Privacy Policy

1Information We Collect

1.1 Information You Provide Directly

We collect information that you voluntarily provide when you create an account or register on the platform, complete forms, surveys, or sign up for our newsletter, contact us for customer support or inquiries, purchase or subscribe to our Services, or respond to communications from us. This information may include:

• Full name and job title
• Business email address and phone number
• Company name, size, and industry
• Billing and payment information (processed securely via third-party payment processors)
• Account credentials (username and encrypted password)
• Profile information and preferences

1.2 Information Collected Automatically

When you access our Services, we automatically collect certain technical information, including IP address, browser type, and operating system; device identifiers and hardware information; pages visited, time spent on pages, and navigation paths; referring URLs and search queries; log files, error reports, and crash data; date and time of access; and cookies, pixel tags, and similar tracking technologies (see Section 7).

1.3 Platform Usage Data

Given the nature of our AI autonomous penetration testing platform, we may collect target scope configurations and scan parameters you define, pentest job submissions, results, and report data, AI model interaction logs and prompt history, security findings, vulnerability data, and remediation notes, API keys and integration configurations (stored in encrypted form), and dashboard activity and feature usage patterns.

Important: Any target systems, IP ranges, domains, or credentials you submit to the platform for testing purposes are processed solely to deliver our Services and are never used for any other purpose.

1.4 Information from Third Parties

We may receive information about you from third-party sources, such as identity verification providers, marketing and analytics partners, Single Sign-On (SSO) providers (e.g., Google, Microsoft, Okta), and payment processors and billing services.

2How We Use Your Information

2.1 Providing and Improving Our Services

To create and manage your account; to execute AI-driven penetration tests and deliver results; to generate security reports and provide remediation guidance; to process transactions and manage subscriptions; to improve, personalize, and optimize our platform; to develop new features and capabilities; and to train and improve our AI models (using anonymized, aggregated data only).

2.2 Communications

To send transactional emails (account confirmations, scan completions, alerts); to respond to support requests and inquiries; to send service updates, security advisories, and policy changes; and to send marketing communications (with your consent, where required).

2.3 Security and Compliance

To detect, prevent, and investigate fraud, abuse, or security incidents; to verify user identity and authorization; to enforce our Terms of Service and acceptable use policies; to comply with applicable laws and regulations; and to respond to legal requests, court orders, and governmental inquiries.

2.4 Analytics and Research

To analyze platform usage trends and user behavior (in aggregated, de-identified form); to measure the effectiveness of our Services and marketing campaigns; and to conduct internal research and development.

3Legal Basis for Processing (GDPR & Applicable Law)

If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data protection laws, we process your personal data under the following legal bases:

• Contract Performance: Processing necessary to fulfill our contractual obligations to you, including providing the platform and delivering pentest reports.
• Legitimate Interests: Processing for our legitimate business interests, such as improving our Services, ensuring security, and preventing fraud, where your rights and interests do not override those interests.
• Legal Obligation: Processing required to comply with applicable laws, regulations, or legal processes.
• Consent: Processing based on your freely given, specific, and informed consent, such as for marketing communications. You may withdraw consent at any time.

4Disclosure of Your Information

We do not sell, trade, or rent your personal information to third parties. We may share your information in the following limited circumstances:

4.1 Service Providers

We engage trusted third-party vendors and service providers who assist us in operating our Services. These parties are contractually obligated to protect your information and may only use it to provide services on our behalf. This includes cloud infrastructure and hosting providers, payment processors and billing platforms, email delivery and communication services, analytics and monitoring tools, customer support platforms, and identity and authentication services.

4.2 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity. We will notify you via email or prominent notice on our website prior to any such transfer and any changes to this Privacy Policy.

4.3 Legal Requirements

We may disclose your information if we believe in good faith that disclosure is necessary to comply with applicable law, regulation, or legal process; enforce our Terms of Service or protect our legal rights; protect the rights, property, or safety of our users, employees, or the public; or investigate or prevent fraud, security incidents, or illegal activity.

4.4 With Your Consent

We may share your information with third parties when you have expressly consented to such sharing, including for integration with third-party tools or for co-marketing activities.

4.5 Aggregated or De-Identified Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for research, analytics, industry benchmarking, or marketing purposes.

5Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Retention periods are determined based on the following criteria:

• Account Data: Retained for the duration of your active account plus a period of 3 years following termination or closure.
• Pentest Results and Reports: Retained for the duration of your subscription plus 1 year, unless you request earlier deletion or extended retention under an enterprise agreement.
• Transaction Records: Retained for 7 years to comply with financial and tax regulations.
• Log and Security Data: Retained for up to 12 months for security monitoring and incident response purposes.
• Marketing Data: Retained until you opt out or withdraw consent.

