Privacy Policy

Last updated: May 15, 2026

1. Introduction

Violet Security (“Violet”, “we”, “us”) operates the tryviolet.ai platform (“Service”), an AI-powered penetration testing service. This Privacy Policy explains how we collect, use, and protect your information when you use our Service.

2. Information We Collect

Account information: When you create an account, we collect your name, email address, and password (stored as a bcrypt hash). If you sign in via OAuth (Google, GitHub), we receive your name, email, and profile image from the provider.

Organization data: Organization name, workspace slug, and team member information (names, emails, roles).

Scan data: Target URLs you submit for testing, scan configuration, repository URLs (if provided), scan results, vulnerability findings, and generated reports.

Payment information: We do not store credit card numbers. Payments are processed by Stripe (USD) and PayMongo (PHP). We store your Stripe customer ID and transaction records (amount, date, description).

Usage data: We log activity such as sign-ins, scan creation, and page views to provide analytics and improve the Service.

3. How We Use Your Information

We use your information to:
  • Provide and operate the penetration testing Service
  • Process payments and manage your credit balance
  • Send transactional emails (scan completion, critical findings, password resets)
  • Improve the Service through aggregated, anonymized usage analytics
  • Respond to support requests
  • Comply with legal obligations

Lawful basis for processing. We process your personal data on the following legal bases: (a) contract performance — to provide the Service you signed up for; (b) legitimate interests — to improve the Service, detect abuse, and ensure security; (c) legal obligation — to comply with applicable laws; (d) consent — where you have agreed, such as receiving transactional emails. You may withdraw consent where consent is the legal basis by contacting us.

4. Third-Party Services

We share data with the following processors to operate the Service:
  • Anthropic — AI model provider for security analysis agents
  • Stripe — Payment processing (USD subscriptions and credit bundles)
  • PayMongo — Payment processing (PHP credit packs via GCash, Maya, GrabPay)
  • Amazon Web Services — Hosting, storage, and transactional email delivery (SES)
  • Upstash — Rate limiting infrastructure
  • Neon — Application database (Postgres) hosting

We do not sell your personal information to third parties.

In addition to the above third-party processors, Violet personnel may access your data on a minimum-necessary basis as described in § 6 (Service Operations).

5. Security Testing Scope

Violet performs automated security testing only on targets you explicitly submit. Scan data (findings, evidence, reports) is stored in your organization’s account and is not shared with other customers. You are responsible for ensuring you have authorization to test any target URL you submit.

6. Service Operations

To deliver, support, and improve the Service, Violet staff may access your scan data, vulnerability reports, and audit logs for the following limited purposes: (a) providing customer support and diagnosing scan failures; (b) improving service quality and investigating anomalies; (c) investigating violations of our Terms of Service; (d) complying with legal obligations.

Audit logging. All internal staff access to your organization’s data is recorded in an internal audit log. You may request a copy of this log for your organization by contacting [email protected] with the subject line “Audit Log Request.” We will respond within 30 days.

Report regeneration. Violet may re-process or regenerate your security reports to correct errors or improve quality. When this is done at Violet’s initiative (not at your request), you will be notified by email. The prior version of the report is preserved and available on request.

Minimum-necessary access. Staff access is limited to what is required for the stated purpose. All personnel are subject to confidentiality obligations.

7. Data Retention

Account and organization data is retained while your account is active. Scan results and findings are retained for as long as your organization exists, so they remain available for your reference.

Account deletion. You can request deletion of your account from the Service. When you do, we begin a 30-day grace period during which the request can be cancelled using the link in the confirmation email. Your active sign-in sessions are ended immediately. After 30 days, the personal information associated with your account (such as your name, email address, password, and IP address) is irreversibly removed. Security reports and findings that belong to your organization are retained without any link to your personal identity, because they are work product owned by the organization rather than personal data.

High-sensitivity scan artifacts. Raw scan audit logs (the detailed internal record of a scan, which can contain sensitive evidence) are automatically deleted 90 days after the scan. The customer-facing report is retained separately for your reference.

Financial records. Billing and transaction records are retained for up to 7 years to meet tax and accounting obligations, even after account deletion.

8. Your Rights

You may:
  • Access and export your scan data and findings (CSV/JSON report export available)
  • Download a machine-readable copy of your personal data at any time using the self-service personal-data export
  • Update your account information in Settings
  • Delete your account from the Service. Deletion has a 30-day grace period during which it can be cancelled via the link in the confirmation email; after that the personal information on your account is irreversibly removed
  • Contact us to exercise any other data-protection right (such as correction, restriction, or receiving your data in a specific portable format)

For users in the European Economic Area (EEA) or United Kingdom. Under GDPR or UK GDPR, you have the right to: access your data; request correction of inaccurate data; request erasure (subject to legal retention obligations); receive your data in a portable, machine-readable format; restrict or object to processing based on legitimate interests; and lodge a complaint with your local supervisory authority. Access and erasure can be exercised directly in the Service through the self-service personal-data export and account deletion described in the list above, and you can correct basic profile fields in Settings. For any other right, contact [email protected] and we will respond within 30 days.

For California residents. Under the CCPA/CPRA, you have the right to: know what personal information we collect and how it is used; request deletion or correction of your personal information; and opt out of sale — we do not sell your personal information to third parties. We will not discriminate against you for exercising these rights. You can delete your account directly in the Service (as described in the list above) and correct basic profile fields in Settings; for any other request, contact [email protected] with the subject line “California Privacy Request.”

9. International Data Transfers

Violet is operated from the United States. If you access the Service from the EEA, UK, or other regions with data transfer restrictions, your personal data may be transferred to and processed in the United States.

For EEA and UK users, such transfers are made under the European Commission’s Standard Contractual Clauses (SCCs) or an equivalent lawful mechanism where applicable.

Questions about international data transfers: [email protected].

10. Cookies

We use essential cookies for authentication (session tokens) and geo-detection (billing region). We do not use advertising or tracking cookies.

11. Changes to This Policy

We may update this policy from time to time. We will notify registered users of material changes via email.

12. Contact

For privacy-related questions, contact us at [email protected].

Enterprise customers who require a signed Data Processing Agreement (DPA) before submitting data may request one at the same address.