# Privacy Policy — VulnEye

**Last updated: June 27, 2026**

VulnEye ("we", "our", or "the app") is a security research reference tool for browsing Common Vulnerabilities and Exposures (CVEs). This policy explains what data we collect, how we use it, and your rights. We follow the spirit of Apple's privacy guidelines and the Saudi Personal Data Protection Law (PDPL).

---

## 1. Information We Collect

### 1.1 Without Sign-In (Anonymous Use)

You can use most of VulnEye without creating an account. We do **not** collect any personally identifiable information when you browse CVEs anonymously.

The following data stays **locally on your device only**:

- CVE viewing history (cache)
- Bookmarked CVEs (legacy local-only bookmarks)
- App preferences

### 1.2 When You Sign In with Phone Number (Optional)

If you choose to sign in using Phone Authentication, we collect:

- **Phone number** (handled by Firebase Authentication)
- **Anonymous Firebase user ID (UID)** generated at sign-in

This is required to enable cloud-synced features:

- Saving CVEs across devices
- AI-powered vulnerability analysis
- Critical CVE push notifications

### 1.3 Notification Token (Optional)

If you enable critical CVE alerts:

- **Firebase Cloud Messaging (FCM) token** — an anonymous device token used solely to deliver push notifications for critical vulnerabilities.

### 1.4 Saved CVEs

If signed in, the IDs of CVEs you bookmark are stored in our Firestore database under your user account.

### 1.5 AI Analysis Requests

When you request AI mitigation analysis for a CVE, we send the **CVE metadata only** (CVE ID, description, CVSS score, vendor, product) to our Cloud Function, which forwards it to the Anthropic Claude API. We do **not** send any personal information.

A daily usage counter is kept per user (max requests per day) to prevent abuse — this counter contains only a numeric value, no personal data.

---

## 2. What We Do NOT Collect

We do **not** collect:

- Real name, email address, or postal address
- Precise location or GPS data
- Contacts, photos, calendar, or other device content
- Health, financial, or biometric data
- Analytics or behavioral tracking data
- Advertising identifiers (IDFA)
- Browsing history outside the app

---

## 3. How We Use Your Information

| Data | Purpose |
|------|---------|
| Phone number | Verify your identity for sign-in |
| Firebase UID | Identify your saved CVEs in the cloud |
| FCM token | Deliver critical CVE push notifications |
| Saved CVE IDs | Sync your bookmarks across devices |
| CVE metadata (sent to Claude) | Generate vulnerability mitigation reports |

We do **not** sell, rent, or share your data with third parties for advertising or profiling.

---

## 4. Third-Party Services

VulnEye uses the following services. Each has its own privacy policy:

### Google Firebase (by Google LLC)

We use:

- **Authentication** — Phone number sign-in
- **Firestore** — Cloud database for saved CVEs and cached AI reports
- **Cloud Functions** — Secure server-side proxy for AI requests
- **Cloud Messaging** — Push notifications for critical CVEs

Firebase Privacy Policy: https://firebase.google.com/support/privacy

### Anthropic Claude API

We send CVE metadata (no personal information) to generate AI mitigation analysis. The request is proxied through our Cloud Function — the Claude API never sees your phone number, UID, or device token.

Anthropic Privacy Policy: https://www.anthropic.com/privacy

### National Vulnerability Database (NVD) — by NIST (U.S. Government)

We fetch public CVE data from NVD. This is a **read-only** connection; we do not send personal information to NVD.

NVD API Privacy: https://nvd.nist.gov/general/privacy-policy

### Apple Push Notification service (APNs)

Used for delivering iOS push notifications. Apple's privacy practices apply: https://www.apple.com/legal/privacy/

---

## 5. Data Storage and Security

- **Cloud data** is hosted on Google Firebase servers (multi-region).
- **Phone authentication** is handled entirely by Firebase Auth.
- **All network traffic** uses HTTPS (TLS 1.2+).
- **Firestore Security Rules** restrict cloud data so only the authenticated owner can read their own saved CVEs.
- **API keys** for third-party services (e.g., Claude) are kept on our servers — never bundled with the app.

---

## 6. Data Retention

| Data | Retention period |
|------|------------------|
| Phone number & user account | Until you delete your account |
| Saved CVE IDs | Until you remove them or delete your account |
| FCM token | Until you disable alerts or uninstall the app |
| Cached AI mitigation reports | Indefinitely (shared cache, not user-specific) |
| Local cache | Until you clear it or uninstall the app |

---

## 7. Your Rights

You have the following rights at any time, free of charge:

### 7.1 Delete Your Account

**Settings → Account → Delete Account**. This permanently removes:

- Your phone authentication record
- All saved CVEs associated with your account
- Your daily usage counter
- All cloud data linked to your user ID

Deletion is immediate and irreversible.

### 7.2 Sign Out

**Settings → Account → Sign Out**. Clears your saved CVEs from this device (they remain in the cloud and return on next sign-in).

### 7.3 Disable Notifications

**Settings → Critical CVE Alerts → Toggle off**. Stops all push notifications from VulnEye.

### 7.4 Access Your Data

Email us to request a copy of your data: **xhlaxz@gmail.com**

### 7.5 Withdraw Consent

You can use the app without signing in. Sign-in is optional and controls cloud features only.

---

## 8. Children's Privacy

VulnEye is **not directed at children under 13**. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

---

## 9. International Data Transfers

Firebase servers may be located outside Saudi Arabia. By using the app, you consent to your data being processed in the United States and other jurisdictions where Google operates Firebase, in compliance with applicable data protection laws.

---

## 10. Lawful Basis (PDPL / GDPR)

We process your data on the following lawful bases:

- **Consent** — when you sign in or enable notifications
- **Legitimate interest** — to provide the requested security research functionality
- **Contract** — to deliver the features you've signed up for

---

## 11. Security Research Disclaimer

VulnEye is intended for **authorized security research and defensive purposes only**. The information shown — including AI-generated analysis and references to public Proof-of-Concept (PoC) materials — comes from public sources (NVD, vendor advisories, security researchers' published reports). Users are responsible for following responsible disclosure practices and applicable laws in their jurisdiction.

---

## 12. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. Significant changes will be communicated through the app.

---

## 13. Contact

For any privacy-related questions or requests:

📧 **Email**: xhlaxz@gmail.com

🌍 **Built with ❤️ from Saudi Arabia 🇸🇦**

---

© 2026 VulnEye. All rights reserved.