Privacy Policy
Last updated: 2025-09-02
Introduction. This Privacy Policy explains how Vulindex ("we", "us", "our") collects, uses, and protects information when you subscribe to and use our CVE bulletin service and when you visit our website. We are committed to handling personal information responsibly and transparently, in line with applicable data protection laws.
Scope. This Policy applies to our website, email bulletins, and related operations that we control. It does not cover third‑party services that we do not control. Where we rely on service providers, we require them to protect your information appropriately.
Data Controller & Contact. Vulindex acts as the data controller for the processing described here. If you have any questions, or to exercise your rights, contact us at support@vulindex.com.
Information We Collect. When you subscribe, we collect your email address and your selected timezone so we can deliver the daily digest at the correct local time. During email delivery we also receive technical delivery and engagement signals from our email provider (for example: message identifiers, event timestamps, whether an email was opened or a link was clicked, and similar diagnostic data). Our systems may also process limited technical metadata made available by the provider, such as user‑agent or IP information associated with an event, where provided.
Purposes of Processing. We use this information to provide and operate the service, deliver emails at 16:00 in your local time, monitor reliability and deliverability, reduce noise and improve relevance, troubleshoot issues, protect against abuse, and comply with legal obligations. We do not use your information for advertising or cross‑site tracking.
Legal Bases. We process your information based on your request to receive the service (performance of a contract), our legitimate interests in operating a reliable, secure, and relevant bulletin (for example, monitoring delivery and engagement to keep the service working), and, where required, your consent (for example, when you sign up).
Processing & Service Providers. We send emails through our email service provider Resend. Delivery and engagement events (such as open, click, bounce, or complaint) are transmitted to us through signed webhooks and are recorded for reliability and operations. We verify webhook signatures using industry‑standard methods. Data is stored in a secure database that we control. We do not sell personal data.
International Transfers. Because some providers may operate globally, your information may be processed in countries other than your own. Where transfers occur, we rely on appropriate safeguards permitted under applicable law.
Data Retention. We keep subscription data for as long as your subscription remains active. If you unsubscribe, we aim to remove or anonymize your personal information within 30 days, unless retention is required by law or necessary to resolve disputes, maintain security, or enforce our terms.
Security. We use reasonable technical and organizational measures to protect information, including TLS for data in transit, access controls, and secure credential handling. While no system is perfectly secure, we work to prevent unauthorized access, disclosure, alteration, or destruction.
Cookies & Similar Technologies. Our website uses essential functionality, and the subscription form may integrate Google reCAPTCHA to prevent abuse; reCAPTCHA is governed by Google’s policies. We do not use cookies for advertising or cross‑site tracking.
Your Choices & Rights. You can unsubscribe at any time using the link in each email. Depending on your location, you may have rights to request access to, correction of, deletion of, or portability of your information, and to object to or restrict certain processing. To exercise these rights, contact us at the email above. We may need to verify your identity before responding.
Children. Our service is intended for use by professionals and is not directed to children. We do not knowingly collect information from children.
Changes to This Policy. We may update this Policy from time to time. The “Last updated” date reflects the latest version. Material changes will be communicated through the website or by email where appropriate.
How to Contact Us. If you have questions about this Policy or our practices, please email support@vulindex.com. We typically respond within 24 hours.
Definitions. In this Policy, “delivery and engagement signals” refers to technical events provided by our email processor that describe message handling (for example, delivered, bounced, complained) and high‑level interaction (for example, opened, clicked). These signals are diagnostic in nature and help us operate a reliable service.
Data Minimization & Detailed Retention. We aim to collect only what is necessary for the service. Subscriber contact data is kept while your subscription is active; after you unsubscribe, we target removal or anonymization within 30 days. Operational delivery/engagement logs that support reliability and anti‑abuse measures are typically kept for a limited period (for example, up to 180 days) and then deleted or aggregated. Server security logs may persist longer where required for integrity, fraud prevention, or legal obligations.
Access Requests Workflow. To exercise your rights, contact us at the address above with enough information to identify you. We may request proof of control of the mailbox (for example, replying from the subscribed address) or additional verification where appropriate. We strive to respond without undue delay and, where required by law, within one month. Certain requests may be limited where disclosure would adversely affect the rights of others or our security obligations.
Incident Response. We maintain operational monitoring and aim to act promptly on credible security events. If a personal‑data incident were to occur, we would investigate, take remedial steps, and, where legally required, notify the relevant authorities and affected individuals.
Regional Disclosures. For individuals in the EEA/UK, you may contact your local supervisory authority if you believe our processing violates applicable law. For California residents, we do not sell personal information and we do not share it for cross‑context behavioral advertising. You may exercise your rights using the contact details above.
Automated Decision‑Making. We do not engage in automated decision‑making that produces legal or similarly significant effects about you. Delivery and engagement signals are used for reliability, abuse prevention, and content relevance, not for advertising profiles.
Policy Archive. We may keep previous versions of this Policy. If you need a copy of a prior version, contact us and we will provide it where available.