Contents

  1. Data Controller
  2. Data Collected
  3. Purposes & Legal Basis
  4. Data Sharing
  5. International Transfer
  6. Data Retention
  7. Data Subject Rights
  8. Cookies
  9. Information Security
  10. Security Incidents
  11. Data Processing (DPA)
  12. Brazil — LGPD
  13. EU — GDPR
  14. US — CCPA/CPRA
  15. Minors
  16. Changes
  17. Contact & DPO

Privacy Policy

Last updated: May 3, 2026 · Version: 1.1
Changes in this version: Data Retention Policy (Section 6) updated with specific retention periods per data category.

1. Data Controller

HackerSec Inovação em Cibersegurança Ltda., a Brazilian limited liability company, registered under CNPJ No. 34.960.944/0001-22, with its principal office at Avenida Ipanema, 165, Alphaville, Barueri, State of São Paulo, ZIP Code 06472-002, Brazil ("HackerSec", "we", "us", or "our"), is the data controller for the personal data processed through the HAS — HackerSec Advanced Security platform ("Platform").

This Privacy Policy describes how we collect, use, share, and protect your personal data when you use the Platform, our website, or interact with us in any way. By accessing or using our services, you confirm that you have read and understood this Policy.

HackerSec is committed to processing personal data in a transparent, adequate, and purpose-limited manner, in compliance with the Brazilian General Data Protection Law (Law No. 13,709/2018 — LGPD), the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection legislation.

2. Data Collected

2.1. Data Provided by the User

We collect the following personal data when you register, use the Platform, or contact us:

  • Identification data: full name, corporate email address, phone number/WhatsApp
  • Organization data: legal entity name, CNPJ/EIN/VAT ID, business address, industry sector
  • Account data: username, password (stored as cryptographic hash), language preference, timezone
  • Payment data: processed directly by a third-party payment processor compliant with the PCI-DSS standard. We do not store credit card numbers, bank account details, or PIX keys on our servers
  • Test data: URLs, IP addresses, scope descriptions, test credentials (voluntarily provided for the execution of security tests), technical documentation
  • Communications: content of messages exchanged via the Platform, emails, support tickets, and calls

2.2. Automatically Collected Data

When you access the Platform, we automatically collect:

  • Access data: IP address, browser type and version, operating system, internet service provider
  • Usage data: pages visited, features used, date and time of access, session duration, clicks and interactions
  • Device data: device identifiers, screen resolution, browser language
  • Location data: approximate location derived from IP address (we do not use precise geolocation)

2.3. Data Generated During Services

During the provision of security testing services, the following data may be generated:

  • Vulnerability reports: technical descriptions, severity classifications (CVSS), evidence, screenshots
  • Test logs: technical records of tools used, requests made, responses obtained
  • Incidental data: personal data of third parties that may be incidentally found during security tests on the Client's systems

Important: Incidental third-party data found during tests is treated with the highest confidentiality, used exclusively for vulnerability report documentation purposes, and deleted after test completion, unless legally required to be retained.

3. Purposes and Legal Basis

We process your personal data for the following purposes, with the respective legal bases under the LGPD:

Purpose and legal basis (LGPD Art. 7):

  • Account creation and management on the Platform: performance of contract (Art. 7, V)
  • Provision of security testing services: performance of contract (Art. 7, V)
  • Payment processing and billing: performance of contract (Art. 7, V)
  • Service communications (notifications, alerts, support): performance of contract (Art. 7, V)
  • Marketing and commercial communications: consent (Art. 7, I) or legitimate interest (Art. 7, IX)
  • Platform improvement and new feature development: legitimate interest (Art. 7, IX)
  • Fraud prevention and Platform security: legitimate interest (Art. 7, IX)
  • Compliance with legal and regulatory obligations: legal obligation (Art. 7, II)
  • Exercise of rights in judicial, administrative, or arbitration proceedings: regular exercise of rights (Art. 7, VI)
  • Credit protection: credit protection (Art. 7, X)

When processing is based on consent, you may withdraw it at any time, without prejudice to the lawfulness of processing carried out prior to the withdrawal. Withdrawal can be requested through the contact channels indicated in Section 17.

