Privacy Policy

How CVEalert.io collects, uses, and protects your data

Last updated: February 22, 2026

This Privacy Policy explains how CVEalert.io (“Service”) collects and processes personal data.

The data controller is:

Kamil Vavra
Nove sady 988/2
602 00 Brno
Czech Republic

IC: 75345773

  • Sole trader registered in the Trade Register since 19 July 2022, recorded by the Brno City Hall.

For the purposes of the General Data Protection Regulation (GDPR), we act as the data controller.

If you have questions about this policy, contact: info@cvealert.io

1. Personal Data We Collect

1.1 Account Data

  • Email address
  • Name and surname (optional)
  • Company name (optional)
  • Team member email addresses (if invited)

1.2 Service Data

  • Software selections and monitoring configuration
  • Notification preferences
  • Webhook configuration (including webhook URLs)
  • Logs related to alert delivery

1.3 Technical Data

  • IP address
  • Browser type and device information
  • Authentication logs
  • Usage metadata

Technical data may be collected and processed via our infrastructure providers, security tools, and internal monitoring systems.

1.4 Billing Data

If you subscribe to a paid plan, the following billing information may be processed:

  • Billing name
  • Billing address
  • VAT ID (if provided)
  • Payment method details (processed by Stripe)
  • Invoice and transaction records

Billing data is processed by our payment provider (Stripe).

We do not store full credit card numbers or sensitive payment credentials on our servers.

We process personal data under the following legal bases:

  • Performance of a contract (Article 6(1)(b)) - to provide the Service.
  • Legitimate interests (Article 6(1)(f)) - to secure, maintain, and improve the Service.
  • Legal obligations (Article 6(1)(c)) - where required by law.
  • Consent (Article 6(1)(a)) - for optional newsletter subscriptions.

3. How We Use Personal Data

We use personal data to:

  • Provide and operate the Service (including team collaboration features)
  • Deliver vulnerability alerts
  • Maintain account security
  • Prevent abuse and fraud
  • Respond to support requests
  • Improve system reliability and performance
  • Send service-related communications
  • Send newsletters (only if you opt in)

We do not sell personal data.

4. Data Sharing and Processors

We use trusted service providers to operate the Service, including:

  • Infrastructure hosting providers (DigitalOcean)
  • CDN and security providers (Cloudflare)
  • Email delivery provider (Mailgun)
  • Payment processor (Stripe)
  • Logging and monitoring provider (Datadog)
  • IP geolocation provider (IPinfo)
  • Internal communication provider (Slack)

These providers process data on our behalf under contractual arrangements.

Where providers are located outside the European Union, appropriate safeguards such as Standard Contractual Clauses (SCCs) are applied.

5. International Transfers

Our primary infrastructure is located in the European Union.

Some service providers may process limited data outside the EU. In such cases, transfers are protected using appropriate safeguards in accordance with GDPR.

6. Data Retention

We retain personal data:

  • For as long as your account is active
  • For up to 30 days after account deletion (unless legal obligations require longer retention)
  • Log data is retained for a limited period (typically 15-30 days depending on the provider)
  • Billing data is retained as required by accounting and tax regulations

After retention periods expire, data is deleted or anonymized.

7. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encrypted transmission (HTTPS/TLS)
  • Access controls and authentication
  • Role-based access restrictions
  • Infrastructure security measures
  • Logging and monitoring

No system can guarantee absolute security.

8. Your Rights Under GDPR

You have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request deletion of your data
  • Restrict or object to processing
  • Request data portability
  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with a supervisory authority

The competent supervisory authority in the Czech Republic is:

9. Children’s Data

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time.

If changes are material, we will update the “lastUpdated” date and may notify users by email.

11. Contact

For privacy-related inquiries:

Email: info@cvealert.io
Website: https://cvealert.io/contact