When information is no longer needed, we securely delete or anonymize it in accordance with our data destruction standards.

6Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website and platform. These help us operate our Services, understand usage patterns, and improve your experience.

6.1 Types of Cookies We Use

• Essential Cookies: Necessary for the basic operation of our Services, such as session authentication, security tokens, and user preferences. These cannot be disabled.
• Performance & Analytics Cookies: Collect anonymized data about how visitors use our site to help us improve functionality and performance.
• Functional Cookies: Remember your preferences and settings to personalize your experience.
• Marketing Cookies: Used to deliver relevant advertisements and measure campaign effectiveness (only with your consent).

6.2 Managing Cookies

You can control and manage cookies through your browser settings. Disabling certain cookies may affect the functionality of our Services. We also honor browser-based "Do Not Track" (DNT) signals where applicable.

7Data Security

The security of your data is of paramount importance to us, especially given the sensitive nature of cybersecurity information processed by our platform. We implement a comprehensive set of technical and organizational security measures, including:

• Encryption of data in transit using TLS 1.2+ and at rest using AES-256
• Role-based access control (RBAC) and least-privilege access policies
• Multi-factor authentication (MFA) enforced on the platform
• Regular vulnerability assessments and penetration testing of our own infrastructure
• SOC 2-aligned security controls and audit logging
• Secure software development lifecycle (SDLC) practices
• Employee security training and background checks
• Incident response and breach notification procedures

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you use our Services at your own risk. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.

8Your Privacy Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

• Right to Access: Request a copy of the personal information we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete personal information.
• Right to Erasure: Request deletion of your personal information ("right to be forgotten"), subject to certain legal exceptions.
• Right to Restrict Processing: Request that we limit the processing of your personal information in certain circumstances.
• Right to Data Portability: Receive your personal information in a structured, machine-readable format for transfer to another service.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Withdraw previously given consent at any time, without affecting the lawfulness of prior processing.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, please contact us at privacy@10xpentest.com. We will respond to verified requests within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

9California and U.S. State Privacy Rights

9.1 California Residents (CCPA / CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information (with certain exceptions)
• Right to opt-out of the sale or sharing of personal information
• Right to limit use and disclosure of sensitive personal information
• Right to non-discrimination for exercising your rights

We do not sell personal information as defined under the CCPA/CPRA. To submit a verifiable consumer request, contact us at privacy@10xpentest.com.

9.2 Other U.S. State Residents

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with applicable privacy laws may have similar rights. Please contact us to exercise your state-specific rights.

10Children's Privacy

Our Services are intended for business and professional use by individuals 18 years of age or older. We do not knowingly collect, use, or disclose personal information from children under the age of 13 (or the applicable age of digital consent in your jurisdiction). If we learn that we have inadvertently collected personal information from a child under the applicable age threshold, we will take prompt steps to delete that information. If you believe we may have collected information from a minor, please contact us immediately at privacy@10xpentest.com.

11International Data Transfers

10x Pentest AI, Inc. is based in the United States. If you access our Services from outside the United States, your personal information may be transferred to, stored, and processed in the United States or other countries where we or our service providers operate. Where applicable, we ensure that international data transfers are subject to appropriate safeguards, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with our service providers
• Adequacy decisions or other approved transfer mechanisms under GDPR

By using our Services, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection rules than those in your country.

12Third-Party Websites and Integrations

Our Services may contain links to third-party websites, tools, or services that are not operated by us. We have no control over, and assume no responsibility for, the privacy practices or content of such third parties. Our platform may also integrate with third-party security tools, SIEM platforms, ticketing systems, or APIs. When you connect third-party services, their respective privacy policies govern the data shared with them. We encourage you to review the privacy policies of any third-party services you connect.

13Artificial Intelligence and Automated Processing

Our platform uses AI and machine learning technologies to perform autonomous penetration testing, analyze security vulnerabilities, and generate reports. This involves:

• Automated scanning of target environments you authorize and configure
• AI-driven analysis and classification of security findings
• Natural language generation for security report content
• Pattern recognition and anomaly detection across scan data

We do not make automated decisions about individuals that produce significant legal effects without human oversight. Pentest results and security findings are presented as professional tools to assist your security team and are not determinative of legal or individual rights. Where required by law, you have the right to obtain human review of any automated decisions, to express your point of view, and to contest the decision.

14Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Post the updated Privacy Policy on this page with a revised "Last Updated" date
• Notify registered users via email at least 14 days before the changes take effect
• Display a prominent banner on our website and platform dashboard

Your continued use of our Services after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the changes, you must discontinue use of our Services and request account deletion.

15Contact Information