1. Introduction & scope
Vezraa (“Vezraa”, “we”, “us”, or “our”) operates the website at vezraa.com and the related security-scanning platform (the “Service”). The Service performs production-readiness audits on web applications across security, performance, SEO, observability, AI/payment integrations, email deliverability, legal/compliance posture, accessibility, and infrastructure. This Privacy Policy explains what personal data we collect, why we collect it, how we use, share, retain, and protect it, and the rights you have under applicable data-protection laws.
This Policy applies to: (a) visitors of our website; (b) account holders and customers of the Service; (c) individual users acting on behalf of an organization; and (d) in limited circumstances, individuals whose information is processed through the Service (for example, contact information surfaced by a public scan you initiate). It does not apply to third-party websites or services we link to, or to the websites you submit for scanning, which remain under their own privacy policies.
This Policy should be read together with our Terms of Service.
2. Who we are; data controller
For the purposes of the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the Swiss Federal Act on Data Protection (revFADP), the Digital Personal Data Protection Act, 2023 of India (“DPDP Act”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other applicable laws, the data controller (or the “Data Fiduciary” under the DPDP Act) for personal data collected about our website visitors and account holders is:
- Operator: Vezraa, India
- General contact: udayakirantumma@gmail.com
- Privacy & data-subject requests: udayakirantumma@gmail.com
- Legal notices: udayakirantumma@gmail.com
For data we process strictly on behalf of our business customers (for example, content that appears in scans they initiate, or end-visitor data collected through any future customer-deployed tag), we act as a processor (or, under the DPDP Act, a Data Processor) and the customer is the controller / Data Fiduciary.
EU/UK representatives. Vezraa is established in India and our processing of EU and UK personal data is currently limited. We do not currently meet the threshold for appointing an Article 27 GDPR or UK GDPR representative. If our activities meet that threshold, we will appoint and publish a representative. EU and UK data subjects may continue to send all requests and complaints to udayakirantumma@gmail.com and we will respond promptly.
3. Information we collect
3.1 Account information
Email address, authentication-provider identifier (where you sign in with Google, GitHub, or a magic link via Supabase Auth), account-creation and last-sign-in timestamps, plan tier, scan counter, and an automatically generated affiliate code. We do not store passwords ourselves; authentication is handled by Supabase Auth. If you create an admin account, we store a bcrypt-style password hash, never the password itself.
3.2 Scan input & results
For each scan you submit we collect the URL or domain, your email (for report delivery), the plan you selected, an optional domain-verification token (DNS TXT or file-based), the time-stamps of scan creation, verification, and completion, and detected stack metadata (framework, database, auth, payments, AI provider, deployment platform, CSS framework).
We also collect and store the audit findings produced by the scan: category, severity, title, description, evidence, location, AI-generated remediation prompt, optional CVSS / OWASP / CWE identifiers, compliance tags, and a non-reversible fingerprint used to deduplicate findings across scans. For the “attack replay” feature, we store the request and response bodies that were exchanged with your own application during the scan, redacted of obvious secret-shaped values.
3.3 Raw scan data & transient cache
To produce the report, we temporarily store a copy of the HTML returned by your application, its response headers, DNS records, JS bundle hashes, discovered route list, and PageSpeed Insights output. This raw data is associated with your scan record. We do not retain raw HTML beyond the retention windows in Section 10.
3.4 Payment & billing information
Subscription billing is processed by Razorpay Software Private Limited. We receive from Razorpay a customer ID, subscription ID, plan and billing-cycle status, transaction amounts, billing email, country, and any tax identifier where applicable. We do not store full credit-card numbers, CVC/CVV, bank-account numbers, or UPI handles on our servers. See Razorpay's Privacy Policy.
3.5 Technical & log data
IP address, user-agent string, browser type and version, operating system, language preferences, referring URL, pages requested, response codes, request timestamps, and similar diagnostic telemetry generated automatically by your interactions with the Service. We use this data for security, fraud prevention, debugging, abuse mitigation, rate-limiting, and performance monitoring.
3.6 Integration tokens & API keys
When you connect a GitHub account for the “Open PR with fix” feature, we store the OAuth access token and the repository identifier you select. When you create Vezraa API keys (CLI, MCP, or CI/CD use), we store only a hash of the key (never the key itself). You can revoke a GitHub connection or any API key from your dashboard at any time; revocation deletes the token or hash from our systems.
3.7 Notifications & webhooks
If you configure Slack or Discord notifications, we store the webhook URL you supply along with the event types you opted in to. You can edit or delete these at any time.
