Privacy Policy
Last updated: January 2025
This Privacy Policy explains how Vulnotes ("we", "us", "our"), operated by Hippolyte QUERE (sole trader under French law), collects, uses, stores, and protects your personal data when you use our website at https://vulnotes.com and the Vulnotes service (together, the "Service").
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable French data protection laws.
1. Data Controller
The data controller responsible for processing your personal data is:
Hippolyte QUERE
Operating as Vulnotes (sole trader / micro-entrepreneur)
14 Square des Corsaires
35740 Pacé
France
SIREN: 833 665 292
Email: contact@vulnotes.com
2. Personal Data We Collect
We collect different types of personal data depending on how you interact with the Service:
2.1 Account and Registration Data
- Email address
- Name (if provided)
- Password (stored hashed, never in plain text)
- Organization name and role (if applicable)
2.2 Waitlist and Newsletter Data
- Email address submitted via the waitlist or newsletter subscription form
2.3 Usage and Technical Data
- IP address
- Browser type and version
- Operating system
- Pages visited, time spent on pages, referring URLs
- Device identifiers
2.4 User Content
Reports, findings, notes, screenshots, and other content you create or upload within the Service. You retain ownership of your User Content as described in our Terms of Use.
2.5 Payment Data
Payment information (credit card details, billing address) is processed directly by Stripe and is never stored on our servers. We only receive confirmation of payment status, subscription details, and a truncated card identifier for display purposes.
3. Purposes and Legal Bases for Processing
We process your personal data for the following purposes under the indicated legal bases (Article 6 GDPR):
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Service | Performance of contract (Art. 6(1)(b)) |
| Account creation and authentication | Performance of contract (Art. 6(1)(b)) |
| Processing payments and billing | Performance of contract (Art. 6(1)(b)) |
| Waitlist and newsletter communications | Consent (Art. 6(1)(a)) |
| Analytics and website improvement | Consent (Art. 6(1)(a)) via cookie banner |
| AI-powered features (content generation) | Consent / Performance of contract (Art. 6(1)(a)/(b)) |
| Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance and dispute resolution | Legal obligation (Art. 6(1)(c)) |
4. Third-Party Processors (Sub-processors)
We share personal data with the following third-party service providers, who process data on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Contabo GmbH | Infrastructure hosting | Germany (EU) |
| Stripe, Inc. | Payment processing | USA (EU SCCs) |
| Mistral AI | AI features (Vulnotes AI) | France (EU) |
| Google LLC | Analytics (Google Tag Manager) | USA (EU SCCs) |
| OpenAI / Anthropic / Other | Optional AI providers (user-configured) | Varies |
For transfers outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards under Chapter V of the GDPR.
AI features can be completely disabled in the administration interface if you do not wish your data to be processed by any AI provider.
5. Cookies and Tracking Technologies
5.1 Types of Cookies
We use the following categories of cookies:
- Strictly necessary cookies: essential for the website to function (authentication, session management). These do not require consent.
- Analytics cookies: used to understand how visitors interact with the website (Google Tag Manager / Google Analytics). These are only loaded after you give consent via our cookie banner.
5.2 Managing Cookies
When you first visit our website, a cookie banner allows you to accept or decline analytics cookies. You can change your preference at any time by clearing your browser cookies and revisiting the site.
You can also configure your browser to block or delete cookies. Note that blocking strictly necessary cookies may affect the functionality of the Service.
6. Data Retention
We retain your personal data only as long as necessary:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of active account + 30 days after deletion |
| User Content (reports, findings) | Duration of active account + 30 days after deletion |
| Waitlist / newsletter emails | Until unsubscribe request or 3 years of inactivity |
| Payment and billing records | 10 years (French tax obligations) |
| Analytics data | 26 months (Google Analytics default) |
| Security and audit logs | 12 months |
After the applicable retention period, data is permanently deleted or anonymized so that it can no longer identify you.
7. Your Rights Under GDPR
Under the GDPR and applicable French law, you have the following rights regarding your personal data:
- Right of access (Art. 15): obtain confirmation of whether we process your data and request a copy of it.
- Right to rectification (Art. 16): request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction (Art. 18): request that we limit the processing of your data in certain circumstances.
- Right to data portability (Art. 20): receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to object (Art. 21): object to processing based on legitimate interests, including profiling.
- Right to withdraw consent (Art. 7(3)): withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing carried out before withdrawal.
How to Exercise Your Rights
To exercise any of these rights, contact us at contact@vulnotes.com. We will respond within 30 days of receiving your request. We may ask you to verify your identity before processing.
If you believe that we have not adequately addressed your request, you have the right to lodge a complaint with the French Data Protection Authority (CNIL) at www.cnil.fr.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS)
- Encrypted exports (AES-256) for secure report delivery
- Hashed passwords using industry-standard algorithms
- Role-based access control and granular permissions
- Two-factor authentication (2FA) support
- Regular security updates and vulnerability monitoring
Despite these measures, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it through our responsible disclosure policy.
9. International Data Transfers
Our primary infrastructure is hosted in the European Union (Contabo, Germany). Some of our sub-processors (Stripe, Google) are based in the United States.
For transfers of personal data outside the EU/EEA, we ensure adequate protection through:
- EU Standard Contractual Clauses (SCCs)
- EU-US Data Privacy Framework, where applicable
- Adequacy decisions by the European Commission, where available
10. AI Features and Data Processing
Vulnotes offers AI-powered features that may process portions of your User Content (e.g., findings, screenshots, report sections). When using AI features:
- Vulnotes AI (powered by Mistral AI, France) is included by default. You can also configure third-party providers (OpenAI, Anthropic, Google Gemini, or any OpenAI API-compatible provider including local models).
- An automatic anonymization feature is available to strip sensitive data before it is sent to the AI provider.
- AI features can be completely disabled from the administration panel.
- Data sent to AI providers is used solely for generating responses and is not used for model training by Vulnotes.
For details on how each AI provider handles data, please refer to their respective privacy policies.
11. Self-Hosted Deployments
If you use the Self-Hosted Version of Vulnotes, you are the data controller for all personal data stored and processed within your own infrastructure.
Vulnotes does not access, store, or process User Content on self-hosted instances, except:
- License validation (limited to license key verification)
- Update checks (no user data transmitted)
- AI features, if enabled and configured to use cloud providers
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the CNIL within 72 hours of becoming aware of the breach (Art. 33 GDPR)
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR)
- Document the breach, its effects, and remedial actions taken
13. Children's Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us so we can delete it promptly.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or legal requirements.
- Significant changes will be communicated via email or in-app notification.
- The updated policy will be posted on this page with a revised "Last updated" date.
We encourage you to review this page periodically to stay informed about how we protect your data.
15. Contact
For any questions about this Privacy Policy, your personal data, or to exercise your rights, contact us:
Vulnotes / Hippolyte QUERE
Email: contact@vulnotes.com
You may also lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) at www.cnil.fr.