Privacy Policy

Last updated: March 21, 2026

Recon0x is a service operated by Meetalent ("we", "us", "our"). We are committed to protecting your privacy. This policy explains what personal data we collect, why we collect it, and how we handle it in compliance with the EU General Data Protection Regulation (GDPR/RGPD).

1. Data We Collect

We collect the following categories of personal data:

  • Account information. When you sign up via Clerk (our authentication provider), we receive your name, email address, and profile picture. We do not store your password.
  • Scan targets. Domain names and URLs you submit for quick scans or full penetration tests.
  • Credentials for authenticated testing. If you provide login credentials to enable authenticated penetration testing, these are encrypted with AES-256-GCM (including IV and authentication tag) before storage. Credentials are automatically purged after 2 hours of inactivity. They are never stored in plain text and never shared with third parties.
  • Scan results and findings. Vulnerability data, severity scores, evidence, and remediation recommendations generated by our scanning engine.
  • Payment information. Payment is processed entirely by Stripe. We do not store your credit card number. We receive transaction metadata such as payment status, amount, and invoice references.
  • Usage and analytics data. Page views, feature usage, and performance metrics collected via Vercel Analytics and our custom tracking events. This data is aggregated and does not include sensitive personal information.

2. How We Use Your Data

  • Perform security scans and penetration tests on the domains you submit, and generate detailed reports with findings and remediation guidance.
  • Process payments for purchased penetration tests via Stripe.
  • Send transactional emails such as payment confirmations, scan completion notifications, and account-related communications.
  • Improve our service by analyzing usage patterns, optimizing scan accuracy, and reducing false positives.
  • Comply with legal obligations including tax and accounting requirements.

3. Legal Basis for Processing

Under the GDPR, we process your data on the following legal grounds:

  • Contract performance. Processing your data is necessary to deliver the penetration testing service you purchased.
  • Legitimate interest. We have a legitimate interest in analyzing usage data to improve our service quality and security, provided this does not override your rights.
  • Consent. Where required, we obtain your explicit consent before processing (for example, when you provide testing credentials). You may withdraw consent at any time.

4. Third-Party Services

We rely on the following third-party providers to operate our service. Each processes data only as necessary for its stated purpose:

  • Clerk (authentication): manages user accounts, session tokens, and OAuth sign-in.
  • Stripe (payments): processes credit card transactions and manages billing.
  • Neon (database): hosts our PostgreSQL database in the EU (West region).
  • Scaleway (compute and storage): provides the infrastructure for running penetration tests and storing reports. Servers are located in Paris, France.
  • Resend (email): sends transactional emails such as payment confirmations and scan notifications.
  • Vercel (hosting and analytics): hosts our web application and provides performance analytics.

5. Credential Security

When you provide login credentials for authenticated penetration testing, we apply strict security measures:

  • Credentials are encrypted using AES-256-GCM with a unique initialization vector and authentication tag.
  • They are never stored in plain text at any point during their lifecycle.
  • Credentials are automatically purged after 2 hours of inactivity, regardless of scan status.
  • They are never shared with third parties, logged, or included in reports.

6. Data Retention

  • Account data: retained while your account is active. Deleted within 30 days of account closure upon request.
  • Scan results and reports: retained for 12 months from the date of the scan, then automatically deleted.
  • Testing credentials: maximum 2 hours, then automatically purged.
  • Payment records: retained as required by French tax and accounting law (currently 10 years for invoices).

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access: request a copy of all personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your personal data, subject to legal retention obligations.
  • Right to data portability: receive your data in a structured, machine-readable format.
  • Right to object: object to processing based on legitimate interest.
  • Right to restrict processing: request that we limit how we use your data.
  • Right to withdraw consent: withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at contact@recon0x.com. We will respond within 30 days.

8. Cookies

We use the following types of cookies:

  • Essential cookies (Clerk): session management and authentication. These are strictly necessary for the service to function and cannot be disabled.
  • Analytics cookies (Vercel): anonymous usage statistics to help us improve the service. These do not track you across other websites.

We do not use any third-party advertising cookies.

9. Contact

For any questions about this privacy policy or your personal data, please contact us at contact@recon0x.com.

If you believe your data protection rights have not been addressed, you have the right to lodge a complaint with the French data protection authority (CNIL) at www.cnil.fr.