Cystene Privacy Policy
Effective Date: March 5, 2026
Cystene is committed to safeguarding the privacy of its users and the organizations that use our platform to assess their infrastructure security. This Privacy Policy outlines how we collect, use, share, and protect personal information, in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
1. Information We Collect
1.1 Account Information
When you create a Cystene account, we collect:
- Name and Email Address: Used for account creation, authentication, and communication.
- Organization Details: Organization name and membership information for multi-user access.
- Billing Information: Payment details processed securely through Stripe. We do not store credit card numbers on our servers.
1.2 Scan Target Data
When you add scan targets and run security assessments, we collect and process:
- Target Information: Domains, IP addresses, IP ranges, and URLs you submit for scanning. These are stored to track scan history and provide ongoing security assessments.
- Scan Results: Vulnerability findings, discovered assets (hosts, services, technologies, certificates, DNS records), severity ratings, and remediation guidance generated by our scanning engines.
- Scan Configuration: Templates, schedules, and scan parameters you configure for your targets.
- Reports: Generated security assessment reports including findings summaries and detailed vulnerability data.
1.3 Automatically Collected Data
When you visit our website or use our platform, we may automatically collect:
- Device Information: IP address, browser type, operating system, device identifiers.
- Usage Data: Pages viewed, time spent on each page, navigation paths, and referring URL.
- Location Data: General geographic location inferred from your IP address.
2. How We Use Your Information
We use your information for the following purposes:
- To Provide Our Service: Execute security scans against your verified targets, generate vulnerability findings, discover infrastructure assets, and produce security reports.
- Account Management: Manage your account, authenticate your identity, and process subscription billing through Stripe.
- Security Trend Analysis: Track vulnerability trends and security posture over time to provide you with historical comparison and progress monitoring.
- Communication: Send service-related emails, respond to support inquiries, and notify you of important changes to our platform.
- Compliance and Legal Obligations: Process your data to comply with applicable laws, enforce our terms, and protect our rights or the rights of others.
3. Data Security
We take the security of your data seriously and implement the following measures:
- Data Encryption: Scan results, vulnerability data, and sensitive configuration are encrypted at rest.
- Transport Security: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS.
- Access Controls: Access to personal data and scan results is limited to authorized personnel. Scan targets and results are scoped to the owning user and organization.
- Payment Security: All payment processing is handled by Stripe. We never store credit card numbers on our servers.
- Scan Data Isolation: Your vulnerability findings and infrastructure data are strictly isolated from other users. No cross-tenant data access is possible.
Despite these measures, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.
4. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance user experience and track website performance. Cookies enable us to:
- Authenticate Sessions: Maintain your login state and secure access to your account.
- Track Website Performance: Use Vercel Analytics to collect and analyze anonymous usage data.
- Remember Preferences: Store your theme preference (light/dark mode) and other settings.
You can control cookie preferences through your browser settings. Please note that disabling cookies may affect certain platform features, including authentication.
5. Third-Party Services
We use third-party services to help us operate our platform, including but not limited to:
- Stripe: Subscription billing and payment processing. Stripe collects and processes payment information under its own privacy policy.
- Vercel: Hosts our website and provides anonymous analytics. Subject to Vercel's privacy policy.
These third parties may collect personal data subject to their own privacy policies. We recommend reviewing the privacy policies of these third parties.
6. Data Sharing and Disclosure
We may share your personal information with:
- Service Providers: Third parties who assist us in providing our services (e.g., hosting, payment processing).
- Legal Obligations: When required by law, regulation, or court order, or in response to a valid legal process.
- Business Transfers: In the event of a merger, sale, or acquisition, your personal information may be transferred to the acquiring entity.
We do not sell or rent your personal information to third parties for their marketing purposes. Your scan data (targets, findings, assets, reports) is only used to provide the Service to you and is never shared with other Cystene users.
7. Your Rights and Choices
7.1 Access and Control Over Your Data
You have the following rights regarding your personal data:
- Right to Access: You may request access to the personal data we hold about you.
- Right to Rectification: You can request correction of inaccurate or incomplete information.
- Right to Deletion: You can request the deletion of your data, including all scan targets, findings, and associated data.
- Right to Restrict Processing: You can request limitations on how your data is processed.
- Right to Object: You can object to data processing based on legitimate interests.
- Right to Data Portability: You can request a copy of your data in a structured, machine-readable format.
To exercise these rights, please contact us at contact@cystene.com. We may require verification of your identity before processing your request.
7.2 Scan Data Deletion
You can delete scan targets at any time through the Cystene dashboard. When you delete a target, all associated scan jobs, findings, assets, schedules, templates, and reports are permanently removed from our systems.
8. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with our services. When you delete your account or a scan target, we will delete the associated data within 30 days, except where we are required to retain it for legal or compliance purposes. Aggregated analytics data may be retained in anonymized form for service improvement.
9. International Data Transfers
Your personal data may be transferred to, and processed in, countries other than the country in which you reside. These countries may have data protection laws that are different from those in your country. We take appropriate steps to ensure that your personal information is protected in accordance with this Privacy Policy wherever it is processed.
10. Children's Privacy
Our services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. If we learn that we have inadvertently collected such information, we will delete it as soon as possible.
11. Data Controller
The data controller responsible for processing your personal data is Buraro Technologies, located in Bucharest, Romania. For any questions or requests regarding data protection, please contact us at contact@cystene.com.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes, we will revise the effective date at the top of the policy and post the updated policy on our website. We encourage you to review this policy regularly.
13. Contact
If you have any questions about this Privacy Policy or our data practices, please contact us at contact@cystene.com.