Skip to main content
Vantyris

Legal

Privacy Policy

Effective 2026-05-23.

This policy explains what data Vantyris (operated by Shield Trust Holdings, registered in United Kingdom) collects, why, where it is stored, and what rights you have. We are the data controller; the contact for any data request is privacy@vantyris.com.

What we collect

  • Account data: your name, email, hashed password, workspace memberships, billing address. Provided by you.
  • Scan inputs: the domains and targets you enter, the verification evidence you submit (DNS record, file, meta tag), and the technical configuration we observe during a scan.
  • Scan outputs: findings, severity classifications, remediation advice, PDF reports, scan history.
  • Billing data: records of credits purchased, transaction IDs from our payment processor, invoice metadata. We never store full payment-card details, Stripe handles that.
  • Usage data: server-side request logs (timestamp, route, status), used for security and reliability. We do not run third-party analytics, advertising pixels, or tracking cookies.
  • Support correspondence: the content of emails or contact-form messages you send us.

Why we collect it (legal basis under UK-GDPR / EU-GDPR)

  • Contract: account data and scan data are needed to perform our contract with you (to run scans, deliver reports, support you).
  • Legal obligation: billing records and audit logs are retained as long as the law requires.
  • Legitimate interests: security logging, abuse detection, and improving the service. We balance these against your interests on each new use.
  • Consent: we will ask for your consent before sending any marketing-style email (we don't currently send any). You can withdraw at any time.

Where it is stored

Our primary data store is Supabase, hosted in the European Union (the EU region of AWS). Backups are encrypted and retained in the same region. Static assets and report PDFs are stored in Supabase Storage with signed-URL access. We do not transfer personal data outside the UK / EEA except where required to deliver email through our chosen email provider, that provider is contractually bound by Standard Contractual Clauses and operates with appropriate technical safeguards.

How long we keep it

  • PDF reports, 12 months from generation.
  • Raw scanner artefacts (intermediate output), 30 to 90 days.
  • Account data, for as long as your account is active, plus 90 days after deletion for revival.
  • Audit logs (security and authorisation events), 12 months.
  • Billing records, for the minimum period required by UK tax law (currently six years).

Who we share with

Only the processors we need to operate the service:

  • Supabase, database, authentication, file storage (EU region).
  • Stripe, payment processing.
  • Our email provider, transactional email delivery (verification, receipts, password reset). Listed in our processor register, available on request.
  • Our hosting / VPS provider, runtime infrastructure.

We never sell, rent, or licence your data. We never share with advertisers. We will only disclose data to a third party where compelled to do so by a court order or where required by law, and only the minimum data the order specifies.

Cookies

We use a small number of strictly necessary cookies: a session cookie to keep you logged in, a CSRF cookie for security, and a preference cookie to remember your currency selection. We do not use analytics, advertising, or tracking cookies. We do not display a cookie consent banner because under UK PECR / EU ePrivacy, strictly necessary cookies do not require it.

Your rights

Under UK-GDPR and EU-GDPR you have the right to:

  • Access, request a copy of the personal data we hold about you.
  • Rectification, ask us to correct inaccurate data.
  • Erasure, ask us to delete your data ("right to be forgotten"). Subject to the retention periods listed above and any legal obligation to retain.
  • Portability, request an export of your data in a machine-readable format.
  • Object, object to processing based on legitimate interests.
  • Restrict, ask us to restrict (pause) processing while a dispute is resolved.
  • Complain, to the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.

To exercise any of these, email privacy@vantyris.com. We respond within 30 calendar days and never charge a fee unless your request is manifestly unfounded or excessive.

For US residents (CCPA notice)

California residents have the right to know what personal information we collect, the right to delete it, the right to opt out of any "sale" (we do not sell), and the right to non-discrimination for exercising these rights. To make a request, email privacy@vantyris.com.

Changes

We will update this Policy as the service evolves. Material changes will be notified by email and at the top of this page at least 14 days before they take effect.

Contact

Data protection: privacy@vantyris.com. Shield Trust Holdings, [TBD: registered address], United Kingdom.