This is the policy that governs every byte of customer data we touch. It's written so a non-lawyer can read it once and understand it. If you find a sentence that doesn't pass that bar, email privacy@celvexgroup.com and we'll fix it.
CelvexGroup runs an autonomous penetration-testing service. To do that we need a small amount of personal data: your email address, an account password (or verification-link token), the domain you ask us to scan, and the IP address you submit from. We use that data only to run the scan you asked for, deliver the report to you, bill you correctly, and keep abusive traffic off the platform. We do not sell it. We do not share it with marketing networks. We do not run analytics scripts that profile you across the web. The only cookies we set are the ones required to keep you signed in.
Below is the long version, written so you can verify the summary above. If anything reads like a contradiction, the long version governs.
CELVEX Group_celvex-authorize.<your-domain>), we store the issued token until verification or 90-day expiry, whichever is first.security@, privacy@, or support@.For each category, the lawful basis under GDPR Article 6:
| Category | Purpose | GDPR Art. 6 basis |
|---|---|---|
| Account data | Authenticate you, deliver the service you signed up for | (b) Contract performance |
| Scan-target data | Run the scan you authorised; eTLD+1 dedupe; share rules per SOP | (b) Contract performance |
| Billing data | Bill you; tax record retention | (b) Contract; (c) Legal obligation (US tax) |
| IP & rate-limit data | Abuse detection, bot mitigation | (f) Legitimate interest (platform integrity) |
| Audit logs | Security, dispute resolution, compliance evidence | (f) Legitimate interest; (c) Legal obligation |
| Support correspondence | Respond to you | (b) Contract; (a) Consent (initiating the email) |
For California residents under CCPA, these categories map to the standard Cal. Civ. Code §1798.140 categories: identifiers (email, IP), commercial information (billing), internet activity (scan logs, audit logs), and inferences (none, since we do not build behavioural profiles).
For Canadian customers under PIPEDA, we collect, use, and disclose personal information only for the identified purposes above, with consent (express where required, implied for the operation of a requested service), and we limit collection to what those purposes require. PIPEDA's accountability, openness, and individual-access principles are served by this policy and by the rights process in section 6. Canadian customers may also request a Canadian-region residency option (see section 9).
| Category | Retention |
|---|---|
| Scan reports & Proof Capsules | 24 months from creation |
| Account data (email, name, org) | Until cancellation + 6 months, then permanent purge |
| Audit logs | 24 months, append-only, immutable |
| Billing & tax records | 7 years (US tax-record retention; cannot be shortened on request) |
| Free-tier dedupe index (eTLD+1) | 9 months from scan |
| Free-tier auth tokens | 90 days from form submission, then HTTP 410 |
| IP addresses (hashed) | 30 days |
| Support correspondence | 24 months |
The 24-month report retention runs from report creation, not from cancellation. A report created 2026-01-15 expires 2028-01-15 regardless of subscription state. After 24 months, rows move to cold archive and are retrievable only via an ops ticket; they are then permanently destroyed at the end of the cold-archive window.
We share customer data only with the subprocessors listed publicly in our Trust Center subprocessor table. Each subprocessor has a written DPA, a defined purpose, and a defined data scope. As of the effective date above:
We give customers 30 days' written notice before adding a new subprocessor with material customer-data scope, per the DPA. We do not sell personal data. We do not share personal data with advertising networks. We do not run cross-site analytics or fingerprinting.
Two narrow exceptions where we may disclose: (a) when legally required by a valid subpoena or court order from a US court of competent jurisdiction, in which case we will notify you unless the order specifically prohibits notification; (b) if we believe disclosure is necessary to prevent imminent physical harm or fraud against you. Both are rare; both are logged.
Whether PIPEDA, GDPR, UK GDPR, CCPA / CPRA, or another applicable regime governs your relationship with us, you have these core rights:
Email privacy@celvexgroup.com from the email address on your account, or include account-verification context if writing from a different address. We respond within 30 days for GDPR / UK-GDPR requests and 45 days (extendable to 90 with notice) for CCPA requests.
For account-deletion requests: subscription must be cancelled before final deletion, but you can submit the deletion request the same day. The 6-month wind-down handles reactivation; if you confirm permanent deletion, we purge ahead of schedule. Audit logs and tax records remain for the legally-required minimums above.
As a brand statement and as policy: we run no marketing trackers, no behavioural analytics, and no cross-site advertising pixels. The cookies we set are:
celvex_session): keeps you signed in. HTTP-only, Secure, SameSite=Lax, expires on sign-out or after 14 days of inactivity.celvex_csrf): protects authenticated form submissions from cross-site attacks. HTTP-only, Secure.cf_clearance): bot mitigation on public forms. Set by Cloudflare, governed by their cookie policy.No Google Analytics. No Facebook Pixel. No LinkedIn Insight tag. No HubSpot tracker. No Hotjar / FullStory / session replay. We measure operational metrics (latency, error rates) server-side and aggregate; nothing client-side that profiles you.
Default deployment is US-only. If you are an EU or UK customer and require EU-residency for compliance reasons, the EU residency option (CF Workers EU + EU Postgres replica) is available behind a customer flag with a signed addendum to the DPA.
Celvex is Canadian-built and Canadian-owned. If you are a Canadian customer and require your data to stay in Canada under PIPEDA, a Canadian-region residency option is available on request, behind a customer flag with a signed addendum to the DPA, the same way the EU option is provisioned. Equivalent in-region residency options for APAC customers are available on request.
Where customer data is transferred from the EU / UK to the US, the transfer is governed by Standard Contractual Clauses (Module 2: Controller-to-Processor) attached to the DPA. We have not relied on the EU-US Data Privacy Framework as the primary transfer mechanism, though we will comply with it where it overlaps. For EU-specific DPA queries, including a signed copy of the SCCs and our supplementary measures statement, contact privacy@celvexgroup.com.
The CelvexGroup service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has submitted personal data to us, email privacy@celvexgroup.com and we will delete it.
TLS 1.2+ in transit. AES-256 at rest in Postgres and the KV store. Argon2id password hashing. Audit logs append-only with hash-chain integrity. Per-scan Ed25519-signed scope manifests so a compromised scheduler cannot launch out-of-scope scans. Full detail on the security overview page.
We cannot promise zero breaches, and anyone who does is lying. We can promise a 24-hour triage SLA, a 72-hour customer-notification SLA on confirmed incidents, and a public post-mortem on material events. See incident response on the Trust Center.
We will update this policy when we change a material practice (new subprocessor, new data category, new retention rule, etc.). Material changes are announced by email to active customers at least 30 days before they take effect. The last updated date at the top of this page reflects the most recent revision. Old versions are available on request.
Privacy questions, rights requests, complaints: privacy@celvexgroup.com.
If you are an EU resident and you believe we have not handled your data lawfully, you also have the right to lodge a complaint with your local supervisory authority, though we'd ask you to write to us first; we want to fix it before a regulator has to.
Postal address (US): [PLACEHOLDER: registered office address, to be added on incorporation paperwork update].
This policy is intentionally readable. If a reasonable non-lawyer reading it could come away confused about what we do with their data, the policy has failed and we'll rewrite the paragraph. Email privacy@celvexgroup.com with the line that confused you.