Privacy Policy
Last updated: 20 February 2026
IMPORTANT: This service is operated by a 17-year-old individual in the UK. By using this service, you acknowledge this is a personal project and accept all risks. For users under 18, parental consent is required.

The operator of Zeroday.report ("we," "our," or "us") is an individual based in the United Kingdom and is the data controller for personal data processed through this Service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our vulnerability management platform and services (the "Service").

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Information We Collect

Account Information

  • Email address
  • Name (if provided)
  • Profile information
  • Authentication data (password hashes, session tokens)

Organisation Information

  • Organisation name and settings
  • Team member information

Vulnerability Reports

  • Submitted vulnerability details
  • Communication between researchers and organisations
  • Report status and history

Vulnerability reports may contain sensitive technical information. We treat this data with appropriate technical and organisational safeguards. We do not access or review report contents except as necessary to operate the Service or where required by law.

Usage Data

We automatically collect: IP address (which may be hashed or anonymised), browser type, device information, access times, and pages viewed.

Cookies

We use essential cookies for authentication and core functionality. We also use analytics tools (Vercel Analytics, Sentry) to understand how users interact with the Service. These tools may set their own cookies. You may disable non-essential cookies in your browser settings, though this may affect Service functionality.

2. Legal Basis for Processing (UK GDPR)

We rely on the following legal bases to process your personal data:

  • Contract performance — to provide the Service you have signed up for
  • Legitimate interests — to improve the Service, detect fraud, and maintain security (where these interests are not overridden by your rights)
  • Legal obligation — to comply with applicable laws
  • Consent — where you have explicitly provided it (e.g. for non-essential cookies or marketing communications)

3. How We Use Information

We use your information to:

  • Provide and maintain the Service
  • Process transactions and manage accounts
  • Communicate with you about the Service
  • Improve and analyse usage patterns
  • Detect and prevent fraud and abuse
  • Enforce our Terms of Service
  • Comply with legal obligations

4. Data Sharing

We do not sell your personal data. We share data only with the following trusted third-party service providers, each of whom processes data on our behalf under appropriate data processing agreements:

  • Convex — Database and real-time features
  • Better-Auth — Authentication
  • Autumn — Payment processing
  • Resend — Email delivery
  • Sentry — Error tracking
  • Vercel — Hosting and analytics

We may also disclose your data where required by law, court order, or to protect the rights and safety of ourselves or others.

5. International Transfers

Some of our third-party service providers are based outside the UK. Where we transfer personal data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or an adequacy decision, as required by UK GDPR Chapter V.

6. Data Retention

When you delete your account, your personal data is deleted promptly and permanently.

We do not retain personal data beyond what is necessary for the purposes for which it was collected, or as required by law. Vulnerability reports and organisation data are deleted in accordance with the organisation's settings when the account or organisation is deleted. Some anonymised or aggregated data may be retained for analytical purposes.

7. Data Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit and at rest, access controls, and regular security assessments. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

8. Your Rights (UK GDPR)

Under UK GDPR, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate or incomplete data
  • Erasure — request deletion of your personal data (you may also delete your account directly)
  • Restriction — request that we restrict processing in certain circumstances
  • Portability — receive your data in a structured, machine-readable format where technically feasible
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing

To exercise these rights, delete your account through your account settings or contact us at support@zeroday.report. We will respond within one calendar month. If you are unsatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

9. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. Users aged 13–17 must have parental or guardian consent, as described in our Terms of Service. If you believe a child under 13 has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

11. Contact

If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at support@zeroday.report.