🔒 Privacy Policy
Last updated: April 5, 2026
1. Data Controller
Pentest Mindmap, hereinafter "we", is responsible for the processing of personal data collected via the website pentestmindmap.com.
2. Data Collected
We only collect data necessary for the operation of the service:
- Email address — for registration, login, and transactional communications
- Password — stored only as a bcrypt hash (12 rounds)
- IP address — for security (fraud detection, rate limiting)
- Payment data — processed exclusively by Stripe (PCI DSS Level 1). We never store your card numbers.
3. Purposes of Processing
- Managing your user account
- Providing access to the Pentest Mindmap service
- Processing payments and subscriptions
- Sending transactional emails (verification, reminders, invoices)
- Security and fraud prevention
4. Legal Basis
- Contract performance — to provide the service you subscribed to
- Legitimate interest — for security and fraud prevention
- Consent — for marketing communications (if applicable)
5. Data Retention
- Account data — retained as long as the account is active, then deleted 12 months after last login
- Security logs — retained for a maximum of 90 days
- Payment data — retained by Stripe according to their retention policy
6. Data Sharing
Your data is never sold. It is shared only with:
- Stripe — payment processing
- SMTP provider — sending transactional emails
7. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Access — obtain a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your account and data
- Portability — receive your data in a structured format
- Objection — object to the processing of your data
To exercise these rights, contact us via our contact page.
8. Cookies
We only use technical cookies necessary for the operation of the service:
- Session — maintaining your login
- CSRF — protection against CSRF attacks
No tracking or advertising cookies are used.
9. Security
We implement appropriate security measures: TLS encryption, hashed passwords (bcrypt), rate limiting, CSRF protection, CSP (Content Security Policy), and regular security audits.
10. Changes
This policy may be updated. Any significant change will be communicated by email to affected users.