4. Data Sharing

HackerSec may share your personal data with the following categories of recipients, always under appropriate confidentiality and data protection obligations:

4.1. Service Providers (Processors)

  • Payment processor — financial transactions (credit card, PIX, bank slip), compliant with PCI-DSS
  • Cloud provider — infrastructure, hosting and processing
  • CDN/WAF provider — DDoS protection, content delivery and application firewall
  • Transactional email provider — delivery of notifications and communications
  • AI/LLM provider — artificial intelligence models with restricted retention controls

The categories above describe the purposes for which sub-processors are used. The list naming each sub-processor is published on a dedicated Sub-processors page; a more detailed version can be provided upon execution of an NDA. Additional information may be requested through the channels listed in Section 17.

4.2. Authorized Pentesters

Pentesters who conduct security tests receive access only to the test data strictly necessary for the engagement (scope, URLs, test credentials). All pentesters are bound by confidentiality and non-disclosure obligations equivalent to those that apply to HackerSec.

4.3. Authorities and Legal Obligations

We may share personal data when required by law, court order, administrative decision, or when necessary to:

  • Comply with legal or regulatory obligations
  • Respond to legal proceedings or requests from competent authorities
  • Protect the rights, property, or safety of HackerSec, our Clients, or the public
  • Detect, prevent, or investigate fraud, security incidents, or illegal activities

4.4. Corporate Transactions

In the event of a merger, acquisition, corporate reorganization, or asset sale, personal data may be transferred to the acquirer or successor, who will be subject to the same obligations of this Privacy Policy.

We do not sell, rent, or trade your personal data with third parties for advertising purposes.

5. International Data Transfer

Due to the nature of the services provided and the technological infrastructure used, your personal data may be transferred to and processed in countries other than your country of residence, including, but not limited to, the United States of America and Brazil.

When international data transfers occur, HackerSec ensures that appropriate safeguards are adopted, including:

  • Standard contractual clauses approved by the Brazilian National Data Protection Authority (ANPD) or the European Commission, as applicable
  • Adequacy decisions issued by competent authorities, when available
  • Recognized data protection certifications or seals
  • Supplementary technical and organizational measures to ensure effective data protection

Sub-processors that receive personal data in international transfers are indicated in Section 4.1 above, with additional details available upon request.

6. Data Retention

HackerSec retains personal data for the period necessary to fulfill the purposes described in this Policy, observing the following criteria:

Data category and retention period:

  • Account and user profile data: while the account is active, plus the applicable legal period after closure
  • Test reports and evidence (including POCs): up to 7 years after test completion
  • Operational and audit logs: up to 5 years
  • Communications and support tickets: up to 5 years after resolution
  • Financial and tax data: minimum 5 years, per the Brazilian National Tax Code (Art. 174)
  • Marketing data (consent-based): until withdrawal of consent by the data subject

The periods indicated above are the standard retention periods for each category; where a legal retention obligation applies (as for financial and tax data), the period is a minimum. Upon Client request or exercise of data subject rights (Art. 18 LGPD), data may be deleted before the period elapses, unless retention is required by law (notably for defense in judicial, administrative or arbitration proceedings, per Art. 16 of the LGPD).

After the expiration of the retention period, personal data will be securely deleted or irreversibly anonymized, unless additional retention is required or authorized by law.

7. Data Subject Rights

You have the following rights regarding your personal data, as guaranteed by the LGPD and other applicable legislation:

  • Confirmation and access: confirm the existence of processing and access your personal data
  • Correction: request correction of incomplete, inaccurate, or outdated data
  • Anonymization, blocking, or deletion: request anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data
  • Portability: request portability of data to another service provider, upon express request, under ANPD regulations. For completed tests, portability will be provided through delivery of reports in PDF format
  • Deletion: request deletion of data processed based on consent
  • Information about sharing: obtain information about public and private entities with which we share your data
  • Withdrawal of consent: withdraw consent at any time, when processing is based on this legal basis
  • Objection: object to processing based on legitimate interest, if you believe there is a violation of the LGPD
  • Review of automated decisions: request review of decisions made solely based on automated processing of personal data that affect your interests

To exercise any of these rights, contact us through the channels indicated in Section 17. We will respond to requests without undue delay, within the timeframes established by applicable law.

