Privacy Policy

Effective 17 June 2026 · Version 2.0 · [Legal entity to confirm]

Obexum is a security-auditing product. We hold ourselves to the standard we audit others against, and we collect as little personal data as the service can run on. This policy explains what we collect, why, the legal basis for it, who we share it with, how long we keep it, and the rights you have. It is written to align with the EU/UK GDPR, the California CCPA/CPRA, and equivalent data-protection laws.

Data-minimised by design. The Obexum scanner runs on your own host or jump-box. Your scans, findings, evidence and target details stay on your infrastructure and are never transmitted to us unless you deliberately upload them to the optional hosted portal. The local binary sends no telemetry — no findings, no target identifiers, no usage beacons.
Contents
  1. Who we are
  2. Data we collect
  3. What we never collect
  4. How and why we use it
  5. Legal bases (GDPR)
  6. Sub-processors & sharing
  7. International transfers
  8. Retention
  9. Security
  10. Your rights
  11. Cookies
  12. Children
  13. Changes
  14. Contact

1. Who we are

This service is operated by [Legal Entity Name] (“Obexum”, “we”, “us”), registered at [Registered Address], jurisdiction of [Country / State]. For all data-protection matters we are the data controller of the account and billing data described below, and a data processor for any engagement data you choose to upload to the hosted portal (see our Data Processing Agreement).

Privacy contact: privacy@obexum.com · Data Protection Officer / EU representative: [to appoint if required].

2. Data we collect

CategorySpecific dataSource
AccountEmail address, display name, and (for two-factor authentication) mobile phone number. Chosen plan and seat/host allowance.You, at sign-up
AuthenticationPassword (stored only as a salted bcrypt hash — never in clear text), one-time verification codes sent by email and WhatsApp, session tokens, “trusted device” tokens, backup codes, and API tokens you generate. We log sign-in attempts (timestamp, IP, outcome) to detect abuse.You / generated
BillingPlan, subscription status, and the customer/subscription identifiers returned by our payment processor. Card and payment-instrument data is collected and stored by Stripe, not by us — we never see or store full card numbers.You / Stripe
Engagement data (hosted portal only, opt-in)If you use the hosted portal: the engagements, scans, findings, generated reports and downloadable builds you create or upload. This may include technical details about your own systems (hostnames, configuration findings). It never includes target credentials.You, when you upload
TechnicalIP address, browser/user-agent, request logs, and cookies needed to run the site and portal.Automatic
CorrespondenceMessages you send us (contact form, support email) and any attachments you choose to share.You

3. What we never collect

  • Telemetry from the local scanner binary — no “phone home”, no usage analytics, no findings beacon. It runs fully air-gapped if you wish.
  • Your local engagement directories, scan findings, or evidence — unless you explicitly upload them to the hosted portal.
  • Target credentials, SSH keys, or other access secrets. The scanner resolves these from where you keep them and excludes auth state from the engagement directory by default.
  • Full payment-card numbers (handled entirely by Stripe), biometric data, or special-category data. Please do not send us such data.

4. How and why we use it

  • Provide the service — create and secure your account, deliver your signed per-OS builds, run the hosted portal features you subscribe to.
  • Authenticate & protect — multi-factor sign-in (email + WhatsApp one-time codes), trusted-device handling, and abuse/fraud detection from sign-in logs.
  • Billing — process subscriptions and trials through Stripe.
  • Support & communication — respond to you and send essential service notices. Marketing email is sent only with your consent and always with an unsubscribe link.
  • Legal & security — meet legal obligations and protect the rights, safety and integrity of the service.

We do not sell or rent personal data, and we do not use it for automated decision-making that produces legal effects.

5. Legal bases (GDPR)

  • Performance of a contract — account, authentication, billing and the portal features you buy.
  • Legitimate interests — securing the service, preventing fraud/abuse, and basic service analytics; balanced against your rights.
  • Consent — optional marketing communications and any non-essential cookies; withdrawable at any time.
  • Legal obligation — tax, accounting and lawful requests.

6. Sub-processors & sharing

We share personal data only with vetted sub-processors under data-protection agreements, strictly to run the service:

Sub-processorPurposeData
StripePayment & subscription processingBilling details, card data (held by Stripe)
Green-APIWhatsApp delivery of one-time sign-in codesPhone number, the one-time code
Email delivery [provider to confirm]Verification codes, password reset, service emailEmail address, message content
Hosting [VPS provider to confirm]Runs the website and hosted portalAll portal data, server logs

A current list is maintained and provided on request. We will give notice before adding a sub-processor that materially affects portal customers. We also disclose data where legally compelled, after validating the request, and will notify you where lawfully permitted.

7. International transfers

Where personal data is transferred outside your jurisdiction (for example to a sub-processor in another country), we rely on an adequacy decision where one exists, or otherwise on Standard Contractual Clauses (SCCs) / equivalent safeguards. Governing jurisdiction for this service: [Country / State].

8. Retention

  • Account data — for as long as your account is active, then deleted or anonymised within [30–90 days] of closure, except where we must keep records longer for legal/tax reasons.
  • Billing records — kept for the statutory period required by tax law in [jurisdiction].
  • Engagement data (portal) — retained while present in your account; deleted when you delete the engagement or close the account. You control this directly in the portal.
  • Logs / one-time codes — sign-in logs kept for a short rolling window for security; one-time codes expire within minutes.

9. Security

Passwords are stored as salted bcrypt hashes. Sign-in is protected by multi-factor authentication (email + WhatsApp one-time codes) with optional trusted-device tokens and single-use backup codes. Portal data is encrypted in transit (TLS) and at rest, tenants are logically isolated, and access is least-privilege. No system is perfectly secure, but we apply the same hardening discipline we sell. To report a vulnerability see our security page.

10. Your rights

Subject to applicable law, you may:

  • Access a copy of your personal data and port it in a portable format.
  • Rectify inaccurate data and erase data (“right to be forgotten”).
  • Restrict or object to certain processing, and withdraw consent at any time.
  • CCPA/CPRA (California): know, delete, correct, and opt out of “sale”/“sharing” — we do not sell or share personal data — and you will not be discriminated against for exercising these rights.

Exercise any right at privacy@obexum.com; we respond within 30 days (CCPA: 45 days). You may also lodge a complaint with your data-protection authority: [supervisory authority for the chosen jurisdiction].

11. Cookies

The marketing site uses a single functional cookie to remember your theme preference and no third-party tracking cookies. The portal uses essential, strictly-necessary session cookies (HttpOnly, Secure, SameSite) to keep you signed in. We do not use advertising or cross-site tracking cookies.

12. Children

Obexum is a business tool not directed to children. We do not knowingly collect data from anyone under 16 (or the age of digital consent in your jurisdiction).

13. Changes

We may update this policy; we will revise the version and effective date above and, for material changes affecting portal customers, give reasonable notice. Continued use after the effective date constitutes acceptance.

14. Contact

Questions or requests: privacy@obexum.com. See also our Terms of Service and Data Processing Agreement.

Highlighted fields are placeholders to be finalised with counsel before publication (legal entity, address, jurisdiction, providers, retention windows). This document is a thorough, standards-aligned draft and is not legal advice.