Legal

Privacy Policy

Version 2026-05-04

Privacy Policy

Effective: 2026-05-04

1. Who we are

SolEye is a hosted continuous-pentest platform operated at soleye.tech. For the hosted product the SolEye team is the data processor and you (the account / organisation owner) are the data controller. For self-hosted deployments you operate the platform yourself and you are both controller and processor.

For any privacy question, data-subject request, or breach correspondence, contact us at [soleye.support@gmail.com](mailto:soleye.support@gmail.com).

2. What we collect

Account data (kept while your account exists, deleted on request):

  • email, display name, hashed password (bcrypt, never reversible)
  • IP address and user-agent of every authenticated request (audit log)
  • two-factor secret (TOTP), if you enable it

Operational data (kept 90 days then purged unless you renew the scan):

  • targets you submit and the verification artifact you placed
  • scan output: phase status, findings, evidence snippets, response captures
  • AI agent transcripts (prompts + tool calls + tool outputs)
  • generated reports (executive PDF, technical PDF, JSON)

Lead-form data (only if you contact us via the public contact form):

  • the name, contact handle, and message you submit
  • the IP and user-agent of the submission, for spam mitigation
  • forwarded immediately to our private Telegram channel; not retained on

application servers beyond the request lifecycle.

Telemetry (aggregated, no PII):

  • counts of scans / findings / API calls per organisation
  • per-mission AI token usage and cost

3. What we don't collect

  • We do not train models on your scan output. The AI agent uses Anthropic's

API; the bring-your-own-key option lets you sever even that link.

  • We do not sell or share data with third parties for marketing.
  • We do not deploy third-party tracking scripts, ad pixels, or session

recorders on the marketing site or the dashboard.

  • We do not store the plaintext of secrets you upload (Anthropic key,

Slack webhook, Telegram bot token, etc.) — only AES-256-GCM ciphertext and a short hint.

4. Sub-processors

By using the hosted version you accept the following sub-processors:

  • Anthropic (claude.ai) — AI agent inference, only when you trigger an

AI mission. Bring-your-own-key lets you bypass.

  • Cloudflare R2 — encrypted artifact storage (PDF reports, JSON exports).
  • Telegram (Bot API) — delivery channel for inbound contact-form leads

and, optionally, your scan-completion alerts if you wire a bot in Settings.

  • Resend — transactional email (scan-complete notifications, alerts).

Optional; not all deployments enable it.

  • Stripe / NowPayments — payment processing, only if you upgrade

beyond the trial.

If you self-host you control all sub-processors directly.

5. Where data lives

  • Hosted (default): EU data residency. Cloudflare R2 EU jurisdiction;

primary Postgres in EU; Anthropic processes in the US under their DPA.

  • Self-hosted: you control everything.

6. Your rights (GDPR / CCPA)

  • Access / portability — download a complete export of your data from

Settings → Account → "Download my data". Returned as a zip of JSON files.

  • Erasure — delete your account from Settings → Account → "Delete

account". Solo-owned organizations (and their entire history, including artifact blobs) are removed immediately.

  • Rectification — edit your name / email from Settings.
  • Objection / restriction — email

soleye.support@gmail.com to request a hold or correction.

7. Retention

  • Operational scan data: 90 days from scan completion (matches TOS §3).
  • Audit log: 12 months (compliance need).
  • Account data: until deletion.
  • Aggregated telemetry: indefinite (already de-identified).
  • Lead-form messages: held in Telegram; not retained on app servers.

8. Security

  • TLS 1.2+ in transit (HSTS preload, no plaintext fallback).
  • Postgres row-level security enforces per-tenant isolation; cross-tenant

reads are physically impossible at the database layer.

  • Sandbox containers are network-isolated to your verified target IPs only

(egress firewall via iptables) — they cannot accidentally reach unrelated systems.

  • Encryption at rest for secrets (AES-256-GCM with platform-derived key).
  • Daily Postgres backups, 14-day retention.

9. Breach notification

Material breaches are notified by email within 72 hours of confirmation, per GDPR Article 33. We publish an incident page during active incidents.

10. Changes

We notify in-app and by email at least 14 days before changes to this policy take effect.

Contact

Privacy queries, data-subject requests, and breach correspondence: [soleye.support@gmail.com](mailto:soleye.support@gmail.com).

For faster, conversational support: Telegram @soleye.