • GitHub — OAuth authentication
  • Stripe — Payment processing (subject to Stripe's Privacy Policy)
  • Cloud hosting providers — Infrastructure and database hosting
  • Error tracking services — Anonymized error telemetry

We do not sell your personal data to third parties.

5. Data Retention

We retain your account data for as long as your account is active. Scan results are retained for 90 days by default unless you delete them earlier or your plan includes extended retention.

After account deletion, we remove your personal data within 30 days, except where retention is required by law.

6. Your Rights

Depending on your location, you may have the right to:

  • Access a copy of your personal data
  • Correct inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Opt out of data sale (we do not sell data)
  • Request data portability
  • Lodge a complaint with your local supervisory authority (GDPR)

To exercise these rights, contact privacy@havoc.cloud.

7. Security

We use industry-standard encryption in transit (TLS) and at rest. OAuth tokens are stored encrypted. No data security measure is 100% guaranteed; in the event of a breach we will notify affected users as required by law.

8. Cookies

We use session cookies necessary for authentication and application functionality. We do not use advertising or tracking cookies.

9. Contact

Privacy questions or requests: privacy@havoc.cloud