Privacy Policy
1. Who we are
This Privacy Policy explains how True Hacking ("we", "us", "our") collects, uses, shares, and protects information about you when you use the True Hacking platform at https://truehacking.ai (the "Service").
True Hacking is the data controller responsible for your personal data under Lei Geral de Proteção de Dados Pessoais (LGPD, Lei 13.709/2018) and applicable international privacy laws.
For privacy-related inquiries, including exercising your data subject rights, contact our Data Protection Officer at support@truehacking.ai.
2. Information we collect
We collect information in three categories:
- Email address (used as your login identifier)
- Password (stored only as a bcrypt hash; we never see the plaintext)
- Optional full name and organization name you supply at registration
- OAuth profile data (name, email, profile photo URL) if you sign in via Google or GitHub
- Two-factor authentication secrets if you enable 2FA
- Scan targets (domains, IPs, URLs) you add to engagements
- Engagement metadata (names, descriptions, client labels)
- Manual review notes, severity adjustments, proof-of-concept text you write into findings
- Domain ownership verification proofs (DNS TXT records or HTTP files containing tokens we issue)
- Scan execution data: tool outputs, normalized evidence rows, correlated findings, AI enrichment results
- Audit logs: authentication events, administrative actions, data access (retained per the platform-level setting, default 365 days)
- Session metadata: IP address, user agent, login timestamps
- Refresh-token records (revoked sessions are kept for audit purposes)
3. Why we collect it (purposes and legal basis)
Under LGPD, every category of processing requires a legal basis. We rely on the following:
- Performance of contract (Art. 7, V) — to operate the Service: authenticate you, execute scans you request, store results, deliver reports.
- Consent (Art. 7, I) — for OAuth sign-in via third-party providers and any future marketing communications. You can withdraw consent at any time.
- Legitimate interest (Art. 7, IX) — to maintain security audit logs, detect abuse, enforce platform-level rate limits and quotas, debug production incidents.
- Legal obligation (Art. 7, II) — to comply with tax, civil, and criminal record-keeping requirements when applicable.
4. Who we share it with
We do not sell your data. We share it only with service providers strictly necessary to operate the platform:
- Resend (transactional email provider, US) — to deliver password-reset and security notification emails. We send only your email address and the message body.
- Hosting infrastructure — our application servers and database run on infrastructure provided by hosting partners who have signed appropriate data-processing agreements.
- Future payment processor — when paid plans launch we will integrate a payment provider; this Policy will be updated to identify them and you will be notified before any billing data is collected.
We will disclose data to law enforcement only when compelled by a valid court order or equivalent legal process, and we will notify you unless prohibited by law from doing so.
5. International data transfers
Some of our service providers (notably Resend) operate from outside Brazil. Where personal data is transferred internationally, we rely on the safeguards permitted under LGPD Art. 33, including standard contractual clauses and adequate-protection assessments of the receiving jurisdictions.
6. How long we keep it
- Account data — for as long as your account is active. Deleted within 30 days of account deletion, except where legal-obligation retention applies.
- Engagement data (scan results, findings, evidence) — retained as long as the engagement exists. Deleted when you delete the engagement or your account.
- Audit logs — retained for the period configured at the platform level (default 365 days), then automatically purged by a daily cron job.
- Tool output files on disk — purged after 30 days by default to prevent unbounded disk consumption.
- Revoked refresh tokens — kept indefinitely for audit purposes, with their session metadata anonymized after 90 days.
7. Your rights under LGPD
As the data subject, you have the following rights regarding your personal data (LGPD Art. 18):
- Confirmation of the existence of processing
- Access to your data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with LGPD
- Data portability to another service provider
- Deletion of personal data processed with your consent (subject to the retention periods above)
- Information about public and private entities with which we have shared your data
- Information about the option to refuse consent and the consequences of refusal
- Revocation of consent
Most of these you can exercise directly inside the Service:
- Access your data: visible throughout the dashboard and via the user profile
- Delete your account (and all associated personal data): Profile → Delete Account. This wipes credentials, memberships, and personal identifiers; engagement data is also removed unless otherwise specified.
- Export your data: contact us at support@truehacking.ai and we will provide a portable JSON export within 15 days.
For any request you cannot complete in-app, contact our DPO at support@truehacking.ai. We respond to verified requests within 15 days as required by LGPD.
8. How we protect your data
- All traffic is served over HTTPS with modern TLS configuration
- Passwords are stored only as bcrypt hashes (cost factor 12)
- Authentication uses short-lived JWT access tokens and rotation-on-use refresh tokens
- Two-factor authentication is available, and is required for superuser accounts
- Server-side enforcement of all plan and quota limits (controls disabled in the frontend are UX hints only, not the enforcement point)
- Per-tool subprocess memory limits prevent runaway tools from compromising other workloads
- HTTP rate limiting on authentication endpoints to mitigate credential stuffing
- Production-mode startup checks fail loudly on insecure configuration (default secrets, wildcard CORS)
- Daily encrypted backups of the production database
No system is impenetrable. If we discover a breach affecting your personal data, we will notify you and the Brazilian National Data Protection Authority (ANPD) within the timeframes required by LGPD.
9. Cookies
We use only functional cookies strictly necessary to operate the Service:
- Authentication cookies / localStorage entries holding your access and refresh tokens
- Session cookies for OAuth flows
We do not use tracking, analytics, or advertising cookies. We do not currently integrate any third-party analytics service.
10. Children's data
The Service is not directed to children under 18. We do not knowingly collect personal data from minors. If you become aware that a child has provided us personal data, contact us and we will remove it.
11. Changes to this Policy
We may update this Policy to reflect changes in the Service, our practices, or legal requirements. The effective date at the top of this page reflects the most recent revision. For material changes we will notify registered users by email at least 15 days before the new version takes effect.
12. Contact
For any privacy-related questions, requests, or complaints, contact our Data Protection Officer at support@truehacking.ai.
You also have the right to lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.