Privacy Policy
Last updated:
This Privacy Policy describes how BreachVex ("BreachVex", "we", "us") collects, processes, and protects personal data when you interact with our website breachvex.com and the services we provide. We comply with the EU General Data Protection Regulation (GDPR — Regulation 2016/679) and the French Loi Informatique et Libertés.
1. Data controller
The data controller is BreachVex, operating from Paris, France. You can reach our data protection contact at privacy@breachvex.com. For all other inquiries: contact@breachvex.com.
2. Data we collect
We only collect data we genuinely need. Specifically:
- Email address — when you join the waitlist, request a demo, or contact us.
- IP address — stored as a one-way hash (SHA-256, salted) for rate-limiting and abuse prevention; retained 7 days then deleted.
- Browser user-agent — used by our anonymized analytics (no cross-site tracking, no advertising cookies).
- Submission metadata — source page, locale, and an optional referral string you choose to provide.
- Email engagement — open and click events from transactional emails (via our processor Resend), used to measure delivery health.
3. Legal basis for processing
We process your data under one of the following GDPR Article 6 legal bases:
- Consent (Art. 6(1)(a)) — when you opt in to the waitlist or marketing communications. You can withdraw consent at any time via the unsubscribe link in our emails or by emailing privacy@breachvex.com.
- Legitimate interest (Art. 6(1)(f)) — to operate, secure, and improve our services; detect and prevent fraud, abuse, and security incidents; and respond to your inquiries.
- Legal obligation (Art. 6(1)(c)) — to retain records required by French and EU law (e.g. accounting).
4. Data retention
- Waitlist entries — up to 24 months from signup, or until you unsubscribe (whichever is sooner).
- Rate-limit and security logs — 7 days (rolling), then deleted.
- Anonymized analytics — 14 months maximum (CNIL recommendation).
- Customer / billing records — 10 years per French commercial law (Code de commerce, Art. L. 123-22).
5. Your GDPR rights
Under Articles 15-22 of the GDPR, you have the right to:
- Access (Art. 15) — obtain a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure / right to be forgotten (Art. 17) — request deletion when lawful.
- Restriction (Art. 18) — limit our processing under certain conditions.
- Portability (Art. 20) — receive your data in a structured, machine-readable format.
- Objection (Art. 21) — object to processing based on legitimate interest or direct marketing.
- Automated decision opt-out (Art. 22) — we do not currently make decisions about you based solely on automated processing.
To exercise any right, email privacy@breachvex.com. We respond within one month (Art. 12(3)). You also have the right to lodge a complaint with the French data-protection authority (CNIL) at www.cnil.fr.
6. Recipients and processors
We share your data only with the strict minimum of processors required to deliver the service:
- Resend (transactional email delivery) — operates under a Data Processing Agreement.
- PostgreSQL hosting — EU-located managed database (data stored at rest in the European Economic Area).
- Vercel Inc. (website hosting). Hosting address available on request via privacy@breachvex.com.
- PostHog (anonymized analytics, EU region) — operates under a Data Processing Agreement. Only contacted after explicit consent via the cookie banner.
7. International data transfers
By default, your data is stored and processed within the European Economic Area (EEA). When a processor (e.g. Vercel) is located outside the EEA, transfers are governed by the European Commission's Standard Contractual Clauses (Decision 2021/914) and any complementary safeguards required by the CJEU Schrems II ruling.
8. Children
Our services are not directed at, and we do not knowingly collect data from, individuals under 16 years of age. If you believe a child has provided us data, please contact privacy@breachvex.com and we will delete it immediately.
9. Security
We apply technical and organisational measures appropriate to the risk (GDPR Art. 32): encryption in transit (TLS 1.3), encryption at rest, least-privilege access, audit logging, and incident response procedures. No system is perfect — if we detect a breach affecting your data, we will notify you and the CNIL within 72 hours as required by Art. 33-34.
10. Cookies and similar trackers
We separate cookies into two strict categories. We never use cookies for advertising, profiling, or cross-site tracking.
- Strictly necessary — required for the site to function. Includes the consent cookie (bvx_consent_v1, 1 year), session, CSRF token, and locale preference. Exempt from consent under ePrivacy Directive Art. 5(3).
- Analytics (PostHog, EU region) — anonymized usage measurement hosted on EU servers. Active only after explicit opt-in via the cookie banner. Raw events retained 90 days, aggregated metrics 12 months. No advertising, no cross-site tracking. Processor: PostHog, GDPR Data Processing Agreement available.
You can withdraw or change your consent at any time using the button below, or by clearing the bvx_consent_v1 cookie in your browser.
11. Updates to this policy
We may update this policy as the service evolves. If a change is material, we will notify waitlist subscribers and active customers by email before the change takes effect. The current version is dated below.
12. Contact
Data protection contact: privacy@breachvex.com · General: contact@breachvex.com.