Who We Are
"VCI", "we", "us", or "our" refers to Vendetta Cyber Intelligence, the operator of VCI SCRAPER at vciscraper.com. For privacy purposes, we are the data controller of the information described below.
Contact our Data Protection Officer at privacy@vciscraper.com.
What We Collect
We collect only what we need to operate the Service. Specifically:
Information You Give Us
- Account data: name, email address, password (hashed with bcrypt)
- OAuth data: if you sign up with Google, we receive your email and basic profile
- Billing data: we use Stripe — we receive transaction metadata (amount, status) but never your full card number or CVV
- Queries: the natural-language data requests you submit to SPYDER
- Support communications: messages you send to our support channels
Information We Collect Automatically
- Session data: session identifiers (stored in your browser as a cookie) and last-seen timestamps
- Technical data: IP address, browser type, device type, operating system, referring URL
- Usage data: pages visited, features used, jobs submitted, credits consumed, API calls made
- Logs: server logs that capture request paths, response codes, latency, and error traces
Information We Do Not Collect
- Your credit card or bank account numbers (handled by Stripe)
- Your contacts, calendar, files, or any data outside the Service
- Biometric data
- Precise location data (we infer approximate city from IP address only)
- Sensitive personal data such as health, race, sexual orientation, or political beliefs
How We Use Your Information
We use the information we collect for these specific purposes:
- Provide the Service. Authenticate you, deduct credits, run jobs, deliver datasets.
- Process payments. Charge you for credit purchases through Stripe.
- Communicate. Send transactional emails (account confirmation, magic links, job completion, billing receipts) and important Service notices.
- Support. Respond to your questions, troubleshoot issues.
- Improve. Analyze aggregated usage to improve SPYDER's planner, expand source coverage, fix bugs.
- Security. Detect and prevent fraud, abuse, unauthorized access, AUP violations.
- Comply with law. Respond to lawful requests from authorities, enforce our Terms.
We do not:
- Sell your personal information.
- Use your queries or delivered datasets to train external AI models.
- Show you third-party ads.
- Share your data with marketers or data brokers.
Legal Basis (GDPR Users)
If you are in the EEA or UK, our legal bases for processing your personal data are:
Who We Share Data With
We only share your data with a small set of service providers that help us operate, under strict contractual obligations:
Legal & Safety Disclosures
We may disclose your information when required by law, valid legal process, or to protect the rights, property, or safety of VCI, our users, or the public. Where legally permitted, we will notify you before such disclosure.
Business Transfers
If VCI is involved in a merger, acquisition, or asset sale, your personal information may be transferred. We will notify you before any such transfer and any change to this Privacy Policy.
Cookies & Tracking
We use a minimal set of cookies and similar technologies:
- vci_session — keeps you logged in. Essential. HttpOnly + Secure. Expires when you log out or after 30 days of inactivity.
- localStorage on your browser. Things like sidebar collapsed state. Never leaves your browser.
We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking. We do not currently use Google Analytics or any comparable tracking suite.
Data Retention
We retain personal data only as long as needed for the purposes described above:
- Account data: retained while your account is active and for up to 90 days after you delete it (for fraud prevention and dispute resolution).
- Query history & job records: retained while your account is active. Deleted within 90 days of account deletion.
- Delivered datasets: retained in your account for 90 days, then permanently deleted unless you save them locally.
- Billing records: retained for 7 years for tax and audit purposes.
- Server logs: retained for 30 days, then rolled off.
- Aggregated & anonymized data: may be retained indefinitely (no longer personal data).
Data Security
We implement the following safeguards:
- Encryption in transit: all traffic to and from the Service uses TLS 1.2 or higher (HTTPS).
- Encryption at rest: database and file storage are encrypted on disk.
- Password hashing: passwords are stored using bcrypt with appropriate work factors. We never store plaintext passwords.
- Access controls: internal access to user data is logged and restricted to authorized personnel on a need-to-know basis.
- Network protection: Cloudflare provides DDoS mitigation and WAF rules. Rate-limiting protects against brute force.
- Vulnerability management: dependencies are monitored and patched on a regular cadence.
No system is 100% secure. If we ever detect a breach affecting your data, we will notify you in accordance with applicable law (typically within 72 hours).
If you discover a security vulnerability, please report it responsibly to security@vciscraper.com. We do not currently run a paid bug bounty program but will acknowledge legitimate reports.
Your Rights
Regardless of where you live, you have the following rights with respect to your personal data:
- Access — request a copy of the personal data we hold about you
- Correct — ask us to fix inaccurate or incomplete data
- Delete — ask us to delete your data (subject to legal retention obligations)
- Export — request your data in a portable format
- Object — object to processing based on legitimate interest
- Restrict — ask us to limit how we use your data
- Withdraw consent — where processing is based on consent, you may withdraw it
To exercise any of these rights, email privacy@vciscraper.com. We will respond within 30 days. We do not charge a fee for these requests except where they are manifestly unfounded or excessive.
California Residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the CPRA):
- Right to know what personal information we collect, use, and share
- Right to delete personal information we have collected from you
- Right to correct inaccurate personal information
- Right to opt out of "sale" or "sharing" of personal information (we do not sell or share for cross-context advertising)
- Right to limit use of sensitive personal information (we do not collect or use sensitive PI as defined by CPRA)
- Right to non-discrimination for exercising your rights
We do not sell your personal information and we do not share it for cross-context behavioral advertising. There is no "Do Not Sell" link required because there is no sale to opt out of.
To exercise CCPA rights, email privacy@vciscraper.com with the subject line "CCPA Request".
EU / UK Residents (GDPR)
If you are in the EEA, UK, or Switzerland, you have the rights described in Section 09 above, plus:
- The right to lodge a complaint with your local data protection authority
- The right to be informed of automated decision-making with legal effects (we do not use such automated decision-making)
To exercise GDPR rights, email privacy@vciscraper.com. We do not currently have a representative in the EU. For EU complaints we will cooperate with the relevant Data Protection Authority.
International Transfers
VCI SCRAPER is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. We rely on Standard Contractual Clauses approved by the European Commission for transfers of EEA personal data to the United States, where applicable.
Children's Privacy
The Service is not intended for anyone under 18. We do not knowingly collect personal information from minors. If we discover we have collected personal information from a child without parental consent, we will delete it. If you believe a child has provided us with personal data, contact privacy@vciscraper.com.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Effective" date at the top of this page. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
For minor edits (clarifications, typo fixes), we will simply update the page without notice.
Contact Us
Questions, requests, or complaints about this Privacy Policy:
Attn: Privacy Officer
Woodland Hills, California, USA