3.8 Analytics & product events
We record a small number of product events (such as scan_started, scan_completed, payment_success, signup, badge_earned) to understand usage patterns and improve the Service. Where these events are linked to an identified user, that linkage is via your Vezraa user ID. We do not sync these events to advertising platforms.
3.9 Support & communications
When you contact us by email, we collect your email address, message content, attachments, and metadata necessary to respond. Support correspondence is retained for the duration of your account plus thirty (30) days after closure, and then deleted unless retention is required by law, dispute, or an ongoing security investigation.
3.10 Waitlist signups
If you joined the Vezraa waitlist, we store your email and (optional) name on Resend Audiences and in our database. You can unsubscribe at any time via the link in the confirmation email.
3.11 Sensitive personal data
Vezraa does not knowingly request or process “special category” data under GDPR Art. 9, “sensitive personal information” under CPRA, or analogous categories under the DPDP Act or other laws. We do not collect genetic, biometric, health, racial, ethnic, religious, philosophical, union-membership, sex-life, sexual-orientation, or precise-geolocation data. If such data inadvertently appears in scan content or support correspondence, we will treat it under the elevated standards required by applicable law and you may request deletion.
4. How we use information
- To create, authenticate, and maintain your account.
- To deliver the Service: running scans, surfacing findings, generating remediation prompts, producing PDF and JSON reports, sending email summaries, and managing dashboards.
- To run optional features you enable: GitHub PR auto-fix, Slack/Discord notifications, recurring monitoring, custom rules, team workspaces, and the MCP server.
- To process payments, manage subscriptions, issue invoices, calculate affiliate referrals, and handle billing disputes.
- To send transactional, security, and service-related communications (scan completion, payment receipts, threat alerts, policy updates).
- To detect, investigate, and respond to fraud, abuse, security incidents, unlawful activity, and violations of our Terms.
- To provide customer support and respond to your inquiries.
- To monitor and improve the performance, reliability, security, and quality of the Service, including by analyzing aggregated usage patterns and conducting limited product research.
- To comply with legal obligations, court orders, and lawful requests from public authorities, and to enforce our agreements and protect our rights.
- To anonymize or aggregate data for any lawful purpose, including statistical analysis, benchmarking, and product development.
5. Legal bases for processing (GDPR / UK GDPR / FADP)
Where the GDPR, UK GDPR, or revFADP apply, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): processing account, scan, integration, and payment data to create your account, run scans you initiate, deliver results, and otherwise fulfil our Terms.
- Legitimate interests (Art. 6(1)(f)): operating, securing, and improving the Service; fraud and abuse prevention; protecting the rights, property, and safety of Vezraa, our users, and third parties; investigating security incidents; aggregated analytics; and limited responsible-disclosure outreach in connection with publicly observable security findings. Where we rely on legitimate interests, we have balanced our interests against your rights and freedoms.
- Consent (Art. 6(1)(a)): any non-essential cookies, optional integrations, and any future opt-in marketing communications. You can withdraw consent at any time without affecting prior processing.
- Compliance with a legal obligation (Art. 6(1)(c)): keeping accounting and tax records, responding to lawful requests by authorities, and meeting our other statutory obligations.
- Vital or public interest (Art. 6(1)(d)/(e)): rarely, where necessary to protect a person's vital interests or where required by law.
6. Scan data & target websites
A Vezraa scan is performed against the URL you submit. To produce the report, we make read-only HTTP and DNS requests against that URL, parse the responses, and analyze them against our rule set. The Service does not perform destructive actions, attempt to write or modify data on your application, or attempt to log in with credentials you have not provided. The Service is best-effort and is not a guarantee of security; see the “Disclaimer of Warranties” section of our Terms.
The active-pentest “probes” that ship with paid plans send small, well-known test payloads (for example, header probes, redirect-target tests, content-type sniffing checks, and read-only authentication-flow checks) that are intended to be safe for a healthy production site. We will not run probes against domains you have not verified ownership of for paid plans, and we apply rate limits to all scans to avoid causing disproportionate load.
By submitting a URL, you confirm that you own that URL or that you have the authorization required to test it. Submitting URLs without authorization may breach computer-misuse laws and our Terms, and may expose you to civil and criminal liability. We have no obligation to verify your authorization independently and do not do so.
