Privacy Policy
Last updated: March 23, 2026
1. Who We Are
CVEPing is operated by Lazariuc-Hadrava S. Adrian Persoana Fizica Autorizata, based in Romania (EU). We are the data controller for personal data processed through the Service.
Contact: privacy@cveping.com
2. Data We Collect
Account Data (provided by you)
| Data | Purpose | Retention |
| Email address | Authentication, notifications, account recovery | Until account deletion |
| Name | Personalization | Until account deletion |
| Password | Authentication (stored as bcrypt hash, never in plaintext) | Until account deletion |
Usage Data (generated by your use)
| Data | Purpose | Retention |
| Technology selections | CVE monitoring | Until removed or account deletion |
| CVE status markings | Vulnerability tracking | Per plan retention period |
| Alert preferences | Notification delivery | Until changed or account deletion |
| Webhook URLs (Slack, Discord) | Alert delivery to your channels | Until disconnected or account deletion |
Data We Do NOT Collect
- We do not scan your source code or repositories
- We do not access your servers or infrastructure
- We do not use tracking cookies or third-party analytics
- We do not sell or share your personal data with third parties for marketing
3. How We Use Your Data
- Provide the Service: Monitor CVEs for your selected technologies, send alerts, display your dashboard
- Account management: Authentication, password recovery, email verification
- Service communications: Security alerts, product updates, billing notifications
- Service improvement: Aggregate, anonymized usage statistics (e.g., most monitored technologies)
4. Legal Basis (GDPR)
We process your data under the following legal bases:
- Contract performance: Processing necessary to provide the Service you signed up for (account data, technology selections, alert delivery)
- Legitimate interest: Service security, fraud prevention, aggregate analytics
- Consent: Optional marketing communications (you can opt out at any time)
5. Data Storage and Security
Your data is stored on servers located in Frankfurt, Germany (EU), hosted by Hostinger. We implement the following security measures:
- Passwords hashed with bcrypt (12 rounds)
- Authentication via JWT tokens in HTTP-only secure cookies
- HTTPS/TLS encryption for all data in transit
- PostgreSQL database with encrypted connections
- Daily automated database backups with 30-day retention
- Security headers (HSTS, CSP, X-Frame-Options) via helmet.js
- Rate limiting on authentication and API endpoints
6. Third-Party Services
We use the following third-party services to operate CVEPing:
| Service | Purpose | Data shared |
| Paddle (paddle.com) | Payment processing (Merchant of Record) | Email, billing info (handled by Paddle) |
| Resend (resend.com) | Transactional email delivery | Email address, email content |
| Slack (via user-provided webhook) | Alert delivery | CVE alert content (sent to user's own workspace) |
| NVD / GitHub / OSV.dev | CVE data sources | No personal data sent |
7. Your Rights (GDPR)
As an EU-based service, we fully comply with the General Data Protection Regulation. You have the right to:
- Access: Request a copy of all personal data we hold about you
- Rectification: Update or correct your personal data via Account Settings
- Erasure: Delete your account and all associated data (Account Settings → Danger Zone)
- Data portability: Export your vulnerability data as CSV (Dev plan and above)
- Restriction: Request that we limit processing of your data
- Objection: Object to processing based on legitimate interest
To exercise any of these rights, contact privacy@cveping.com. We will respond within 30 days.
8. Data Retention
- Account data: Retained until you delete your account
- CVE vulnerability data: Retained per your plan (Free: 30 days, Dev: 90 days, Pro: 1 year, Agency: unlimited)
- Notification logs: Retained for the same period as vulnerability data
- After account deletion: All personal data is permanently deleted within 30 days. Anonymized aggregate statistics may be retained.
9. Cookies
CVEPing uses a single essential cookie:
| Cookie | Purpose | Duration |
| token | Authentication session (HTTP-only, secure) | 7 days |
We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
10. Children
CVEPing is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For privacy-related questions or to exercise your rights:
Email: privacy@cveping.com
Lazariuc-Hadrava S. Adrian PFA
Romania, EU