Privacy Policy
Categories of Data We Collect
We collect the following categories of personal information:
- Contact information — your email address (for subscribers and for some features below).
- Payment identifiers — Stripe customer ID, Stripe subscription ID, PayPal subscription ID, PayPal payer ID, and similar identifiers (only when you choose a paid plan). Card numbers and full payment credentials are processed by Stripe or PayPal; we do not store them.
- Subscription and account records — status (e.g. pending, active, trialing, canceled, unsubscribed), trial and billing period dates, tokens for confirmation and unsubscribe links, and flags needed to run the service (e.g. whether a free trial was used).
- Referral and invite data — if you use an invite link, we may store invite tokens and records linking inviter and invitee (including the invited party’s email) to operate referral rewards.
- Feedback and support — when you use our Feedback form, we store the email address you provide and the message content you submit.
- Subscription status self-service — if you use “My subscription” to email yourself a status summary, we store your email and timestamps of those requests to enforce per-email rate limits.
- Operational logs — we may store records of digest emails sent (e.g. date and internal subscriber reference) to avoid duplicate sends and for basic operations.
- Technical abuse prevention — for public forms that send email or trigger sensitive actions, we may apply short-lived, in-memory rate limits based on network address (IP). We do not use this for profiling or advertising; it is not stored in our database as a long-term profile.
We do not collect names, phone numbers, or physical mailing addresses as part of the core service. We do not knowingly collect personal data from children under 16 for this service.
Purpose of Processing
We use your information for the following purposes:
- Providing the service — sending the daily Top 3 vulnerability digest, subscription confirmations, billing-related messages, and subscription status summaries you request.
- Payments — linking your account to Stripe or PayPal for subscriptions you choose.
- Referral program — attributing signups and applying any bonus or reward rules you agreed to.
- Support and feedback — reading and responding to messages you send via the Feedback form.
- Security and abuse prevention — rate limiting, fraud prevention, and protecting the service and users.
- Legal and compliance — where required, retaining records for tax, accounting, or dispute resolution.
Legal Bases (including GDPR)
Depending on your location and the activity, we rely on one or more of the following:
- Consent (Art. 6(1)(a) GDPR) — where we ask you to agree to this Privacy Policy and Terms before subscribing or using certain features (e.g. marketing-style digest emails where consent is required).
- Performance of a contract (Art. 6(1)(b) GDPR) — processing necessary to provide the subscription you signed up for, including paid plans and emails essential to that service.
- Legitimate interests (Art. 6(1)(f) GDPR) — where applicable, for example for security, abuse prevention, minimal operational logging, and improving the reliability of email delivery, balanced against your rights.
- Legal obligation (Art. 6(1)(c) GDPR) — where we must retain or disclose information to comply with law.
You may withdraw consent where processing is based on consent; withdrawal does not affect lawfulness of processing before withdrawal. Some processing may continue where another legal basis applies.
Data Retention and Deletion
Email-only subscribers who unsubscribe: If you only used the free email digest (no active Stripe or PayPal subscription on file), we may delete your subscriber record after up to approximately one year following unsubscribe, as part of our automated cleanup process. During that period we retain limited subscriber data to honor your unsubscribe, to operate legitimate abuse prevention (including preventing the same email address from repeatedly obtaining a free digest period after unsubscribe), and for related operational needs. The exact timing may depend on when automated jobs run.
Paid subscribers and former paid subscribers: If you had or have a paid subscription, we may retain certain identifiers and transaction-related records for longer periods as needed for billing, tax, accounting, fraud prevention, and legal disputes, consistent with applicable law and Stripe/PayPal requirements. Not all such records are deleted on the same one-year cleanup schedule as free email-only unsubscribes.
Feedback messages: We retain feedback you submit for as long as needed to review and respond to your inquiry and for a reasonable period afterward for follow-up and quality purposes, unless a longer period is required by law.
Subscription status self-service logs: We retain records of status-email requests to enforce monthly limits; these are typically relevant only for the current and recent billing periods.
AI processing: Our daily digest content may be generated using external AI services processing public vulnerability information (e.g. CVE identifiers and descriptions from public sources). We do not send your email address to those models for content generation.
