BlackHart

Privacy Policy

Last updated: May 3, 2026

BlackHart Inc. (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or engage our security auditing services.

01 //

Information We Collect

Contact Information: When you submit an audit application or contact us, we collect your name, email address, and any other information you provide.

Protocol Information: We collect details about your protocol, including name, website, codebase links, and technical specifications necessary to scope and perform security audits.

Usage Data: We automatically collect certain information when you visit our website, including IP address, browser type, pages visited, and time spent on pages.

Authentication Data: When you create an account, we collect your name, email address, organization affiliation, and multi-factor authentication configuration. We may infer your organizational affiliation from your email domain to facilitate account approval for verified protocol teams.

Subscription Data: We collect subscription tier, billing history, and feature usage data to manage your account and improve our services.

Portal Activity: We collect data about your interactions within the portal, including findings viewed, discussion messages, notification preferences, and feature usage.

02 //

How We Use Your Information

We use the information we collect to:

  • Evaluate and respond to audit applications
  • Provide security auditing and monitoring services
  • Communicate with you about our services
  • Improve our website and services
  • Comply with legal obligations

03 //

Data Security

We implement appropriate technical and organizational security measures to protect your information against unauthorized access, alteration, disclosure, or destruction. This includes encryption, access controls, and secure data storage practices.

All audit findings and vulnerability reports are treated as strictly confidential and are only shared with authorized personnel within your organization.

04 //

Third-Party Services

We use the following third-party services to operate our platform:

  • Supabase: Database and authentication infrastructure. Privacy policy: supabase.com/privacy
  • Stripe: Payment processing and subscription management. Privacy policy: stripe.com/privacy
  • Resend: Transactional email delivery, including finding notifications and security alerts. Privacy policy: resend.com/legal/privacy-policy
  • Vercel: Website hosting and deployment. Privacy policy: vercel.com/legal/privacy-policy

Email notifications may contain finding identifiers, severity levels, and summary information necessary to alert you to security events. You can control notification types in your portal settings.

05 //

Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Audit reports and related documentation are retained according to our contractual obligations and applicable law.

06 //

Discussion and Collaboration Data

The BlackHart portal includes discussion features for communicating with our research team. Discussion messages may be visible to your team members, BlackHart researchers, or both, depending on the visibility setting selected by the message author.

Discussion data is retained for the duration of your subscription and for 12 months following termination.

07 //

Lead and Application Data

Information submitted through our audit application form (protocol details, contact information, technical specifications, and engagement preferences) is used to evaluate and respond to your inquiry. This data may be retained for up to 24 months for non-converted applications. We do not sell or share application data with third parties.

08 //

Security Logging

We log IP addresses, request metadata, and rate-limiting data to protect against abuse and ensure platform security. Security logs are retained for 90 days and are not used for marketing or analytics purposes.

09 //

PoC Access Logging

Access Logging: We log all access to PoC Materials including: subscriber identity, timestamp, IP address, user agent, and specific materials accessed. These logs are retained for 7 years for security and compliance purposes.

Watermark Data: Unique identifiers embedded in PoC Materials are linked to your subscriber account. This data is used exclusively for security forensics in the event of unauthorized disclosure.

Data Sharing: PoC access logs and watermark data may be shared with:

  • Law enforcement pursuant to valid legal process
  • Affected protocols in the event of unauthorized exploitation
  • Legal counsel in connection with enforcement of these terms

10 //

Watermark Data Retention

Watermark identifiers and associated account mappings are retained for the duration of your subscription and for 7 years following termination. This extended retention period is necessary because PoC Materials may remain in a subscriber's possession after account termination, and forensic traceability must be maintained for the useful life of the materials.

11 //

Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your personal information
  • Object to or restrict processing of your information
  • Request data portability

To exercise these rights, please contact us using the information provided below.

12 //

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

privacy@blackhart.io

Changes to This Policy: We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last updated” date.