HackerSec may request additional information to verify the identity of the requester before processing the request, as a security measure for the protection of personal data.

8. Cookies and Tracking Technologies

8.1. What Are Cookies

Cookies are small text files stored on your device when you access the Platform. They help us provide a better and more personalized experience.

8.2. Cookies Used

Type, purpose and duration:

  • Essential: Platform functionality, authentication, session security, language preference. Duration: session / up to 1 year
  • Functional: user preferences, theme settings, navigation state. Duration: up to 1 year
  • Analytics: usage analysis, performance metrics, error detection. Duration: up to 2 years

8.3. Cookie Management

You can manage your cookie preferences directly in your browser settings. Disabling essential cookies may affect the proper functioning of the Platform. We do not use third-party advertising cookies.

9. Information Security

HackerSec implements appropriate technical and organizational measures to protect your personal data against unauthorized access, destruction, loss, alteration, disclosure, or any form of inadequate or unlawful processing, including:

  • Encryption: data in transit protected by TLS 1.2+ and sensitive data stored with encryption at rest
  • Access control: authentication plus role-based access control (RBAC), principle of least privilege, periodic permission reviews
  • Infrastructure: hosting on certified providers (SOC 2, ISO 27001), DDoS protection, web application firewalls (WAF)
  • Monitoring: access log recording, anomaly detection, security alerts
  • Passwords: stored exclusively as one-way cryptographic hashes, never in plain text
  • Network: network segmentation, encrypted internal communications, secure tunneling for administrative access
  • Personnel: confidentiality obligations for all employees and contractors, data protection training
  • Backups: regular encrypted backups, periodically tested

No system is 100% secure. Despite employing commercially reasonable efforts to protect your data, we cannot guarantee absolute security against all possible threats. In the event of an incident, we will follow the procedure described in Section 10.

10. Security Incidents

In the event of a security incident that may pose a relevant risk to personal data subjects, HackerSec will:

  • Notify the Brazilian National Data Protection Authority (ANPD) and/or the competent supervisory authority, without undue delay, as required by applicable law
  • Notify affected data subjects, without undue delay, when the incident may pose a high risk to their rights and freedoms
  • Adopt technical and organizational measures to mitigate the effects of the incident and prevent recurrence
  • Internally document all incidents, regardless of severity, including nature, effects, and measures adopted

Incident notifications will include, at a minimum: the nature of the personal data affected, information about the data subjects involved, technical and security measures adopted, related risks, and measures that have been or will be adopted to reverse or mitigate the effects of the incident.

11. Data Processing (Data Processing Agreement)

This section establishes the terms under which HackerSec processes personal data on behalf of Clients in the performance of security testing services, functioning as an integrated Data Processing Agreement (DPA).

11.1. Roles

  • The Client is the Controller of the personal data present in their systems and applications submitted for testing
  • HackerSec is the Processor of such data, processing it exclusively according to the Client's instructions and for the purpose of providing the contracted services

11.2. Processing Instructions

HackerSec will process the Client's personal data exclusively:

  • As documented in the Terms of Service and in the test scope defined on the Platform
  • According to additional written instructions provided by the Client
  • As necessary for compliance with legal obligations applicable to HackerSec

If HackerSec considers that a Client's instruction violates applicable data protection legislation, it will inform the Client without undue delay.

11.3. Sub-processors

The Client authorizes HackerSec to use sub-processors for the provision of services, provided that:

  • Sub-processors are bound by data protection obligations equivalent to those in this Policy
  • HackerSec maintains an updated list of sub-processors, as per Section 4.1
  • HackerSec notifies Clients of changes to the sub-processor list with reasonable advance notice
  • HackerSec remains responsible to the Client for the acts of its sub-processors

11.4. Security Measures

HackerSec will implement the technical and organizational measures described in Section 9 to protect personal data processed on behalf of the Client. Such measures will be continuously reviewed and updated according to the state of the art and the risks involved.

