Privacy policy
Last updated July 8, 2026
Vulnly (“we”, “us”) is based in Greece. This page explains what we process when you use the site, why, and what rights you have. It is not legal advice.
Data controller
- Registered address: Greece
- Data Protection Officer (DPO): Not appointed, as not required under Article 37 GDPR
No accounts, no tracking beyond what’s described here
There is no sign-up and no user database. Your search history and cookie choice are stored only in your browser’s localStorage and never sent to us — that data never leaves your device unless you use the AI advisor (see below).
What we process
- Search queries — the ecosystem, package name, and version you look up, sent to OSV.dev and deps.dev to compute a verdict. We don’t log these ourselves beyond standard, short-lived server request logs.
- IP address — used transiently for per-IP rate limiting and to issue AI-unlock tokens; also present in Vercel’s own request logs. IP addresses are personal data under GDPR even though we have no accounts.
- Analytics data (only if you accept the “Analytics” cookie category) — anonymized search terms, page views, and feature usage via Google Analytics 4.
- Advertising identifiers (only if you accept the “Advertising” category and choose the rewarded-ad unlock) — set by Google Ad Manager while the ad is shown.
- AI advisor context (only when you use it) — see “AI advisor data processing” below.
Legal bases
We rely on the following legal bases under Article 6(1) of Regulation (EU) 2016/679 (GDPR):
| Processing activity | Legal basis |
|---|---|
| Executing your vulnerability lookup query (transmission to OSV.dev / deps.dev) | Performance of a contract / pre-contractual measures at your request — Art. 6(1)(b) |
| Rate limiting, abuse prevention, security logs | Legitimate interests in maintaining a secure, available, non-abused service — Art. 6(1)(f) |
| AI Advisor processing | Performance of a contract at your request — Art. 6(1)(b) |
| Analytics cookies | Your consent — Art. 6(1)(a) and Art. 4(5) of Law 3471/2006 |
| Advertising / rewarded-ad cookies | Your consent — Art. 6(1)(a) and Art. 4(5) of Law 3471/2006 |
Legitimate interests balancing: for rate-limiting and security logging, we have assessed that our interest in preventing abuse and ensuring service availability is not overridden by your interests, since the processing is limited to your IP address, is short-lived, and does not enable your identification beyond the abuse-prevention purpose.
Who we share data with
- OSV.dev / deps.dev (Open Source Security Foundation / Google) — receive your search query to answer it. See OSV.dev’s docs.
- Vercel (hosting, request logs) — privacy policy.
- Google (Analytics 4, and Ad Manager if you unlock via ad) — privacy policy.
- LLM provider (only if you use the AI advisor) — this deployment is configured to use one of: Anthropic, OpenAI, Google, a self-hosted or third-party OpenAI-compatible endpoint configured by the operator. See Anthropic, OpenAI, or Google’s privacy policy depending on which is configured.
AI advisor data processing
When you activate the AI Advisor, the following data is transmitted to the configured LLM provider:
- the queried package name, ecosystem, and version;
- vulnerability identifiers and summaries relevant to your current result.
We do not transmit your IP address, browser identifiers, or any account data (there is no account).
The configured LLM provider is one of: Anthropic, OpenAI, Google, or a self-hosted / OpenAI-compatible endpoint. Where technically supported, we have enabled zero-retention and no-training settings, meaning that your inputs are not stored by the LLM provider beyond the time strictly needed to generate a response, and are not used to train the provider’s models. You can verify the currently configured LLM provider by contacting us.
International transfers
Some of our service providers are established in or process data in the United States or other third countries:
| Provider | Country | Transfer safeguard |
|---|---|---|
| Google (Analytics, Ad Manager) | USA | EU–US Data Privacy Framework (DPF) certification |
| Vercel (hosting) | USA | Standard Contractual Clauses (SCCs) + DPF, where applicable |
| Anthropic / OpenAI / Google (LLM) | USA | DPF certification and/or SCCs, depending on provider |
Your rights
Under the GDPR, you have the right to:
- Access (Art. 15): obtain confirmation and a copy of your personal data;
- Rectification (Art. 16): correct inaccurate or incomplete data;
- Erasure / right to be forgotten (Art. 17);
- Restriction of processing (Art. 18);
- Data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format;
- Object (Art. 21): object to processing based on our legitimate interests;
- Withdraw consent (Art. 7(3)): at any time, without affecting the lawfulness of processing prior to withdrawal — withdraw cookie consent via our cookie banner or your browser settings;
- Not be subject to automated decision-making (Art. 22): our vulnerability verdicts are automated but do not produce legal effects concerning you or similarly significantly affect you, as they concern software packages and not the data subject personally.
Since we do not maintain user accounts, most requests will concern log data or analytics data. To exercise your rights, contact us. We will respond within one month of receipt (extendable by two further months for complex requests, per Art. 12(3) GDPR).
Right to lodge a complaint
You have the right to lodge a complaint with the competent supervisory authority. In Greece, this is the:
Hellenic Data Protection Authority (HDPA)
Address: Kifisias Avenue 1–3, 11523 Athens, Greece
Telephone: +30 210 6475600
Email: contact@dpa.gr
Website: https://www.dpa.gr/en
You may also lodge a complaint with the supervisory authority of your EU country of residence or workplace.
Cookies and consent
In accordance with Article 4(5) of Greek Law 3471/2006 and the guidelines of the Hellenic Data Protection Authority: strictly necessary cookies are used without your consent, as they are essential to provide the Service (e.g. session, security, rate-limit tokens); analytics and advertising cookies are set only after you provide explicit, granular consent via our cookie banner; you may accept, reject, or customize your preferences with equal ease at any time via the “Cookie settings” link in the footer; and no non-essential cookies or scripts are loaded before you provide consent. Full details, including every storage key we use, are in our cookie policy.
Personal data breaches
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Hellenic Data Protection Authority (HDPA) within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to your rights, we will communicate it to you without undue delay, in accordance with Article 34 GDPR, using the contact channels available (e.g. a notice on the Service).
Retention
| Category | Retention |
|---|---|
| Google Analytics 4 event data | 2 months |
| Vercel request logs (incl. IP) | Per Vercel’s applicable log-retention policy for our hosting plan (typically a short, rolling window) |
| Rewarded-ad unlock tokens | 30 minutes |
| AI Advisor inputs at the LLM provider | Zero-retention where technically supported; otherwise per provider’s policy |
| Search history and cookie preferences | Stored solely in your browser’s local storage; cleared any time via “Clear history” or browser site-data settings |
Minors
The Service is not directed at children under the age of 15. In accordance with Article 21 of Greek Law 4624/2019, minors under this age may only use the Service with the consent of a holder of parental responsibility. We do not knowingly collect personal data from children under this age.
See also our cookie policy and terms of service.