7. AI processing & no-training commitment
Vezraa uses third-party large-language-model APIs (currently OpenAI; optionally Anthropic) to (a) generate human-readable executive summaries of scan results and (b) generate remediation “fix prompts” for individual findings. The minimal context required — finding metadata, redacted evidence, and stack metadata — is sent to the model provider over TLS via their commercial API. We use these APIs under their commercial-API terms which prohibit training on customer inputs and outputs.
We do not use your scan data, source code, repository contents, integration tokens, or report contents to train, fine-tune, or evaluate any Vezraa-owned or third-party machine-learning model, except strictly to run the specific scan or feature you requested. Where we improve our own rule set or scoring logic, we work from anonymized aggregates rather than from individual customer content.
Outputs of automated analysis (rule matches, AI-generated explanations, severity ratings, remediation suggestions) are informational and require human review. They are not used to make decisions that produce legal or similarly significant effects on any individual; see Section 14.
8. Subprocessors & service providers
We share personal data only with the categories of recipients listed below and only to the extent necessary for the relevant purpose. Each subprocessor is bound by contractual obligations consistent with applicable data-protection law, including, where required, the European Commission Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum.
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| Vercel Inc. | Web hosting, edge functions, CDN | Request metadata, IP, technical logs | USA / global edge |
| Neon (Neon Inc.) | Primary Postgres database | Account, scan, finding, billing data | USA (us-east-1) |
| Supabase Inc. | Authentication (OAuth, magic link) | Email, OAuth identifier, session tokens | Region-configurable |
| Razorpay Software Private Limited | Subscription billing, invoicing, fraud screening | Email, billing country, transaction metadata | USA / EU |
| Resend, Inc. | Transactional and waitlist email delivery | Email, message content, delivery metadata | USA / EU |
| Upstash, Inc. | Redis-based rate limiting and queueing | Hashed IP / key identifiers, counters | Region-configurable |
| OpenAI, L.L.C. | AI fix prompts and executive summaries | Finding metadata and redacted evidence | USA |
| Anthropic, PBC (optional) | Alternative AI provider | Same as OpenAI, when configured | USA |
| Sentry (Functional Software, Inc.) | Error tracking and performance monitoring | Stack traces, user ID (hashed), request paths | USA / EU |
| GitHub (Microsoft, Inc.) | Optional repository integration | OAuth token, repo identifier, PR contents | USA |
| Google PageSpeed Insights | Performance metrics for scans | Public URL submitted for scanning | USA / global |
| Have I Been Pwned (optional) | Breach-monitoring lookups (Max plan only) | Hashed email or domain lookups | EU / global |
We may also share personal data with our professional advisors (lawyers, accountants, auditors) under confidentiality obligations; with courts, regulators, and law enforcement where required by law; and with successors in interest in connection with a corporate transaction, subject to appropriate confidentiality and continuity of this Policy.
9. International data transfers
Vezraa is operated from India. Some of our service providers process personal data in countries outside India, the European Economic Area, the United Kingdom, and Switzerland, including in the United States. When we transfer personal data internationally, we rely on one or more transfer mechanisms recognized under applicable law, including:
- European Commission adequacy decisions (where available, including for transfers under the EU-U.S. Data Privacy Framework where the recipient is certified);
- UK adequacy regulations and the UK Extension to the Data Privacy Framework;
- European Commission Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum;
- Supplementary technical and organizational measures (encryption in transit and at rest, access controls, and minimization).
Under the DPDP Act, personal data may be transferred outside India to any country other than those notified by the Government of India as restricted destinations; we will comply with any such notifications when published. A copy of the relevant transfer mechanism for a specific recipient is available on request to udayakirantumma@gmail.com.
10. Data retention
We retain personal data only for as long as necessary for the purposes set out in this Policy or as required by law. Indicative retention periods:
- Account data: active for the life of your account; deleted within thirty (30) days of account closure, except where retention is required by law.
- Scan results & findings: retained for one (1) year on free accounts and for the duration of the subscription on paid accounts; deleted within thirty (30) days of account closure.
- Raw HTML, headers, DNS, and other transient scan inputs: retained no longer than ninety (90) days, then purged.
- Attack-replay request/response pairs: retained for thirty (30) days after scan completion on paid plans, then purged. These are not stored or generated for free standalone tools.
- GitHub OAuth tokens and Vezraa API key hashes: deleted immediately on disconnect or revocation.
- Payment records, invoices, and tax-related accounting data: retained as required by Indian tax and commercial law (currently up to eight years under section 44AA of the Income-tax Act, 1961, and analogous laws in other jurisdictions).
- Server, security, and abuse logs: retained up to ninety (90) days, longer where necessary to investigate or respond to an incident or to defend legal claims.
