Privacy Policy

Last updated: 8 June 2026

This Privacy Policy explains how DataDike ("CVEsafe", "we") collects, uses, shares and protects personal data when you use the CVEsafe platform and website. We process personal data in accordance with the Brazilian General Data Protection Law (LGPD, Law No. 13.709/2018) and other applicable laws. For personal data you provide, DataDike acts as the data controller.

1. Data we collect

• Account data: name, email, organization, country, password (stored hashed), and authentication/MFA data.
• Usage data: log-in records, IP address, device/user-agent, and product activity needed to operate and secure the Service.
• Customer content: the assets you add (domains, hosts, IP ranges) and the scan results generated for your organization.
• Billing data: handled by our payment processor (see below). We receive limited billing metadata (plan, status, country, last digits), not full card numbers.

2. How we use data

To provide and secure the Service, run scans you request, prioritize findings, send transactional emails and reports, manage your subscription, prevent abuse, comply with the law, and improve the product.

3. Legal bases (LGPD)

We rely on: performance of our contract with you; your consent where required; our legitimate interests (e.g. securing the Service, preventing abuse); and compliance with legal obligations.

4. How we share data

• Payments: processed by Paddle.com, our Merchant of Record, under their Privacy Policy.
• Infrastructure providers (hosting, email delivery, threat-intelligence sources) strictly to operate the Service.
• Legal: where required by law or to protect rights and safety.

We never sell your personal data, and we do not access, analyse or share your scan results except as needed to provide the Service to you.

5. Data retention

We keep account data while your account is active and scan history according to your plan's retention period. We retain limited records longer where required for legal, tax or security purposes, then delete or anonymize them.

6. Security

We use encryption in transit and at rest for sensitive credentials, per-organization data isolation (multi-tenant), access controls and MFA. No method is 100% secure, but we work to protect your data.

7. International transfers

Some providers may process data outside your country. Where that happens, we use appropriate safeguards consistent with the LGPD and applicable law.

8. Your rights

Subject to the LGPD, you may request access, correction, anonymization, portability, deletion, information about sharing, and withdrawal of consent. To exercise these rights, contact us at contact@cvesafe.com.

9. Cookies

We use strictly necessary cookies for authentication and security, and minimal analytics to understand site usage. You can control cookies in your browser.

10. Children

The Service is not directed to children under 18 and we do not knowingly collect their data.

11. Changes

We may update this Policy; material changes will be notified and the "last updated" date will change.

12. Contact

Privacy questions and data-subject requests: contact@cvesafe.com.

CVEsafe is operated by DataDike. Payments are processed by Paddle.com as Merchant of Record.