Privacy Policy
Last updated: March 21, 2026
1. Introduction
PenReport (“we,” “us,” or “our”) operates the website at penreport.app and the PenReport web application (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal data when you visit our website or use our Service.
PenReport is a web application that converts penetration testing findings into professional PDF and DOCX reports. Our target users are freelance penetration testers, bug bounty hunters, and small security firms.
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Service.
2. Data Controller
For the purposes of the General Data Protection Regulation (GDPR) and other applicable data protection laws, the operator of PenReport is the data controller responsible for the personal data processed through the Service. For inquiries regarding data protection, please contact us at [email protected].
3. Information We Collect
3.1 Account Registration Data
When you create an account using email and password, we collect:
- Email address (used as your primary identifier and for transactional communications)
- Password — we never store your password in plain text. It is immediately hashed using the Argon2id algorithm (OWASP-recommended) and only the irreversible hash is stored in our database.
3.2 Google OAuth Data
If you sign in with Google, we receive the following from Google's OAuth service:
- Your Google account email address
- Your display name
- Your Google profile picture URL
- Your Google account identifier (used to link your Google account to your PenReport account)
We store the OAuth access token and refresh token provided by Google solely to maintain your authenticated session. We do not access your Google Drive, Gmail, contacts, or any other Google services beyond the basic profile information listed above.
3.3 Tester Profile Data
When you complete your tester profile in settings, you may optionally provide:
- Full name
- Company or organization name
- Professional certifications (e.g., OSCP, CEH, CREST)
This information is used to populate report headers and cover pages. It is entirely optional.
3.4 Report and Finding Content
When you create reports and findings, we store:
- Report metadata (title, client name, engagement dates, scope, executive summary, disclaimer text)
- Finding details (title, description, severity, CVSS score, affected assets, proof of concept, remediation steps, references)
- Finding templates you create (Pro plan only)
- Finding attachments and screenshots you upload (Pro plan only)
- Custom branding assets including uploaded logos and color configurations (Pro plan only)
- Generated PDF and DOCX report files
- Report sharing status and share tokens
Field-level encryption: All sensitive report and finding fields listed above are encrypted with AES-256-GCM at the application layer before being written to the database. This is in addition to Neon's disk-level encryption. The encryption key is stored only in the server environment and is never written to the database or included in backups. Even with direct database access, your client data remains protected as ciphertext.
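As an added illustration (not PenReport's code) of the field-level scheme described above: one sensitive column is encrypted with AES-256-GCM under a key supplied by the server environment, with the record id and column name bound in as associated data so a ciphertext moved to another row or field fails authentication. The `v1:` prefix, the `recordId:field` binding and the key-handling function names are assumptions.

```typescript
// Added example, not PenReport's implementation. The 32-byte key is passed in by
// the caller (in production it would be read from the server environment, never
// from the database or backups); tests below generate a throwaway key.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

const IV_BYTES = 12;  // 96-bit nonce, the size GCM is specified around
const TAG_BYTES = 16; // 128-bit authentication tag

export interface FieldRef {
  recordId: string; // e.g. the finding's primary key
  field: string;    // e.g. "proof_of_concept"
}

// Associated data binds the ciphertext to its row and column: a ciphertext copied
// from another record (or another field of the same record) no longer authenticates.
function associatedData(ref: FieldRef): Buffer {
  return Buffer.from(`${ref.recordId}:${ref.field}`, "utf8");
}

/** Encrypt one field value; returns "v1:" + base64(iv || tag || ciphertext). */
export function encryptField(key: Buffer, ref: FieldRef, plaintext: string): string {
  if (key.length !== 32) throw new Error("AES-256-GCM requires a 32-byte key");
  const iv = randomBytes(IV_BYTES); // fresh random nonce for every encryption
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(associatedData(ref));
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return "v1:" + Buffer.concat([iv, tag, ciphertext]).toString("base64");
}

/** Decrypt a stored field value; throws if the key, nonce, tag or associated data do not match. */
export function decryptField(key: Buffer, ref: FieldRef, stored: string): string {
  if (!stored.startsWith("v1:")) throw new Error("unknown field ciphertext version");
  const blob = Buffer.from(stored.slice(3), "base64");
  if (blob.length < IV_BYTES + TAG_BYTES) throw new Error("ciphertext too short");
  const iv = blob.subarray(0, IV_BYTES);
  const tag = blob.subarray(IV_BYTES, IV_BYTES + TAG_BYTES);
  const ciphertext = blob.subarray(IV_BYTES + TAG_BYTES);
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAAD(associatedData(ref));
  decipher.setAuthTag(tag);
  // final() throws on any tag mismatch, so tampering is detected rather than
  // silently decrypted into garbage.
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
}

/** True when decryption is rejected; convenient for checking tamper detection. */
export function decryptFails(key: Buffer, ref: FieldRef, stored: string): boolean {
  try {
    decryptField(key, ref, stored);
    return false;
  } catch {
    return true;
  }
}
```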
Important disclaimer regarding report content: The reports you create may contain sensitive information about your clients' systems, vulnerabilities, and security posture. You are solely responsible for ensuring you have proper authorization to document and store this information, and that your use of the Service complies with any confidentiality agreements or non-disclosure obligations you have with your clients. PenReport acts as a data processor for report content and does not access, review, or analyze the substance of your reports except as necessary to provide the Service (e.g., AI enhancement when you explicitly request it, PDF generation).
3.5 AI Interaction Data
When you use the AI finding enhancement feature, the following data is sent to our AI provider (Anthropic) for processing:
- Finding title
- Any optional finding fields you have already filled in (description, severity, affected assets)
The raw JSON response from the AI is stored in your report record for debugging and audit purposes. See Section 8 for full details on AI data processing.
3.6 Payment and Billing Data
We do not directly collect or store credit card numbers, bank account details, or other financial instrument data. All payment processing is handled by Polar, our Merchant of Record. We store:
- Your Polar customer ID
- Your Polar subscription ID
- Subscription status (active, cancelled, expired, paused, past_due)
- Current plan tier (free or pro)
- Plan expiration date (when a cancellation is pending)
- Webhook event IDs (for idempotent processing of billing events)
3.7 Technical and Usage Data
We automatically collect the following when you use the Service:
- IP address — used for rate limiting, brute force protection, and abuse prevention. IP addresses are processed in memory for rate limiting purposes via Upstash Redis and are not permanently stored in our primary database.
- User agent string — may be captured in error reports sent to Sentry for debugging purposes.
- Error and performance data — when errors occur, diagnostic information including the error message, stack trace, and contextual identifiers (user ID, report ID) is sent to Sentry for investigation.
- Request metadata — HTTP method, request path, response status codes, and timestamps are logged for operational monitoring.
3.8 Verification Tokens and Security Data
For security operations, we generate and store:
- Account activation tokens (SHA-256 hashed; raw token sent to your email only)
- Password reset tokens (SHA-256 hashed; raw token sent to your email only; expires after 1 hour)
- Email change confirmation tokens (SHA-256 hashed; raw token sent to your new email only)
- Session tokens (stored as-is in the database; associated with your user ID and an expiration timestamp)
- Rate limiting counters (stored in Upstash Redis with automatic expiration; keyed by IP address or user identifier)
- Failed login attempt counters (stored in Upstash Redis; used to calculate progressive delays for brute force protection)
3.9 Information We Do Not Collect
We want to be explicit about data we do not collect:
- We do not use tracking cookies, advertising cookies, or third-party analytics cookies
- We do not collect biometric data
- We do not collect geolocation data beyond what is derivable from an IP address
- We do not collect data from social media profiles (other than basic Google OAuth profile data if you choose that sign-in method)
- We do not use web beacons, pixel tags, or similar tracking technologies in our application
- We do not collect information from third-party data brokers
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR): Processing your account data, report content, and payment information is necessary to provide the Service you have signed up for, including account creation, report generation, PDF export, AI enhancement, and subscription management.
- Legitimate interests (Art. 6(1)(f) GDPR): We process IP addresses, failed login attempt counters, and rate limiting data to protect the Service from abuse, brute force attacks, and unauthorized access. We process error reports and diagnostic data to maintain and improve the reliability of the Service. We process webhook event identifiers to ensure idempotent handling of billing events. Our legitimate interests do not override your fundamental rights and freedoms.
- Consent (Art. 6(1)(a) GDPR): When you voluntarily use the AI finding enhancement feature, you consent to your finding data being sent to Anthropic for processing. You may withdraw this consent at any time by simply not using the AI feature. Manual entry of all finding fields is always available as an alternative.
- Legal obligation (Art. 6(1)(c) GDPR): We may process and retain certain data where required by applicable law, such as tax regulations related to billing records or legal requests from law enforcement.
5. How We Use Your Information
We use the information we collect for the following purposes:
5.1 Service Delivery
- To create and maintain your account
- To authenticate your identity via password or Google OAuth
- To store and manage your reports, findings, templates, and attachments
- To generate PDF and DOCX reports from your data
- To provide AI-powered finding enhancement when you request it
- To manage your subscription and process payments via Polar
- To enable report sharing via public read-only links when you opt in
- To apply your custom branding (logo and colors) to generated reports (Pro plan)
5.2 Transactional Communications
- To send account activation emails upon registration
- To send password reset emails when you request them
- To send email change confirmation notices
- To send billing-related emails (subscription created, cancelled, resumed, expired, payment failed, payment recovered)
- To send account deletion confirmations
- To send feedback notifications when someone comments on your shared reports (you can disable this from Settings > Account)
We send transactional emails only. We do not send marketing emails, newsletters, or promotional communications. You can control which notification emails you receive from Settings > Account.
5.3 Security and Abuse Prevention
- To enforce rate limits on registration, login, password reset, and API endpoints
- To apply progressive delays after failed login attempts (brute force protection)
- To block registration with disposable or temporary email addresses
- To detect and prevent fraudulent or abusive activity
- To flag accounts for manual review when suspicious activity is detected
- To automatically delete unverified accounts that are not activated within 24 hours
5.4 Service Reliability and Improvement
- To track and resolve errors via Sentry (with user ID and report ID context where relevant)
- To monitor Service performance and availability
- To identify and fix bugs reported through error tracking
5.5 Plan Enforcement
- To enforce free tier limits (maximum 2 PDF reports per calendar month, maximum 5 AI calls per calendar month)
- To enforce Pro tier limits (maximum 200 AI calls per calendar month)
- To gate Pro-only features (templates, attachments, custom branding, DOCX/HTML/CSV/JSON export, custom disclaimers)
- To track monthly report generation counts and reset them at the beginning of each billing cycle
6. Cookies and Local Storage
6.1 Session Cookie
PenReport uses a single, strictly necessary session cookie to maintain your authentication state:
- Cookie name: authjs.session-token (development / HTTP) or __Secure-authjs.session-token (production / HTTPS)
- Purpose: Contains a session token (UUID) that links your browser to your authenticated server-side session stored in our database.
- Duration: The cookie expires when your session expires. Sessions are database-backed and can be revoked instantly by you or by an administrator.
- Scope: The cookie is scoped to the penreport.app domain and is not accessible to third-party domains.
- Security flags: In production, the cookie is set with the Secure, HttpOnly, and SameSite=Lax flags.
6.2 Local Storage
We may store your UI theme preference (light or dark mode) in your browser's localStorage. This data never leaves your browser and is not transmitted to our servers.
6.3 No Tracking Technologies
We do not use tracking cookies, advertising cookies, third-party analytics cookies, web beacons, pixel tags, fingerprinting scripts, or any other tracking technologies. We do not participate in any advertising networks or cross-site tracking programs.
6.4 Cookie Consent
Because our only cookie is strictly necessary for the functioning of the Service (session authentication), it is exempt from cookie consent requirements under the ePrivacy Directive (EU) and similar legislation. We do not require a cookie consent banner. If we introduce non-essential cookies in the future, we will update this policy and implement appropriate consent mechanisms.
7. Third-Party Data Processors
We share your personal data with the following third-party service providers, each acting as a data processor on our behalf. We rely on each provider's standard terms of service and privacy policies to govern data processing. We do not currently have separate Data Processing Agreements (DPAs) in place.
- Neon (Neon Inc.)
Purpose: PostgreSQL database hosting. All user accounts, reports, findings, templates, profiles, branding configurations, sessions, and billing data are stored in Neon's managed PostgreSQL service.
Data processed: All persistent application data.
Data location: United States.
Encryption: Data encrypted at rest and in transit (TLS). Sensitive report and finding fields are additionally protected by application-layer AES-256-GCM field-level encryption.
Privacy policy: neon.tech/privacy
- Anthropic (Anthropic PBC)
Purpose: AI-powered finding enhancement. When you use the AI feature, finding data is sent to Anthropic's Claude API for processing.
Data processed: Finding titles, descriptions, severity levels, and related metadata that you choose to enhance.
Data location: United States.
See Section 8 for detailed AI data processing information.
Privacy policy: anthropic.com/privacy
- Vercel (Vercel Inc.)
Purpose: Application hosting and deployment. PenReport runs on Vercel's infrastructure.
Data processed: All HTTP requests pass through Vercel's edge network.
Data location: Global edge network; primary region United States.
Privacy policy: vercel.com/legal/privacy-policy
- ImageKit (ImageKit.io)
Purpose: File storage and delivery. Generated PDF/DOCX report files, uploaded branding logos, and finding attachment images are stored on ImageKit's infrastructure.
Data processed: Generated report files, branding logos, and finding attachment images.
Data location: Global CDN; origin storage in configurable regions.
Encryption: Data encrypted in transit (TLS). Files served over HTTPS.
Privacy policy: imagekit.io/privacy
- Polar (Polar Software Inc)
Purpose: Payment processing and subscription management. Polar acts as the Merchant of Record for all PenReport transactions.
Data processed: Email address, billing information (collected directly by Polar), subscription status, and payment history. PenReport never sees or stores your credit card number or full payment details.
Data location: United States.
Privacy policy: polar.sh/legal/privacy
- Resend (Resend Inc.)
Purpose: Transactional email delivery. All emails sent by PenReport (activation, password reset, billing notices, email change confirmations, account deletion confirmations) are delivered through Resend.
Data processed: Recipient email address, email subject, and email body content.
Data location: United States.
Privacy policy: resend.com/legal/privacy-policy
- Upstash (Upstash Inc.)
Purpose: Rate limiting and brute force protection. We use Upstash Redis to enforce request rate limits and to track failed login attempts for progressive delay calculations.
Data processed: IP addresses (as rate limit keys), user identifiers (as rate limit keys), and request counters. All data is ephemeral with automatic TTL-based expiration.
Data location: United States.
Privacy policy: upstash.com/trust/privacy.pdf
- Sentry (Functional Software Inc.)
Purpose: Error tracking and performance monitoring. When errors occur in the application, diagnostic information is sent to Sentry to help us identify and fix issues.
Data processed: Error messages, stack traces, user ID (for context), report ID (for context), user agent string, request URL, and request metadata. Sentry does not receive report content, finding details, or passwords.
Data location: United States.
Privacy policy: sentry.io/privacy
- Google (Google LLC)
Purpose: OAuth 2.0 authentication. If you choose to sign in with Google, the OAuth flow is handled by Google's identity services.
Data processed: Google receives the fact that you are authenticating with PenReport. We receive your Google profile information as described in Section 3.2.
Data location: Global (Google's infrastructure).
Privacy policy: policies.google.com/privacy
- Cloudflare (Cloudflare, Inc.)
Purpose: DNS management and domain security. Our domain's DNS is managed through Cloudflare, which provides DNS resolution and DDoS protection at the DNS layer.
Data processed: DNS query metadata (domain lookups). Cloudflare does not proxy or inspect application traffic for PenReport — it serves only as a DNS provider.
Data location: Global (Cloudflare's network).
Privacy policy: cloudflare.com/privacypolicy
We do not sell your personal data to any third party. We do not share your data with third parties for their marketing purposes. Data is shared with the processors listed above solely to provide, secure, and improve the Service.
8. AI Data Processing
This section provides detailed information about how data is processed when you use the AI finding enhancement feature.
8.1 What Data Is Sent to Anthropic
Finding enhancement: When you click the AI enhancement button on a finding, we send the following to Anthropic's Claude API:
- The finding title you entered
- Any optional finding fields you have already populated (description, severity, affected assets)
- A system prompt that instructs the AI model to return structured JSON with specific fields (description, CVSS score, remediation steps, references)
For individual finding enhancement, we do not send your email address, account information, client names, full report content, or other findings from the same report.
Executive summary generation: When you generate an AI-powered executive summary, we send additional report metadata to Anthropic, including: the report title, client name, target system, engagement dates, scope, and all finding details (titles, severities, descriptions, and remediations). This broader context is necessary for the AI to produce a coherent summary of the full engagement.
In both cases, we do not send your email address, account credentials, or billing information to Anthropic. A confirmation dialog is shown before each AI call so you can review what data will be transmitted.
8.2 AI Model and Processing
- Model used: Claude Haiku (Anthropic's smallest, fastest model). We deliberately use this smaller model rather than a larger one in order to minimize data exposure and cost.
- Processing type: Stateless API calls. Each AI enhancement is an independent request with no conversation history or context from previous requests.
- Maximum response size: 1,500 tokens per call.
- Output validation: All AI responses are validated against a strict Zod schema before being used. Invalid responses are discarded and an error is returned to you.
8.3 Anthropic's Data Handling
According to Anthropic's API usage policy (as of the date of this Privacy Policy):
- Anthropic does not use data submitted through their API to train their AI models.
- API inputs and outputs may be retained by Anthropic for a limited period for trust and safety purposes (abuse detection and prevention), after which they are deleted.
- Anthropic processes API data in the United States.
We encourage you to review Anthropic's current privacy policy and API usage terms for the most up-to-date information on their data handling practices.
8.4 Opting Out of AI Processing
The AI finding enhancement feature is entirely optional. You are never required to use it. Every finding field can be filled in manually without any AI involvement. If you choose not to use the AI feature, no finding data is sent to Anthropic. There is no account-level setting to disable the feature — simply do not click the AI enhancement button.
8.5 AI Response Storage
The raw JSON response from each AI enhancement call is stored temporarily in the raw_ai_json field of the associated report record for debugging purposes. This data is automatically cleared after 7 days by a scheduled cleanup process, or when you delete the associated report or your entire account.
9. Shared Reports and Public Links
PenReport allows you to generate a public, read-only link for any report. When you enable sharing for a report:
- A unique share token is generated using a cryptographically secure random generator (nanoid, 21 characters).
- Anyone with the share link can view the full report content without authentication. This includes the report title, client name, executive summary, all findings, severity ratings, remediation steps, and any attachments.
- Shared report pages include a noindex meta tag to discourage search engine indexing, but we cannot guarantee that search engines will respect this directive.
- You can disable sharing at any time, which immediately invalidates the share link.
- Share analytics: When someone views a shared report, we collect limited analytics data including: a daily-rotating SHA-256 hash of their IP address (not the raw IP), their user agent string (truncated to 500 characters), their approximate country (derived from a server-side header), and time spent viewing the report. This data helps you understand how your shared reports are being accessed. The IP hash rotates daily and cannot be used to identify individual viewers across days.
- Share feedback: If you enable comments on a share link, viewers may optionally provide their name, email address, and a text comment. This information is stored in our database and is visible to you (the report owner) through the share settings. Viewers are not required to provide their name or email — they may submit feedback anonymously.
Important: You are solely responsible for determining whether it is appropriate to share a report via a public link. Consider your confidentiality obligations to your clients before enabling report sharing. Once a link is shared, anyone with the URL can access the report content until you disable sharing.
10. International Data Transfers
Our third-party service providers are primarily located in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States and other countries where our providers operate.
Several of our infrastructure providers (including Vercel, Neon, and Anthropic) are certified under the EU-U.S. Data Privacy Framework or incorporate Standard Contractual Clauses (SCCs) in their terms of service. We rely on these provider-level transfer mechanisms for cross-border data transfers. PenReport does not independently maintain separate SCCs or Data Privacy Framework certifications.
If you have questions about how your data is transferred internationally, please contact us at [email protected].
11. Data Retention and Deletion
11.1 Active Account Data
Your account data, reports, findings, templates, attachments, and profile information are retained for as long as your account is active. You can delete individual reports at any time (soft delete — the record is marked as deleted and excluded from all queries but may be retained in database backups for a limited period).
11.2 Account Deletion
You can delete your account at any time from the Settings > Account page. When you delete your account:
- If you have an active Pro subscription, it is cancelled with Polar first
- All your reports, findings, templates, and attachments are permanently deleted
- All generated PDF and DOCX files are deleted from ImageKit storage
- Your branding assets (logos) are deleted from ImageKit storage
- Your tester profile is deleted
- All active sessions are invalidated
- Your account record is permanently removed from the database
- A deletion confirmation email is sent to your email address
Account deletion is permanent and irreversible. We cannot recover deleted accounts or their associated data. Deletion is completed within 30 days, though most data is removed immediately. Residual data may persist in encrypted database backups for a limited period consistent with our backup retention schedule.
11.3 Unverified Account Cleanup
Accounts that are registered but not activated (email not verified) within 24 hours are automatically hard-deleted by a scheduled cleanup process. This includes the user record, associated session data, and any tester profile created during registration.
11.4 Soft-Deleted Content
When you delete a report or finding through the application, it is soft-deleted (a deleted_at timestamp is set). Soft-deleted content is immediately excluded from all application queries and is no longer visible or accessible to you. Soft-deleted records will be permanently hard-deleted within 30 days by a scheduled cleanup process, including all associated files stored in ImageKit.
11.5 Security Token Retention
- Account activation tokens: deleted upon successful activation or when the unverified account is cleaned up (24 hours)
- Password reset tokens: expire after 1 hour and are deleted upon use or expiration
- Email change tokens: deleted upon successful confirmation or expiration
- Rate limiting data in Redis: automatically expires based on configured TTL (typically seconds to minutes)
- Brute force counters in Redis: automatically expire based on configured TTL
11.6 Billing Data Retention
Polar customer IDs, subscription IDs, and webhook event records are retained for as long as required for billing reconciliation, dispute resolution, and legal compliance. These records may be retained after account deletion to the extent required by tax and financial regulations.
11.7 Error Tracking Data Retention
Error reports sent to Sentry are retained according to Sentry's data retention policies (typically 90 days). We do not have direct control over Sentry's retention periods, but Sentry provides tools to delete specific user data upon request.
11.8 Blob Storage Cleanup
Orphaned files in ImageKit storage (files that are no longer referenced by any active record in the database) are periodically identified and deleted by a scheduled cleanup process. When a report PDF is regenerated, the previous PDF is deleted before the new one is stored.
12. Data Security
We implement the following technical and organizational measures to protect your data:
12.1 Encryption
- All data in transit is encrypted using TLS (HTTPS). Unencrypted HTTP connections are automatically redirected to HTTPS.
- Database data is encrypted at rest (Neon Postgres encryption at rest).
- Session cookies are set with the Secure flag in production, ensuring they are only transmitted over HTTPS.
12.2 Password Security
- Passwords are hashed using Argon2id, the algorithm recommended by OWASP for password storage.
- We never store, log, or transmit plain text passwords.
- Password strength is enforced server-side (minimum 8 characters, must include uppercase letter, number, and special character).
- Google OAuth users do not have passwords stored in our system.
12.3 Session Security
- Sessions are stored in the database (not in JWT tokens), allowing instant revocation.
- You can invalidate all active sessions from your account settings.
- Suspended accounts have their sessions immediately invalidated.
- Session cookies use the HttpOnly (not accessible to JavaScript), Secure (HTTPS only), and SameSite=Lax flags.
12.4 Token Security
- All security tokens (activation, password reset, email change) are generated using cryptographically secure random bytes (32 bytes).
- Only SHA-256 hashes of tokens are stored in the database. The raw token is sent to the user's email and is never stored by PenReport.
- Tokens are single-use and expire after a defined period.
12.5 Abuse Prevention
- Rate limiting is applied to registration, login, password reset, AI enhancement, and other sensitive endpoints.
- Progressive delays are applied after consecutive failed login attempts (brute force protection). We never lock accounts — only slow down attempts.
- Registration with disposable or temporary email addresses is blocked.
- Login error messages never reveal whether an email address exists in the system.
- Webhook payloads from Polar are cryptographically verified before processing.
12.6 Access Controls
- Every API route authenticates the user as the first operation.
- Every API route that accesses user data verifies resource ownership (you can only access your own reports, findings, and templates).
- Route protection is enforced at the proxy layer (proxy.ts), not in individual page components, ensuring consistent enforcement.
- The admin panel is protected by a separate secret key header and is not accessible to regular users.
12.7 Input Sanitization
- All user input is validated against Zod schemas before processing.
- All user content is sanitized (HTML tags stripped, special characters escaped) before being rendered in PDF templates to prevent injection attacks.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR (where applicable).
- Notify affected users without undue delay via email if the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the GDPR (where applicable).
- Provide details about the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.
For users in California, we will comply with the notification requirements of the California Consumer Privacy Act (CCPA) and California Civil Code Section 1798.82.
14. Your Rights
14.1 Rights Under the GDPR (EEA, UK, Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights:
- Right of access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and to access that data. You can view all your data through the application interface (account settings, reports, profile).
- Right to rectification (Art. 16): You have the right to correct inaccurate personal data. You can update your profile, email address, and report content directly through the application.
- Right to erasure (Art. 17): You have the right to request deletion of your personal data. You can delete your account and all associated data from Settings > Account. You can also delete individual reports and findings.
- Right to restriction of processing (Art. 18): You have the right to request restriction of processing in certain circumstances (e.g., while we verify the accuracy of your data following a contestation).
- Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format. You can export a complete JSON archive of all your data (profile, reports, findings, templates, branding configuration, and account metadata) from Settings > Account. You can also export individual reports as PDF or DOCX files.
- Right to object (Art. 21): You have the right to object to processing based on legitimate interests. If you object, we will cease processing unless we have compelling legitimate grounds.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent (e.g., AI finding enhancement), you can withdraw consent at any time by simply not using the feature. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your personal data violates the GDPR.
14.2 Rights Under the CCPA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: You have the right to know what personal information we collect, use, disclose, and sell (we do not sell personal information). This Privacy Policy serves as our disclosure.
- Right to delete: You have the right to request deletion of your personal information. Use the account deletion feature in Settings > Account or contact us.
- Right to correct: You have the right to request correction of inaccurate personal information held about you.
- Right to opt out of sale or sharing: We do not sell or share your personal information for cross-context behavioral advertising. There is no sale or sharing to opt out of.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
Categories of personal information collected (as defined by the CCPA): Identifiers (email address, name, IP address), Internet or electronic network activity information (error logs, usage metadata), Professional information (certifications, company name), and content you create (reports, findings).
We do not sell personal information. We have not sold personal information in the preceding 12 months. We do not have actual knowledge that we sell the personal information of consumers under 16 years of age.
14.3 Exercising Your Rights
To exercise any of the rights described above, you can:
- Use the self-service features in the application (Settings > Account for account deletion and full data export, Settings > Profile for data correction, report management for content deletion)
- Email us at [email protected] with your request
We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA). If we need additional time, we will inform you of the reason and extension period. We may need to verify your identity before processing your request to prevent unauthorized access to your data.
15. Account Suspension and Flagging
We may suspend your account or flag it for manual review if we detect activity that violates our Terms of Service or poses a security risk. When an account is suspended:
- All active sessions are immediately invalidated
- You will not be able to log in until the suspension is reviewed and lifted
- Your data is retained during the suspension period and is not deleted
- If you have an active subscription, it remains active during suspension (we do not automatically cancel subscriptions upon suspension)
Accounts may also be flagged (rather than suspended) for manual review. Flagging does not affect your ability to use the Service but allows our team to investigate potential issues. For example, if a Polar API call fails during account deletion, the account is flagged so that our team can reconcile the subscription manually.
16. Disposable Email Blocking
To prevent abuse and ensure the integrity of our user base, we block registration with disposable or temporary email addresses (e.g., services that provide throwaway email addresses). If your email domain is incorrectly identified as disposable, please contact us at [email protected] and we will review and resolve the issue.
17. Payment Data Handling
All payment processing is handled by Polar, which acts as the Merchant of Record. This means:
- Credit card details are collected, processed, and stored entirely by Polar. PenReport never receives, processes, or stores your credit card number, CVV, or billing address.
- Checkout sessions are created server-side. You are redirected to Polar's hosted checkout page to enter payment details.
- Subscription management (upgrades, cancellations, payment method updates) occurs through Polar's customer portal, which we link to from our billing settings page.
- Webhook events from Polar (subscription created, cancelled, resumed, expired, payment failed, payment recovered) are received, verified by validating the cryptographic signature on each delivery, and then processed to update your plan status in our database. Each webhook event is deduplicated so that a redelivered event is not processed twice.
- Refund policy: Refund requests are handled by Polar in accordance with their refund policy. When you cancel your subscription, you retain access to Pro features until the end of your current billing period.
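The verification and deduplication steps described above, shown as an added example that is not PenReport's or Polar's own code. It assumes the Standard Webhooks header layout (webhook-id, webhook-timestamp, webhook-signature, HMAC-SHA256 over "id.timestamp.body" with a "whsec_"-prefixed base64 secret); the secret, the event type names, and the plan mapping are constructed for illustration and are not Polar's documented schema.

```python
import base64
import hashlib
import hmac
import json
import time

# Illustrative secret only (constructed). A real secret is issued in the
# provider dashboard and loaded from configuration, never hard-coded.
DEMO_SECRET = "whsec_" + base64.b64encode(b"constructed-demo-key-not-a-real-one").decode()
TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is outside a 5-minute window


def _key(secret):
    return base64.b64decode(secret.removeprefix("whsec_"))


def sign(msg_id, timestamp, body, secret=DEMO_SECRET):
    """Sender-side signature over "<id>.<timestamp>.<raw body>" (Standard Webhooks
    convention, assumed). Used here to build test input; verify() recomputes it."""
    mac = hmac.new(_key(secret), f"{msg_id}.{timestamp}.".encode() + body, hashlib.sha256)
    return "v1," + base64.b64encode(mac.digest()).decode()


def verify(headers, body, secret=DEMO_SECRET, now=None):
    """Receiver-side check: fresh timestamp plus a matching HMAC, compared in constant
    time. `body` must be the raw request bytes; re-serialising parsed JSON changes the MAC."""
    now = int(time.time()) if now is None else now
    try:
        msg_id = headers["webhook-id"]
        ts = int(headers["webhook-timestamp"])
        sig_header = headers["webhook-signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: a captured delivery being replayed
    expected = sign(msg_id, ts, body, secret).encode()
    # The header may carry several space-separated "v1,<b64>" values during key rotation.
    return any(hmac.compare_digest(expected, cand.encode()) for cand in sig_header.split())


# Constructed event names and plan mapping for illustration; not Polar's schema.
PLAN_TRANSITIONS = {
    "subscription.created": "pro",
    "subscription.resumed": "pro",
    "payment.recovered": "pro",
    "subscription.cancelled": "pro_until_period_end",  # access kept to end of billing period
    "payment.failed": "past_due",
    "subscription.expired": "free",
}


class WebhookProcessor:
    """Verify, deduplicate by message id, then apply the plan transition."""

    def __init__(self, secret=DEMO_SECRET):
        self.secret = secret
        self.seen_ids = set()  # production: UNIQUE index on a processed_events table
        self.plans = {}        # customer id -> current plan status

    def handle(self, headers, body, now=None):
        if not verify(headers, body, self.secret, now):
            return "rejected"      # never parse or act on an unauthenticated body
        msg_id = headers["webhook-id"]
        if msg_id in self.seen_ids:
            return "duplicate"     # provider retry already applied; ack without re-running
        event = json.loads(body)
        new_plan = PLAN_TRANSITIONS.get(event.get("type"))
        if new_plan is None:
            return "ignored"       # unknown type: ack so the provider stops retrying
        self.plans[event["customer_id"]] = new_plan
        self.seen_ids.add(msg_id)  # production: same DB transaction as the plan update
        return "processed"


def make_request(msg_id, event, timestamp, secret=DEMO_SECRET):
    """Constructed sender-side delivery (headers, raw body) for offline demonstration."""
    body = json.dumps(event, separators=(",", ":")).encode()
    headers = {
        "webhook-id": msg_id,
        "webhook-timestamp": str(timestamp),
        "webhook-signature": sign(msg_id, timestamp, body, secret),
    }
    return headers, body


if __name__ == "__main__":
    proc = WebhookProcessor()
    now = 1_700_000_000
    h, b = make_request("msg_1", {"type": "subscription.created", "customer_id": "cus_1"}, now)
    print(proc.handle(h, b, now))         # processed
    print(proc.handle(h, b, now))         # duplicate: same delivery retried
    print(proc.handle(h, b + b" ", now))  # rejected: body altered, MAC no longer matches
    print(proc.handle(h, b, now + 3600))  # rejected: timestamp outside the replay window
```

Two design points worth noting: the signature is checked before the body is parsed, so a forged or tampered delivery never reaches the JSON decoder or the database, and the replay window is enforced in addition to the MAC, because an attacker who captured a genuine delivery could otherwise resend it indefinitely. In production the "seen" check and the plan update belong in one database transaction, with a unique constraint on the message id, so that two concurrent retries cannot both slip past the in-memory check.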
18. Children's Privacy
PenReport is designed for professional use by penetration testers and security professionals. The Service is not intended for, directed at, or designed to attract individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18.
If we become aware that we have collected personal information from a person under 18, we will take steps to delete that information as quickly as possible. If you believe that a child under 18 has provided us with personal information, please contact us at [email protected].
19. “Do Not Track” Signals
Some browsers transmit a “Do Not Track” (DNT) signal with HTTP requests. Because PenReport does not engage in cross-site tracking, advertising tracking, or any form of behavioral tracking, the DNT signal does not change how we process your data. We already provide the privacy protections that DNT is designed to achieve.
20. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the Service itself. When we make changes:
- Material changes (e.g., new categories of data collected, new third-party processors, changes to data retention periods) will be communicated to you via email at the address associated with your account at least 30 days before they take effect.
- Minor changes (e.g., clarifications, formatting, typographical corrections) may be made without notice.
- The “Last updated” date at the top of this page will always reflect the most recent revision date.
Continued use of the Service after the effective date of a revised Privacy Policy constitutes acceptance of the updated policy. If you do not agree with the changes, you should stop using the Service and delete your account.
21. Data Protection Officer and Contact Information
For questions, concerns, or requests related to this Privacy Policy or our data processing practices, please contact us:
- Privacy inquiries: [email protected]
- General support: [email protected]
We aim to respond to all privacy-related inquiries within 30 days. If your inquiry relates to a GDPR or CCPA rights request, see Section 14.3 for response timelines.