- Support correspondence: account life plus thirty (30) days.
- Backups: backups containing personal data are retained for short rolling periods and overwritten on a regular schedule. Deletion from production triggers deletion from backups on the next overwrite cycle.
- Anonymized / aggregated data: may be retained indefinitely.
11. Cookies & tracking
We use a minimal set of strictly necessary cookies and similar local-storage technologies for authentication, session management, and rate-limiting. Specifically:
- Supabase auth cookies (e.g. sb-*-auth-token): keep you signed in. Strictly necessary.
- Admin session cookie (admin_session): used only on /admin routes. Strictly necessary.
- Local storage: occasional caching of UI preferences (collapsed sidebar, last viewed scan) — never personal data of identifiable third parties.
We do not use third-party advertising cookies, retargeting pixels, or cross-context behavioral advertising. We do not run Google Ads, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, or similar trackers. Because we do not engage in cross-context behavioral advertising and do not sell personal data, browser-based “Do Not Track” and Global Privacy Control (GPC) signals do not change our processing. We honor GPC as an opt-out request to the extent required by applicable law.
12. Security measures
We implement appropriate technical and organizational measures designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure, including without limitation:
- TLS encryption in transit on all endpoints; HSTS preload submission for our public domain.
- Encryption at rest on the Postgres database (Neon) and on cached scan artifacts in cloud storage.
- OAuth tokens and integration credentials are stored encrypted at rest and never echoed in API responses or log output.
- API keys are stored only as one-way hashes; the plaintext is shown to you exactly once at creation.
- Role-based access controls; principle of least privilege for staff and machine accounts.
- Multi-factor authentication is enforced on all administrative accounts and all infrastructure consoles.
- Rate limiting on all authentication, scan, and checkout endpoints (Upstash Redis).
- Audit logging on database mutations and on access to scan-related secrets.
- Vendor-risk review of subprocessors before onboarding and on a recurring schedule.
- Periodic vulnerability assessment and dependency scanning of our own platform.
- Secure software-development lifecycle including code review and pre-deploy CI checks.
- Security training for personnel with access to personal data.
No method of transmission over the Internet or method of electronic storage is 100% secure. While we use commercially reasonable means to protect your data, we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and notifying us of any suspected compromise.
13. Data breach notification
In the event of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, not later than seventy-two (72) hours after becoming aware of it, as required by Art. 33 GDPR (and analogous obligations under the UK GDPR and revFADP). Where the breach is likely to result in a high risk to affected individuals, we will also notify those individuals without undue delay as required by Art. 34 GDPR. Under the DPDP Act, we will notify the Data Protection Board of India and affected Data Principals in accordance with the Act and the rules notified under it.
14. Automated decision-making & profiling
We do not make decisions that produce legal effects or similarly significant effects on you based solely on automated processing within the meaning of Art. 22 GDPR. Our scanning, fingerprinting, scoring, and AI-assisted analysis features apply automated rules to data you submit, but the outputs are informational and require human review and action; they are not used to make decisions that legally or significantly affect any individual.
15. Your rights — EEA, UK & Switzerland
Subject to conditions and exceptions in applicable law, you may have the following rights with respect to personal data we hold about you:
- Right of access — request confirmation that we process your personal data and a copy of that data.
- Right to rectification — have inaccurate or incomplete data corrected.
- Right to erasure (“right to be forgotten”) — request deletion of your data.
- Right to restriction of processing — ask us to limit processing in certain circumstances.
- Right to data portability — receive your data in a structured, commonly-used, machine-readable format.
- Right to object — object to processing based on legitimate interests, including profiling, and to direct marketing.
- Right to withdraw consent — where processing is based on consent, withdraw consent at any time without affecting prior processing.
- Right not to be subject to solely automated decision-making — see Section 14.
- Right to lodge a complaint — file a complaint with a supervisory authority. In the EEA, you may contact the supervisory authority of your country of habitual residence, place of work, or place of the alleged infringement. In the UK, you may contact the Information Commissioner's Office (ICO).
To exercise any of these rights, contact udayakirantumma@gmail.com. We will respond within thirty (30) days (extendable by sixty (60) days for complex requests, with notice to you). We may need to verify your identity before responding.
16. Your rights — India (DPDP Act)
If you are a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights, subject to the conditions and exceptions of the Act and any rules notified under it:
- Right to access information about the personal data being processed, the processing activities, and the third parties with whom your data has been shared.
- Right to correction and erasure of your personal data.
