HackerSec Inovação em Cibersegurança Ltda., a Brazilian limited liability company, registered under CNPJ No. 34.960.944/0001-22, with its principal office at Avenida Ipanema, 165, Alphaville, Barueri, State of São Paulo, ZIP Code 06472-002, Brazil ("HackerSec", "we", "us", or "our"), is the data controller for the personal data processed through the HAS — HackerSec Advanced Security platform ("Platform").
This Privacy Policy describes how we collect, use, share, and protect your personal data when you use the Platform, our website, or interact with us in any way. By accessing or using our services, you confirm that you have read and understood this Policy.
HackerSec is committed to processing personal data in a transparent, adequate, and purpose-limited manner, in compliance with the Brazilian General Data Protection Law (Law No. 13,709/2018 — LGPD), the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection legislation.
We collect the following personal data when you register, use the Platform, or contact us:
When you access the Platform, we automatically collect:
During the provision of security testing services, the following data may be generated:
Important: Incidental third-party data found during tests is treated with the highest confidentiality, used exclusively for vulnerability report documentation purposes, and deleted after test completion, unless legally required to be retained.
We process your personal data for the following purposes, with the respective legal bases under the LGPD:
| Purpose | Legal Basis (LGPD Art. 7) |
|---|---|
| Account creation and management on the Platform | Performance of contract (Art. 7, V) |
| Provision of security testing services | Performance of contract (Art. 7, V) |
| Payment processing and billing | Performance of contract (Art. 7, V) |
| Service communications (notifications, alerts, support) | Performance of contract (Art. 7, V) |
| Marketing and commercial communications | Consent (Art. 7, I) or Legitimate interest (Art. 7, IX) |
| Platform improvement and new feature development | Legitimate interest (Art. 7, IX) |
| Fraud prevention and Platform security | Legitimate interest (Art. 7, IX) |
| Compliance with legal and regulatory obligations | Legal obligation (Art. 7, II) |
| Exercise of rights in judicial, administrative, or arbitration proceedings | Regular exercise of rights (Art. 7, VI) |
| Credit protection | Credit protection (Art. 7, X) |
When processing is based on consent, you may withdraw it at any time, without prejudice to the lawfulness of processing carried out prior to the withdrawal. Withdrawal can be requested through the contact channels indicated in Section 17.
HackerSec may share your personal data with the following categories of recipients, always under appropriate confidentiality and data protection obligations:
The sub-processor categorization above covers the processing purposes. The specific nominal list is available on a dedicated page and may be obtained in detailed form upon execution of an NDA. Additional information may be requested through the channels listed in Section 17.
Pentesters who conduct security tests receive access limited to the test data that is strictly necessary (scope, URLs, test credentials). All pentesters are subject to confidentiality and non-disclosure obligations equivalent to those of HackerSec.
We may share personal data when required by law, court order, administrative decision, or when necessary to:
In the event of a merger, acquisition, corporate reorganization, or asset sale, personal data may be transferred to the acquirer or successor, who will be subject to the same obligations of this Privacy Policy.
We do not sell, rent, or trade your personal data with third parties for advertising purposes.
Due to the nature of the services provided and the technological infrastructure used, your personal data may be transferred to and processed in countries other than your country of residence, including, but not limited to, the United States of America and Brazil.
When international data transfers occur, HackerSec ensures that appropriate safeguards are adopted, including:
Sub-processors that receive personal data in international transfers are indicated in Section 4.1 above, with additional details available upon request.
HackerSec retains personal data for the period necessary to fulfill the purposes described in this Policy, observing the following criteria:
| Data Category | Retention Period |
|---|---|
| Account and user profile data | While the account is active, plus the applicable legal period after closure |
| Test reports and evidence (including POCs) | Up to 7 years after test completion |
| Operational and audit logs | Up to 5 years |
| Communications and support tickets | Up to 5 years after resolution |
| Financial and tax data | Minimum 5 years, per Brazilian Tax Code (Art. 174) |
| Marketing data (consent-based) | Until withdrawal of consent by the data subject |
The periods indicated above represent the maximum retention. Upon Client request or exercise of data subject rights (Art. 18 LGPD), data may be deleted before the period elapses, unless retention is required by law (notably for defense in judicial, administrative or arbitration proceedings, per Art. 16 of the LGPD).
