
Privacy Policy.

This policy explains what AttackEdge collects about you, why, where it lives, who touches it, and what you can ask us to do with it. We have written it to be readable. It covers customers in Australia, the United Kingdom, the European Union, and elsewhere.

Last updated: 2026-04-21

1. Who we are

AttackEdge is operated by ArmoniaLabs (sole trader, registered business name "ArmoniaLabs"), ABN 81 392 893 669, registered at [TBC: your registered business address]. In this policy, "we" and "us" mean ArmoniaLabs.

We are committed to the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). Where you are in the United Kingdom or the European Economic Area, we also apply the principles of UK GDPR and EU GDPR where relevant. If the Privacy Act small-business exemption would otherwise apply to us, we opt out of it: we voluntarily comply with the APPs regardless.

2. What we collect

  • Account information: your name, email address, and the organisation you represent.
  • Targets you submit: the domains, subdomains, IP addresses, and hosts you ask us to scan. We also store ownership-verification artefacts (DNS TXT records, verification files).
  • Scan results: findings our tools produce about your external attack surface, including identifiers for services, software versions, and potential vulnerabilities.
  • Report data: the written report we produce, including any notes added during a human review.
  • Billing information: handled by Stripe on our behalf. We see invoice metadata, transaction identifiers, and your billing email. We do not see or store your full card number.
  • Communications: email you send us, and email we send you.
  • Product telemetry: basic server logs (IP address, user-agent, timestamp, endpoint) retained for security and debugging.

3. Why we collect it

We collect and use your information to provide and operate the service: to authenticate you, verify ownership of scan targets, run scans, generate and deliver reports, bill you, respond to support requests, and secure our own systems.

Under UK and EU GDPR, our legal bases are: (a) performance of a contract with you, (b) our legitimate interests in operating and improving the service and securing our systems, and (c) your consent where we ask for it (for example, marketing email). You can withdraw consent at any time without affecting processing that happened before you withdrew.

4. Where it is stored

Customer data (accounts, targets, scan results, reports) is stored in Supabase-hosted infrastructure in Sydney, Australia (AWS ap-southeast-2). Backups are held in the same region. We do not move storage outside Australia. Some vendors that process data on our behalf are incorporated in other countries. Section 6 lists them.

5. Who handles it

Inside our organisation, access to production data is least-privilege and logged. At this stage of the business the founder is the primary person with access. As we grow, access expands only to background-checked operators on a need-to-know basis.

We use third-party subprocessors to deliver the service. Each one handles a specific slice of data needed for its function. The current list:

Supabase

Purpose: Database, authentication, storage. Data hosted in Sydney, Australia (AWS ap-southeast-2). Vendor incorporated in the United States.

Stripe

Purpose: Payment processing. Processor incorporated in the United States. Card data handled by Stripe under PCI DSS, never by us.

Resend

Purpose: Transactional email delivery. Incorporated in the United States.

Anthropic

Purpose: AI analysis of scan findings (Claude API). Incorporated in the United States. Prompts and completions are processed under vendor API terms that disable training on customer data.

6. Cross-border transfers

Several of our subprocessors are incorporated in the United States. Where your data is disclosed to them (for example, transactional email metadata to Resend, scan findings to Anthropic for AI analysis), that disclosure is a cross-border data transfer.

For customers in the EU and UK, we rely on the UK International Data Transfer Agreement or the European Commission's Standard Contractual Clauses with each relevant subprocessor. We will provide copies of the executed transfer instruments on written request to privacy@attackedge.io.

For customers in Australia, we take reasonable steps under APP 8 to ensure overseas recipients handle your information consistently with the APPs.

7. Your rights

You have the right to:

  • Access the personal information we hold about you.
  • Ask us to correct information that is inaccurate or out of date.
  • Ask us to delete your personal information, subject to legal retention obligations.
  • Ask us to transfer your personal information to you or to another service (data portability), where technically feasible.
  • Object to processing based on our legitimate interests.
  • Withdraw consent for processing based on consent.
  • Lodge a complaint with a privacy regulator.

To exercise any of these rights, email privacy@attackedge.io. We respond within 30 days.

8. Retention

Account information and scan history are retained for the life of your account. After account closure, we delete personal information within 90 days, except where we are required to retain it for legal, accounting, or dispute-resolution reasons (in which case the applicable minimum retention period applies).

Server logs are retained for up to 12 months. Billing records are retained for seven years to comply with Australian taxation requirements.

9. Security

Data in transit is encrypted with TLS 1.2 or higher. Data at rest is encrypted by the storage provider (AES-256). Production secrets are held in environment-scoped vaults and never committed to source control. We follow the principle of least privilege for operator access and keep audit logs of administrative actions.

If a security incident exposes any customer data, we will notify affected customers in line with the Notifiable Data Breaches scheme under the Privacy Act 1988, and the equivalent obligations in the UK GDPR and EU GDPR, typically within 72 hours of confirming a reportable incident.

10. Cookies and local storage

Our website uses a small number of strictly necessary cookies and local-storage keys to remember your theme preference and maintain your signed-in session. We do not use advertising or cross-site tracking cookies at this time. If we introduce analytics, we will update this policy and, where required, ask for your consent.

11. Children

AttackEdge is a business tool. It is not directed to children and we do not knowingly collect information from anyone under 16. If you believe we hold information about a child, contact privacy@attackedge.io and we will delete it.

12. Complaints

If you are unhappy with how we have handled your personal information, email privacy@attackedge.io first. We will acknowledge within five business days and respond substantively within 30 days.

If you are not satisfied with our response, you can complain to:

  • Australia: Office of the Australian Information Commissioner (OAIC), oaic.gov.au.
  • United Kingdom: Information Commissioner's Office (ICO), ico.org.uk.
  • European Economic Area: your national data-protection authority.

13. Changes to this policy

We update this policy when the service or the law changes. Material changes are notified by email or through the product before they take effect. The current version is always on this page, with the "last updated" date at the top.

14. Contact

Privacy questions and rights requests: privacy@attackedge.io. Postal correspondence: ArmoniaLabs, [TBC: your registered business address].
