Privacy Policy

Effective 1 April 2026

1. Who We Are

PenReport AI ("we", "our", "us") operates the PenReport AI platform — an AI-assisted penetration testing report tool. This policy explains how we collect, use, and protect your personal data.

For privacy enquiries, contact us at privacy@penreport.ai.

2. Data We Collect

Account Data

When you create an account: email address, name, and workspace name.

Usage Data

Log data including API requests, feature usage, browser type, and IP addresses. This is used solely for security monitoring and service improvement.

Finding and Report Data

Security findings, reports, and evidence files that you create within the platform. This data is encrypted at rest and isolated to your workspace via PostgreSQL Row-Level Security.

Billing Data

Payment information is handled entirely by Polar, our Merchant of Record. We store only your Polar customer ID and subscription status. We never see or store full card numbers.

AI Job Audit Data

Logs of AI calls made on your behalf, including the model used, token counts, and completion status. This is used for quota tracking and transparency. You can view this log in Settings → AI Usage.

3. How We Use Your Data

  • To provide and operate the Service
  • To process AI requests on your behalf via Anthropic's Claude API
  • To enforce usage quotas and billing
  • To monitor for security incidents and abuse
  • To send transactional emails (account verification, billing receipts, job failure notifications)
  • To comply with legal obligations

We do not use your security findings or report data for any purpose beyond delivering the Service to you. We do not sell your data, share it with advertisers, or use it to train AI models.

4. AI Processing and Data Minimisation

When you request AI expansion of a finding, we send the finding text to Anthropic's Claude API. Before doing so, we automatically strip:

  • Internal IP addresses (RFC 1918 ranges)
  • Email addresses matching internal patterns
  • Internal hostnames (.corp, .local, .staging, .internal)
  • Apparent credential values (passwords, API keys, tokens)

Anthropic's API usage policy prohibits training on API inputs. Your finding data is processed and discarded — not retained by Anthropic for model training. Verify Anthropic's policy directly.

5. Sub-Processors

We use the following third-party services to deliver the Service:

Provider     Purpose                                        Location
Supabase     Database, authentication, file storage         EU / US
Anthropic    AI finding expansion and report generation     US
Upstash      Redis job queue (BullMQ)                       EU / US
Polar        Payment processing (Merchant of Record)        US
Fly.io       API server hosting                             EU / US
Vercel       Web app hosting                                Global CDN

6. Data Retention

  • Account data: retained for the lifetime of your account
  • Findings and reports: retained while your account is active
  • AI job audit logs: retained for 12 months
  • Billing records: retained for 7 years as required by law
  • All data: permanently deleted within 30 days of account deletion

7. Your Rights

Under UK GDPR and applicable data protection law, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data
  • Portability — export your workspace data (Settings → Data & Privacy)
  • Objection — object to certain processing activities
  • Restriction — request we limit processing of your data

To exercise any of these rights, email privacy@penreport.ai. We will respond within 30 days.

8. Cookies

We use only essential cookies required for authentication and session management (via Supabase Auth). We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is shown because no non-essential cookies are set.

9. Security

We implement appropriate technical and organisational measures to protect your data, including AES-256 encryption at rest, TLS 1.3 in transit, database-layer Row-Level Security, and short-lived signed URLs for evidence files. For full details, see our Security page.

10. Changes to This Policy

We will notify you by email at least 14 days before any material changes to this policy. The effective date at the top of this page reflects the most recent update.

11. Contact and Complaints

For privacy questions or to exercise your rights: privacy@penreport.ai

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.