After the expiration of the retention period, personal data will be securely deleted or irreversibly anonymized, unless additional retention is required or authorized by law.
You have the following rights regarding your personal data, as guaranteed by the LGPD and other applicable legislation:
To exercise any of these rights, contact us through the channels indicated in Section 17. We will respond to requests without undue delay, within the timeframes established by applicable law.
HackerSec may request additional information to verify the identity of the requester before processing the request, as a security measure for the protection of personal data.
Cookies are small text files stored on your device when you access the Platform. They help us provide a better and more personalized experience.
| Type | Purpose | Duration |
|---|---|---|
| Essential | Platform functionality, authentication, session security, language preference | Session / up to 1 year |
| Functional | User preferences, theme settings, navigation state | Up to 1 year |
| Analytics | Usage analysis, performance metrics, error detection | Up to 2 years |
You can manage your cookie preferences directly in your browser settings. Disabling essential cookies may affect the proper functioning of the Platform. We do not use third-party advertising cookies.
HackerSec implements appropriate technical and organizational measures to protect your personal data against unauthorized access, destruction, loss, alteration, disclosure, or any form of inadequate or unlawful processing, including:
No system is 100% secure. Despite employing commercially reasonable efforts to protect your data, we cannot guarantee absolute security against all possible threats. In the event of an incident, we will follow the procedure described in Section 10.
In the event of a security incident that may pose a relevant risk to personal data subjects, HackerSec will:
Incident notifications will include, at a minimum: the nature of the personal data affected, information about the data subjects involved, technical and security measures adopted, related risks, and measures that have been or will be adopted to reverse or mitigate the effects of the incident.
This section establishes the terms under which HackerSec processes personal data on behalf of Clients in the performance of security testing services, functioning as an integrated Data Processing Agreement (DPA).
HackerSec will process the Client's personal data exclusively:
If HackerSec considers that a Client's instruction violates applicable data protection legislation, it will inform the Client without undue delay.
The Client authorizes HackerSec to use sub-processors for the provision of services, provided that:
HackerSec will implement the technical and organizational measures described in Section 9 to protect personal data processed on behalf of the Client. Such measures will be continuously reviewed and updated according to the state of the art and the risks involved.
HackerSec will demonstrate compliance with its data protection obligations through:
Upon termination of service provision, HackerSec will:
For users located in Brazil, the following additional rights and provisions apply in accordance with Law No. 13,709/2018 (LGPD):
ANPD — Brazilian National Data Protection Authority
Website: www.gov.br/anpd
For users located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional rights and provisions apply in accordance with the GDPR:
For residents of California and other US states with privacy legislation, the following rights apply:
To exercise these rights, use the contact channels indicated in Section 17 or send your request to the email provided in that section.
The Platform and HackerSec's services are intended exclusively for individuals over 18 years of age and representatives of organizations. We do not intentionally collect personal data from individuals under 18 years of age.
If we become aware that we have inadvertently collected personal data from minors under 18 years of age, we will take reasonable steps to delete such data as soon as possible. If you are aware that a minor has provided personal data to HackerSec, please contact us immediately through the channels indicated in Section 17.
HackerSec may update this Privacy Policy periodically to reflect changes in our practices, in the services offered, or in applicable legislation. When we make material changes:
We recommend that you review this Policy periodically. Continued use of the Platform after the publication of changes constitutes your acceptance of the updated Policy.
For questions related to this Privacy Policy, to exercise your rights as a data subject, or to contact our Data Protection Officer (DPO), please use the following channels:
HackerSec Inovação em Cibersegurança Ltda.
Data Protection Officer (DPO): [email protected]
General contact: [email protected]
Website: hackersec.com/contato
Address: Avenida Ipanema, 165, Alphaville, Barueri, SP, 06472-002, Brazil
We will respond to requests without undue delay, within the timeframes established by applicable law.