
Privacy Policy

Effective date: June 2026

Overview

This Privacy Policy explains how Expose Security Research collects, uses, stores, and shares personal data and security evidence when operating the website, team portal, authorization forms, client agreements, disclosure workflows, and security research services.

Data We Collect

We may collect names, job titles, organization names, email addresses, phone numbers, domains, scope details, emergency contacts, agreement records, authorization records, IP addresses, timestamps, payment metadata, case status metadata, report files, evidence summaries, remediation notes, and communications submitted to us.

Security Evidence

Security evidence may include screenshots, response metadata, URLs, headers, redacted samples, severity analysis, and technical notes. We avoid collecting raw personal data, credentials, secrets, customer content, or regulated data unless strictly necessary to document a finding or support remediation.

How We Use Data

We use data to verify authorization, operate the team portal, document consent, manage disclosure cases, prepare private reports, coordinate remediation, process payments, respond to inquiries, maintain audit trails, prevent abuse, comply with law, and protect the security of our systems and clients.

Legal Bases

Where GDPR or similar laws apply, we rely on contract performance, legitimate interests in security research and fraud prevention, consent where requested, and legal obligations. We apply data minimization, purpose limitation, storage limitation, integrity, confidentiality, and accountability principles.

Service Providers

We may use trusted providers for hosting, database storage, forms, email, analytics, IP address capture, payment processing, and deployment. Current or planned providers may include Vercel, Neon/Postgres, Formspree, api.ipify.org, email providers, and payment processors. Providers process data only as needed to operate these services.

Sharing

We may share data with the affected organization, authorized client representatives, professional advisers, remediation vendors approved by the client, service providers, payment processors, insurers, auditors, or authorities when required by law. Public disclosure pages do not include private reports, credentials, private user data, or sensitive evidence.

Retention

Authorization records, agreement records, invoices, and payment metadata may be retained for up to seven years for legal, accounting, and audit purposes. Private reports and evidence may be retained for up to twelve months after case closure unless a longer period is required by law, dispute handling, client instruction, or security need. Operational logs are retained only as long as reasonably needed.

Security Measures

We use access controls, role-based workflows, restricted report visibility, provider security controls, and reasonable administrative and technical safeguards to protect data. No internet service can guarantee absolute security.

International Processing

Data may be processed in the United States, Nigeria, the European Economic Area, or other countries where we or our providers operate. When required, we use appropriate contractual or organizational safeguards for international transfers.

Your Rights

Depending on your location, you may have rights to request access, correction, deletion, restriction, objection, portability, withdrawal of consent, or complaint to a data protection authority. Some requests may be limited by legal, security, accounting, or evidence-preservation obligations.

Contact

For privacy requests, correction requests, or data protection questions, contact security@exposesecurity.online.

Changes

We may update this Privacy Policy as our services, providers, or legal obligations change. Material updates apply prospectively unless required otherwise by law.