Privacy Policy - PentestO

Last Updated: January 27, 2026

Welcome to PentestO ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and protect information when you use our comprehensive security testing platform at pentesto.com.au (the "Service"). We are committed to protecting your privacy and handling your data with transparency and security.

1. Information We Collect

1.1 Account Information

When you create an account with PentestO, we collect:

  • Name and email address
  • Company or organization name
  • Account credentials (passwords are stored only as hashes produced by industry-standard password hashing algorithms, never in recoverable form)
  • Contact information and billing details
  • User preferences and settings

1.2 Target Information

When you use our security testing tools, we collect and process:

  • Target URLs and domains you submit for security scanning
  • IP addresses of systems being tested
  • Authentication credentials you provide for authorized testing (JWT tokens, session cookies, API keys)
  • API endpoints and specifications (Swagger/OpenAPI files) you upload
  • HTTP requests and responses captured during security assessments
  • Web application structure discovered through endpoint enumeration

1.3 Security Scan Results

Our platform generates and stores comprehensive security testing data including:

  • Vulnerability findings from EnumBox, VulnBox, ExploitBox, WebBox, AuthBox, APIBox, and LogicBox
  • Technical details of identified security issues (missing HSTS headers, server banner disclosure, authentication weaknesses, missing password complexity requirements, XSS vulnerabilities, etc.)
  • Severity ratings and risk assessments
  • Remediation recommendations
  • Scan history and progress tracking
  • JSON-formatted reports and logs

1.4 Technical and Usage Information

We automatically collect:

  • IP addresses and browser information
  • Service usage patterns and feature utilization
  • Tool performance metrics (scan duration, success rates)
  • System logs and error reports
  • Celery task execution data
  • API request logs

2. How We Use Your Information

2.1 Service Delivery

We use your information to:

  • Execute security testing across our seven specialized tools (EnumBox, VulnBox, LogicBox, ExploitBox, WebBox, AuthBox, APIBox)
  • Generate comprehensive vulnerability reports and security assessments
  • Maintain scan history and enable result retrieval
  • Provide real-time progress tracking for long-running scans
  • Aggregate findings across multiple security domains
  • Process background tasks through our Celery worker infrastructure

2.2 Platform Improvement

We analyze anonymized data to:

  • Improve scanning accuracy and reduce false positives
  • Optimize timeout controls and rate limiting
  • Enhance tool performance (e.g., preventing infinite scanning issues)
  • Update vulnerability detection signatures
  • Develop new security testing capabilities

2.3 Security and Compliance

We process information to:

  • Protect our Service with ModSecurity WAF (Web Application Firewall)
  • Monitor for unauthorized access or abuse
  • Comply with legal obligations and respond to lawful requests
  • Investigate security incidents affecting the platform

2.4 Communication

We may use your contact information to:

  • Send scan completion notifications
  • Provide service updates and security alerts
  • Respond to support requests
  • Share important platform changes or maintenance schedules

3. Data Storage and Security

3.1 Storage Infrastructure

Your data is stored securely using:

  • Django application backend with secure database storage
  • Docker containers providing isolated execution environments
  • Persistent storage for scan results and historical data
  • Encrypted connections (TLS) using Let's Encrypt certificates

3.2 Security Measures

We implement industry-standard security controls:

  • ModSecurity 3.0.10 WAF protecting against common web attacks
  • Nginx reverse proxy with security hardening
  • Gunicorn application server with systemd service management
  • Supervisor process control for Celery workers
  • Password hashing using industry-standard algorithms
  • API authentication to prevent unauthorized access
  • Rate limiting to prevent abuse and ensure system stability
  • Regular security updates and patch management

3.3 Data Retention

We retain your data as follows:

  • Scan results: Stored indefinitely unless you request deletion
  • Account information: Retained while your account is active
  • System logs: Retained for 90 days for troubleshooting and security monitoring
  • Backup data: Maintained according to our disaster recovery procedures

Important: Security scan results may contain sensitive information about your systems and vulnerabilities. We recommend reviewing and managing your stored scan data regularly and deleting results that are no longer needed.

4. Data Sharing and Disclosure

4.1 We Do Not Sell Your Data

PentestO does not sell, rent, or trade your personal information or security scan results to third parties for marketing purposes.

4.2 Service Providers

We may share limited data with trusted service providers who assist with:

  • Hosting infrastructure and server management
  • Payment processing (billing information only)
  • Email delivery services
  • Analytics and monitoring tools

These providers are contractually obligated to protect your data and use it only for specified purposes.

4.3 Third-Party Security Tools

Our platform integrates the following open-source security testing tools:

  • Nuclei - vulnerability scanning
  • Katana - endpoint discovery
  • dalfox - XSS detection

These tools process target URLs and web content locally within our infrastructure. No data is transmitted to external parties when using these tools.

4.4 Legal Requirements

We may disclose information when required to:

  • Comply with legal obligations, court orders, or government requests
  • Enforce our Terms of Service
  • Protect the rights, property, or safety of PentestO, our users, or the public
  • Investigate potential Terms of Service violations or security incidents

5. Your Rights and Choices

5.1 Access and Portability

You have the right to:

  • Access your account information and scan results
  • Export your security testing data in JSON format
  • Request a copy of the personal information we hold about you

5.2 Correction and Deletion

You can:

  • Update your account information through your profile settings
  • Delete individual scan results from your dashboard
  • Request complete account deletion by contacting our support team

Upon account deletion, we will remove your personal information and scan results within 30 days, except where retention is required by law.

5.3 Communication Preferences

You can manage email notification preferences in your account settings or unsubscribe from marketing communications using the link provided in our emails.

6. Authorized Security Testing

Critical Requirement: You are solely responsible for ensuring you have proper authorization to conduct security testing on any target systems you submit to PentestO. Unauthorized security testing may be illegal in your jurisdiction.

By using our Service, you represent and warrant that:

  • You own or have explicit written permission to test all target systems
  • Your use complies with all applicable laws and regulations
  • You will not use our Service to test systems without authorization
  • You understand that unauthorized access to computer systems may be a criminal offense

7. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Maintain your session and keep you logged in
  • Store user preferences and settings
  • Analyze service usage and performance
  • Improve user experience

You can control cookies through your browser settings, but disabling certain cookies may limit Service functionality.

8. Children's Privacy

PentestO is intended for use by security professionals and organizations. Our Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information.

9. International Data Transfers

PentestO operates from Australia. If you access our Service from outside Australia, your information may be transferred to, stored, and processed in Australia where our servers are located. By using our Service, you consent to this transfer and processing.

10. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated policy on our website with a new "Last Updated" date
  • Sending an email notification to your registered email address
  • Displaying a prominent notice on our platform

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

11. Data Breach Notification

In the event of a data breach that affects your personal information or security scan results, we will:

  • Notify affected users within 72 hours of discovering the breach
  • Provide details about what information was affected
  • Describe the steps we are taking to address the breach
  • Recommend actions you can take to protect yourself
  • Comply with all applicable data breach notification laws

12. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these external sites. We encourage you to review the privacy policies of any third-party services you access.

13. Business Transfers

If PentestO is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

PentestO Privacy Team
Email: privacy@pentesto.com.au
Support: support@pentesto.com.au
Website: pentesto.com.au

We will respond to your inquiry within 30 days.


© 2026 PentestO. All rights reserved.