11.5. Compliance and Certifications

HackerSec will demonstrate compliance with its data protection obligations through:

  • Security certifications maintained by the company or its infrastructure providers
  • Independent third-party audit reports, when available
  • Documentation of internal data protection policies and procedures

11.6. Return and Deletion

Upon termination of service provision, HackerSec will:

  • Make final reports available to the Client in PDF format
  • Delete the Client's personal data from its systems after the applicable retention period, unless retention is required by law
  • Upon request, provide the Client with written confirmation of data deletion

12. Brazil-Specific Provisions (LGPD)

For users located in Brazil, the following additional rights and provisions apply in accordance with Law No. 13,709/2018 (LGPD):

  • You may exercise all rights provided in Art. 18 of the LGPD, as detailed in Section 7
  • Our Data Protection Officer (DPO) is identified in Section 17
  • You have the right to petition the Brazilian National Data Protection Authority (ANPD) if you believe the processing of your data violates the LGPD
  • HackerSec maintains records of personal data processing operations as required by Art. 37 of the LGPD
  • When processing is based on legitimate interest, HackerSec will prepare a data protection impact report when required by the ANPD

ANPD — Brazilian National Data Protection Authority
Website: www.gov.br/anpd

13. European Union-Specific Provisions (GDPR)

For users located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional rights and provisions apply in accordance with the GDPR and, for the UK and Switzerland, the equivalent national data protection legislation:

  • Legal bases: the legal bases listed in Section 3 correspond, under the GDPR, to consent (Art. 6(1)(a)), performance of a contract (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)), or legitimate interest (Art. 6(1)(f))
  • Right to portability: you have the right to receive your personal data in a structured, commonly used, and machine-readable format (Art. 20 GDPR). For pentest services, this will be fulfilled through delivery of reports in PDF format
  • Right to erasure: you may request the erasure of your personal data under the circumstances provided in Art. 17 of the GDPR
  • Right to restriction: you may request the restriction of processing under the circumstances of Art. 18 of the GDPR
  • International transfers: transfers outside the EEA are carried out based on standard contractual clauses of the European Commission (Art. 46(2)(c) GDPR) or other appropriate safeguards
  • Complaint: you have the right to lodge a complaint with the data protection supervisory authority of your country of residence

14. United States-Specific Provisions (CCPA/CPRA)

For residents of California and other US states with privacy legislation, the following rights apply:

  • Right to know: you may request information about the categories and specific pieces of personal data we have collected about you
  • Right to delete: you may request deletion of your personal data, subject to legal exceptions
  • Right to non-discrimination: we will not discriminate against you for exercising your privacy rights
  • We do not sell personal data: HackerSec does not sell and has never sold personal data of its users, as defined by the CCPA/CPRA
  • No cross-context behavioral advertising: we do not share personal data for cross-context behavioral advertising purposes

To exercise these rights, use the contact channels indicated in Section 17 or send your request to the email provided in that section.

15. Minors

The Platform and HackerSec's services are intended exclusively for individuals aged 18 or older and for representatives of organizations. We do not knowingly collect personal data from individuals under 18 years of age.

If we become aware that we have inadvertently collected personal data from minors under 18 years of age, we will take reasonable steps to delete such data as soon as possible. If you are aware that a minor has provided personal data to HackerSec, please contact us immediately through the channels indicated in Section 17.

16. Changes to This Policy

HackerSec may update this Privacy Policy periodically to reflect changes in our practices, in the services offered, or in applicable legislation. When we make material changes:

  • We will publish the updated version on this page with the new effective date
  • We will notify active Clients by email or notification on the Platform
  • When required by law, we will request new consent before the changes take effect

We recommend that you review this Policy periodically. Continued use of the Platform after the publication of changes constitutes your acceptance of the updated Policy.

17. Contact and Data Protection Officer (DPO)

For questions related to this Privacy Policy, to exercise your rights as a data subject, or to contact our Data Protection Officer (DPO), please use the following channels:

HackerSec Inovação em Cibersegurança Ltda.

Data Protection Officer (DPO): [email protected]

General contact: [email protected]

Website: hackersec.com/contato

Address: Avenida Ipanema, 165, Alphaville, Barueri, SP, 06472-002, Brazil

We will respond to requests without undue delay, within the timeframes established by applicable law.

© 2026 HackerSec Inovação em Cibersegurança Ltda.
