VIR Vulnerability Intelligence Relay

Privacy Policy

Template — review by counsel before public registration.

What we collect

  • API token holders — your name, organisation, email, billing details (if Pro/Enterprise), token usage logs.
  • Authenticated UI sessions — email, IP, user agent, last-seen timestamp (for session validity).
  • Anonymous visitors — server access logs (IP, referrer, requested path, response code) retained 30 days for abuse / debugging only.

What we do not collect

  • No third-party analytics, no trackers, no advertising IDs.
  • No fingerprinting. No location. No social embeds at runtime.
  • Logged-out users see zero JavaScript telemetry — only first-party static JS bundled with the page.

Cookies

VIR sets only strictly-necessary cookies (per ICO + EDPB ePrivacy guidance). No consent banner is required because we never set analytics, advertising, or third-party cookies.

Cookie | Purpose | Lifespan | Type
vir_admin_session | Authenticated admin session token (HttpOnly, SameSite=Strict, Secure) | Browser session | Strictly necessary

User preferences (theme, etc.) are stored in localStorage, not cookies — they never leave your browser and aren't sent on any request.

Third-party data sources

VIR aggregates from authoritative CVE feeds: NVD, MITRE CVE.org, CISA KEV, ENISA EUVD, GHSA, OSV, distro security advisories (Ubuntu USN, Debian DSA, Red Hat OVAL, etc.), and vendor security pages. All sources are public; we attribute and link to originals.

How we use it

Account data + token logs → service delivery, billing, abuse prevention. Anonymous access logs → debugging, capacity planning, abuse rate-limiting. We don't profile users or sell data.

Sharing

None, except: (a) when required by court order in the operating jurisdiction (UK), (b) Stripe for payment processing when you subscribe, (c) email-delivery providers for transactional mail (token resets, billing receipts).

Retention

  • API token usage logs: 90 days rolling.
  • Session records: 24h sliding window.
  • Anonymous access logs: 30 days.
  • Account data: indefinite while active. Deletion on request — we keep a hash-only record of past tokens for fraud prevention.
  • Audit chain (mitigation decisions, signing events): indefinite — tamper-evident provenance is the core service.

Your rights (GDPR + UK GDPR)

Access, correction, deletion, portability, restriction. Email privacy@lbreeze.com from the account email; we respond within 30 days.

Security

Ed25519 signing on every outbound payload. Tokens are scrypt-hashed at rest; only the prefix is logged. TLS 1.2+ enforced. PostgreSQL backups encrypted at rest. Hash-chained audit log makes any silent edit detectable.

Contact

Privacy queries: privacy@lbreeze.com
DPA: dpo@lbreeze.com

Powered by lbreeze limited

Data provided AS-IS — verify before applying mitigations.
