Privacy Policy
Last updated 11 July 2026
VulniPulse provides vulnerability intelligence, monitoring, email alerts, and Android phone notifications. This policy explains the information used to operate those services.
Information we process
- Account information such as email address, display name, password hash, verification state, and optional encrypted two-factor authentication secret.
- Monitoring configuration including vendor rules, severity thresholds, fleet products and versions, alert preferences, webhooks, comments, and referral state.
- Android installation information including an installation identifier, app version, locale, timezone, notification permission, quiet hours, and Firebase registration token.
- Subscription information including Google Play or Stripe purchase identifiers, entitlement status, renewal state, and expiry. VulniPulse does not receive full card details.
- Security and operational records such as rate-limit keys, delivery status, login/session tokens stored as hashes, and service diagnostics.
How information is used
We use this information to authenticate accounts, match advisories to rules, deliver requested alerts, verify subscriptions, prevent abuse, provide support, and keep the service secure. We do not sell personal information or use fleet data for advertising.
Service providers
VulniPulse may use Fly.io for hosting, Firebase Cloud Messaging for Android delivery, Google Play for Android purchases and sign-in, Stripe for web purchases, and configured email providers for account and alert email. Each provider processes only the information needed for its role.
Retention and deletion
Account data is retained while the account is active. Successful delivery diagnostics are pruned on a rolling basis. Revoked tokens and minimal deduplication records may be retained for security and delivery integrity. You can permanently delete your account and associated rules, fleet items, devices, comments, webhooks, sessions, and entitlements from the Android app or website account settings.
Security
Connections use HTTPS. Passwords are salted and hashed, mobile refresh tokens rotate and are stored hashed on the server, and Android credentials use Keystore-backed encryption. No security system is infallible; contact us promptly if you suspect account compromise.
Your choices
You can disable phone notifications or email per rule, revoke individual devices, change digest and quiet-hour preferences, export fleet data, or delete your account. Android notification permission can also be changed in system settings.
Contact
Privacy and support enquiries can be sent to suggesstionsvulnspulse@gmail.com.