Privacy

Privacy Policy

Last updated: May 25, 2026

HyprVuln Labs ("we", "us", "our") is committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our website and security audit and bug hunting services, in compliance with the General Data Protection Regulation (GDPR - EU Regulation 2016/679) and applicable French data protection laws.

1. Data Controller

Data controller: HyprVuln Labs

Location: France

Contact: contact@hyprvuln.xyz

2. Data We Collect

We collect and process the following categories of personal data:

Data category	Purpose	Legal basis
Client identity (name, email, workspace, approved communication handles)	Service delivery, account access, communication	Contract performance
Program scope (assets, repositories, test accounts, exclusions)	Operating the security audit service	Contract performance
Source code (cloned temporarily)	Authorized testing and triage	Contract performance
Payment information	Processing transactions via Stripe	Contract performance
Technical data (IP address, browser type)	Website functionality and security	Legitimate interest

We do not collect data beyond what is strictly necessary for providing our services.

3. How We Use Your Data

Your personal data is used exclusively to:

Deliver the security audit and bug hunting services you request
Communicate findings, triage notes, monitoring alerts, and reports
Process payments through our payment provider (Stripe)
Ensure the security and proper functioning of our website
Comply with legal obligations

4. Source Code and Program Handling

Source code is our most sensitive material. We follow strict protocols:

Code is cloned into an isolated, ephemeral environment dedicated to authorized testing or triage
Temporary source code copies are deleted when no longer required for the program or report workflow
Code is encrypted at rest (AES-256) and in transit (TLS 1.3)
We do not use your code to train models or for any purpose beyond the audit
We do not share your code with any third party
A mutual NDA is available upon request

5. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with:

Stripe — for payment processing (see Stripe's privacy policy)
Approved communication platforms such as Slack or Discord when configured by the client
OVH — for website hosting in France (see OVH's privacy policy)

All processors are bound by data processing agreements compliant with the GDPR.

6. Data Retention

Temporary source code copies: Deleted when no longer required for authorized testing or triage
Program reports: Retained for the duration of your subscription, then deleted within 30 days of cancellation unless a longer legal retention period applies
Payment records: Retained as required by French tax and accounting regulations (up to 10 years)
External communication messages: Subject to the configured platform's own retention policies

You may request deletion of all your data at any time by contacting us at contact@hyprvuln.xyz or via Discord.

7. Your Rights (GDPR)

Under the GDPR, you have the following rights:

Right of access — Obtain a copy of all personal data we hold about you
Right to rectification — Request correction of inaccurate data
Right to erasure — Request deletion of your personal data
Right to restriction — Request limitation of processing
Right to data portability — Receive your data in a structured, machine-readable format
Right to object — Object to processing based on legitimate interest
Right to withdraw consent — Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at contact@hyprvuln.xyz. We will respond within 30 days.

You also have the right to lodge a complaint with the French data protection authority: CNIL (Commission Nationale de l'Informatique et des Libertes) — www.cnil.fr.

8. International Transfers

Some of our processors (Stripe, Discord, GitHub) are based in the United States. These transfers are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions where applicable.

9. Security Measures

We implement industry-standard security measures to protect your data:

AES-256 encryption at rest
TLS 1.3 encryption in transit
Isolated, ephemeral environments for code analysis and report reproduction
Access restricted to authorized HyprVuln operators and vetted researchers as required by the approved program scope
No persistent storage of source code beyond the approved program workflow

10. Cookies

For information about how we use cookies, please see our Cookie Policy.

11. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date. We encourage you to review this policy periodically.