Short version: we do not sell your data, we do not run ad trackers, and we keep what we collect to the minimum needed to do business with you.
Who we are
pentest [systems] operates this website and the associated services. To contact us about anything in this policy, use the contact form on the homepage.
What we collect and why
Contact and inquiry data
When you email us or book a scoping call, we collect your name, email address, and message content. We use this to respond and, if you become a client, to run the engagement. Legal basis: legitimate interest (GDPR Art. 6(1)(f)); contract performance where applicable.
Website analytics
If you accept analytics cookies, we collect anonymized page-view data (pages visited, time on page, referrer). We do not track individuals across sites. Analytics are off by default in the EU/EEA/UK and in US states with consumer privacy laws. Legal basis: consent (GDPR Art. 6(1)(a)).
Essential cookies
We set one cookie to remember your cookie consent choice. It contains no personal data beyond that preference. Legal basis: legitimate interest under GDPR; not classified as a sale or share under US state laws.
Engagement data
For clients, we process technical data (IP ranges, hostnames, credentials provided for testing) strictly within the scope agreed in the statement of work (SOW). This data is handled under a separate data processing agreement.
What we do not do
- We do not sell personal data to third parties.
- We do not share personal data for cross-context behavioral advertising.
- We do not use tracking pixels, fingerprinting, or cross-site tracking.
- We do not send unsolicited marketing email.
How long we keep data
- Inquiry emails: retained until the inquiry resolves or for up to 2 years if no engagement follows.
- Client engagement data: retained for the duration of the engagement plus 3 years for legal and audit purposes, then deleted or returned per the SOW.
- Analytics data: aggregated; individual session data expires after 13 months.
- Consent records: retained for 2 years from consent date.
Your rights
EU / EEA / UK residents (GDPR)
You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data (GDPR Art. 15–22). Send a request via the contact form on the homepage. We respond within 30 days. You also have the right to lodge a complaint with your supervisory authority.
US residents
Depending on your state, you may have rights to know, access, delete, correct, and opt out of the sale or sharing of personal information. These rights apply under CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), TDPSA (Texas), OCPA (Oregon), and equivalent acts in other states. We do not sell or share personal information for cross-context behavioral advertising. To exercise any right, use the contact form on the homepage.
Cookie preferences
Manage your cookie preferences at any time.
Third-party services
No third-party analytics by default. If analytics are enabled, we use a privacy-first provider that does not receive personally identifiable data. No social media embeds, no advertising trackers, no CDN-loaded scripts from third parties.
Security
We apply appropriate technical and organizational measures to protect personal data. Engagement data is handled over encrypted channels and under the access controls specified in the SOW. We are a security firm; our own data practices reflect that.
Changes to this policy
Material changes will be posted here with an updated effective date. For significant changes affecting client data, we will notify affected parties directly.
Contact
Privacy questions or rights requests: use the contact form on the homepage.