Obexum is a security-auditing product. We hold ourselves to the standard we audit others against, and we collect as little personal data as the service can run on. This policy explains what we collect, why, the legal basis for it, who we share it with, how long we keep it, and the rights you have. It is written to align with the EU/UK GDPR, the California CCPA/CPRA, and equivalent data-protection laws.
This service is operated by [Legal Entity Name] (“Obexum”, “we”, “us”), registered at [Registered Address], jurisdiction of [Country / State]. For all data-protection matters we are the data controller of the account and billing data described below, and a data processor for any engagement data you choose to upload to the hosted portal (see our Data Processing Agreement).
Privacy contact: privacy@obexum.com · Data Protection Officer / EU representative: [to appoint if required].
| Category | Specific data | Source |
|---|---|---|
| Account | Email address, display name, and (for two-factor authentication) mobile phone number. Chosen plan and seat/host allowance. | You, at sign-up |
| Authentication | Password (stored only as a salted bcrypt hash — never in clear text), one-time verification codes sent by email and WhatsApp, session tokens, “trusted device” tokens, backup codes, and API tokens you generate. We log sign-in attempts (timestamp, IP, outcome) to detect abuse. | You / generated |
| Billing | Plan, subscription status, and the customer/subscription identifiers returned by our payment processor. Card and payment-instrument data is collected and stored by Stripe, not by us — we never see or store full card numbers. | You / Stripe |
| Engagement data (hosted portal only, opt-in) | If you use the hosted portal: the engagements, scans, findings, generated reports and downloadable builds you create or upload. This may include technical details about your own systems (hostnames, configuration findings). It never includes target credentials. | You, when you upload |
| Technical | IP address, browser/user-agent, request logs, and cookies needed to run the site and portal. | Automatic |
| Correspondence | Messages you send us (contact form, support email) and any attachments you choose to share. | You |
We do not sell or rent personal data, and we do not use it for automated decision-making that produces legal effects.
We share personal data only with vetted sub-processors under data-protection agreements, strictly to run the service:
| Sub-processor | Purpose | Data |
|---|---|---|
| Stripe | Payment & subscription processing | Billing details, card data (held by Stripe) |
| Green-API | WhatsApp delivery of one-time sign-in codes | Phone number, the one-time code |
| Email delivery [provider to confirm] | Verification codes, password reset, service email | Email address, message content |
| Hosting [VPS provider to confirm] | Runs the website and hosted portal | All portal data, server logs |
A current list is maintained and provided on request. We will give notice before adding a sub-processor that materially affects portal customers. We also disclose data where legally compelled, after validating the request, and will notify you where lawfully permitted.
Where personal data is transferred outside your jurisdiction (for example to a sub-processor in another country), we rely on an adequacy decision where one exists, or otherwise on Standard Contractual Clauses (SCCs) / equivalent safeguards. Governing jurisdiction for this service: [Country / State].
Passwords are stored as salted bcrypt hashes. Sign-in is protected by multi-factor authentication (email + WhatsApp one-time codes) with optional trusted-device tokens and single-use backup codes. Portal data is encrypted in transit (TLS) and at rest, tenants are logically isolated, and access is least-privilege. No system is perfectly secure, but we apply the same hardening discipline we sell. To report a vulnerability see our security page.
Subject to applicable law, you may:
Exercise any right at privacy@obexum.com; we respond within 30 days (CCPA: 45 days). You may also lodge a complaint with your data-protection authority: [supervisory authority for the chosen jurisdiction].
The marketing site uses a single functional cookie to remember your theme preference and no third-party tracking cookies. The portal uses essential, strictly-necessary session cookies (HttpOnly, Secure, SameSite) to keep you signed in. We do not use advertising or cross-site tracking cookies.
Obexum is a business tool not directed to children. We do not knowingly collect data from anyone under 16 (or the age of digital consent in your jurisdiction).
We may update this policy; we will revise the version and effective date above and, for material changes affecting portal customers, give reasonable notice. Continued use after the effective date constitutes acceptance.
Questions or requests: privacy@obexum.com. See also our Terms of Service and Data Processing Agreement.
Highlighted fields are placeholders to be finalised with counsel before publication (legal entity, address, jurisdiction, providers, retention windows). This document is a thorough, standards-aligned draft and is not legal advice.