Consent
Where we rely on consent, we obtain it before collecting your personal information for that purpose. When you subscribe, you must actively check the box stating “I agree to the Privacy Policy and Terms of Service” before submitting the form where that applies to the service.
You may withdraw consent where it applies (e.g. by unsubscribing or canceling your subscription). See Your Rights below.
Use and Disclosure
We use your information to operate the service as described above. We do not sell, rent, or share your personal information with third parties for their independent marketing purposes.
We do not sell your personal information. We have not sold personal information in the past 12 months and do not intend to sell it. This applies to residents of California and other U.S. states with similar rules, and we aim to honor global privacy expectations.
We implement reasonable security measures to protect your data. However, no electronic storage or transmission is 100% secure.
Cookies
We use only strictly necessary cookies (if any) that are essential for the website to function—for example, security or session management. We do not use analytics, marketing, or other non-essential cookies.
Under the ePrivacy Directive, strictly necessary cookies do not require your prior consent. If we introduce non-essential cookies in the future, we will obtain your consent before setting them.
Cross-Border Data Transfer
Our servers are located in the United States. We also use third-party service providers (e.g., Stripe, PayPal, Resend) for payment processing and email delivery, and may use AI providers for digest-related processing as described under Data Retention and Deletion. These providers may process data in the United States or other countries. When you subscribe, your personal data (e.g., email address) will be transferred to and processed in the United States and possibly other jurisdictions where our service providers operate.
We ensure appropriate safeguards for such transfers:
- Your consent — By checking the box to agree to this Privacy Policy and subscribing, where applicable, you consent to the transfer of your data to the United States and other countries where we or our service providers operate.
- Appropriate safeguards — We select service providers that commit to data protection standards. Where required, we seek to use EU-approved Standard Contractual Clauses or equivalent safeguards with our sub-processors. For details on each provider’s transfer mechanisms, please refer to their respective privacy policies and data processing agreements (Stripe, PayPal, Resend).
If you do not consent to this transfer, please do not subscribe. You may withdraw your consent at any time by unsubscribing.
Your Rights: Access, Deletion, and Correction
Right to deletion: You may unsubscribe from the digest via the link in each email or cancel a paid subscription through our website or your payment provider as described in our help flows. Deletion timelines depend on your account type; see Data Retention and Deletion above.
Right to know / access / correction: You may request a copy of the personal information we hold about you, or ask us to correct inaccurate data, by contacting us through our Feedback form using the email address associated with your account. We may need to verify your request. We aim to respond within a reasonable time and, where required by law (e.g. GDPR), within one month, subject to extension for complex requests.
European users: You may also have the right to object to certain processing, to restrict processing, and to data portability where applicable. You may lodge a complaint with a supervisory authority in your country.
Refunds
During the free trial: If you cancel your subscription during the free trial period offered at checkout (when your plan includes one), you will not be charged subscription fees for that trial. If you are charged in error, please submit a request through our Feedback form; we will process refunds in accordance with Stripe’s or PayPal’s applicable rules.
If your subscription was started without a paid trial (for example, you already used a free trial on our service and checkout uses a no-trial price or plan), subscription fees may apply from the first billing cycle; the “During the free trial” statement above does not apply.
When refunds generally do not apply:
- Partial subscription periods — Fees for any subscription period that has already started or been billed are not refunded on a pro-rata basis (e.g., “unused” days in a month you already paid for).
- After the trial — Once you enter a paid billing period after the free trial, charges for those periods are generally non-refundable except where required by applicable law.
- Service already delivered — We do not refund fees for periods during which the service was available to you and digests were delivered or could have been delivered under your subscription.
- Payment processor timelines — Refunds, when granted, are processed through Stripe or PayPal; timing and appearance on your statement depend on your bank or card issuer.
- Chargebacks and disputes — If you open a payment dispute or chargeback, resolution follows Stripe’s or PayPal’s processes; we may not offer a separate refund for the same charge.
- Invited or promotional credit — Extended access or bonus time from referrals or promotions has no cash value and is not refundable.
Nothing in this section limits any mandatory rights you may have under the laws of your country or region.
Complaints and Inquiries
If you have questions about this policy or wish to make a complaint about how we handle your personal information, you may use our Feedback form. We will review and respond to privacy-related complaints in a timely manner.