- Right of grievance redressal — a readily available means to register a grievance with us.
- Right to nominate another individual to exercise your rights in the event of your death or incapacity.
Vezraa's designated grievance contact is the “DPDP Grievance Officer” and can be reached at udayakirantumma@gmail.com. We will respond to grievances within the timelines required by the Act and the rules notified under it. If you are not satisfied with our response, you may approach the Data Protection Board of India.
17. Your rights — California (CCPA / CPRA)
If you are a California resident, you have additional rights under the CCPA as amended by the CPRA:
- Right to know — request information about the categories and specific pieces of personal information we have collected, the sources, the purposes of collection, and the third parties with whom we share it.
- Right to delete — request deletion of your personal information.
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell personal information for monetary or other valuable consideration and we do not share personal information for cross-context behavioral advertising. We have not done so in the preceding twelve (12) months.
- Right to limit use of sensitive personal information — we do not collect sensitive personal information for inferring characteristics; only the limited categories required to provide the Service are processed and only for permitted business purposes.
- Right to non-discrimination — we will not discriminate against you for exercising any CCPA/CPRA right.
- Right to designate an authorized agent — you may use an authorized agent to make a request, subject to identity verification.
Categories of personal information collected in the preceding 12 months: identifiers (email, IP); commercial information (subscription, payment metadata); internet or other electronic-network activity (log, telemetry); inferences for security and abuse detection only. We have not sold or shared (for cross-context behavioral advertising) any personal information in the preceding 12 months. We do not knowingly sell or share information of consumers under sixteen (16).
To exercise a right, email udayakirantumma@gmail.com with the subject “CCPA Request”.
18. Other US state privacy rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana, New Hampshire, Delaware, New Jersey, Maryland, Minnesota, Rhode Island, and Florida (FDBR), and any other US state that grants equivalent rights, have, subject to the conditions and exceptions of their respective laws, the right to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of (i) the sale of personal data, (ii) targeted advertising, and (iii) profiling for decisions that produce legal or similarly significant effects. Vezraa does not engage in (i), (ii), or (iii). To exercise other rights, contact udayakirantumma@gmail.com. Appeals can be sent to the same address with the subject “Privacy Appeal”.
19. Other jurisdictions
- Brazil (LGPD). Brazilian data subjects have rights of access, correction, anonymization, blocking, deletion, portability, information about sharing, and withdrawal of consent. Direct requests to udayakirantumma@gmail.com.
- Canada (PIPEDA, Quebec Law 25). Canadian residents may request access to and correction of personal information and withdraw consent subject to legal and contractual restrictions. Quebec residents may additionally request the cessation of dissemination, de-indexing, and portability where applicable.
- Australia. Australian residents may access and correct their personal information under the Australian Privacy Principles.
- Japan, South Korea, Singapore, others. We honor analogous rights under applicable local data-protection laws to the extent they apply to our processing.
20. No sale, no targeted advertising, no AI-model training on customer content
Vezraa does not sell personal data for money or any other valuable consideration. We do not share personal data for cross-context behavioral advertising. We do not use Customer Content (your scan data, source code, repository contents, integration credentials, or report contents) to train, fine-tune, or evaluate any Vezraa-owned or third-party large-language model or machine-learning model, except strictly to run the specific scan or feature you requested.
21. Children's privacy
The Service is not directed to, and we do not knowingly collect personal data from, anyone under the age of sixteen (16) (or the higher minimum age in your jurisdiction, including eighteen (18) where required, such as under the DPDP Act's consent rules for children). We do not knowingly collect “personal information from children” within the meaning of the U.S. Children's Online Privacy Protection Act (COPPA). If you are a parent or guardian and believe that we have collected personal data from your child, please contact us at udayakirantumma@gmail.com and we will delete it promptly.
22. Changes to this policy
We may update this Privacy Policy from time to time. For material changes, we will provide advance notice (generally at least thirty (30) days) by email and/or by posting a prominent notice in the Service. The current version is always available at vezraa.com/privacy with a “Last updated” date and version number. Non-material changes (such as clarifications or typographical corrections) take effect on posting. Continued use of the Service after changes take effect constitutes acceptance.
23. Contact us
If you have questions about this Privacy Policy, your personal data, or wish to exercise your rights, contact us:
- Privacy & data-subject requests: udayakirantumma@gmail.com
- General support: udayakirantumma@gmail.com
- Legal: udayakirantumma@gmail.com
- Website: vezraa.com
See also: Terms of Service.