Vornin
Start Free
Privacy

Privacy Policy

Updated · 2026.05.17 · Revision 1.0

1. Information we collect

We collect information you provide when creating an account (email address, display name), scan targets you configure, and vulnerability data discovered during scans. We also collect usage data such as login times, IP addresses, and feature usage for security and analytics purposes.

2. How we use your information

We use your information to:

  • Provide and maintain the vulnerability management service
  • Send scan results, alerts, and notifications you've configured
  • Improve our scanning engines and platform features
  • Ensure platform security and prevent abuse

3. Data storage & security

All data is stored in encrypted PostgreSQL databases. Sensitive fields (API tokens, credentials) are encrypted at rest using AES-256-GCM. All connections use TLS 1.2+. We maintain immutable audit logs of all access and modifications.

4. Multi-tenancy & isolation

Each customer's data is isolated at the database level using row-level tenant filtering. No customer can access another customer's scan results, vulnerability data, or configuration.

5. Data retention

Data is retained according to your tenant's configured retention policy. You can configure automatic deletion of scan results and resolved vulnerabilities after a specified number of days. When no retention policy is set, data is retained indefinitely.

6. Your rights (GDPR)

You have the right to:

  • Access — Export all your data at any time via the platform
  • Rectification — Update your profile information
  • Erasure — Request complete account and data deletion
  • Portability — Export data in machine-readable JSON format

7. Cookies

7a. Inside the authenticated application (app.vornin.com)

Strictly-necessary cookies only — authentication, session continuity, and CSRF protection. No tracking, no advertising, no analytics that identify individual users.

7b. On the public marketing site (vornin.com)

The marketing site uses the following third-party services, all listed on /sub-processors:

  • Cookiebot (Cybot A/S, DK) — Consent management platform. Stores an anonymous consent identifier in browser local storage to remember your choices on this site. Setting required to comply with ePrivacy / TTDSG.
  • Plausible (Plausible Insights OÜ, EE) — Cookieless, privacy-friendly site analytics. No persistent identifiers, no cross-site tracking, no IP addresses retained. Page views and referrers only.
  • Cloudflare Turnstile (Cloudflare, US, SCCs) — Bot-detection challenge on the contact form. Sets a short-lived challenge cookie scoped to the contact submission.
  • Google Fonts (Google LLC, US, SCCs) — Web font hosting. May briefly log IP for delivery; no persistent cookies set. We are evaluating self-hosting to eliminate this transfer.

Full per-cookie details (purpose, retention, type) are published via the Cookie Declaration accessible from the consent banner.

8. Data Protection contact

Vornin has not formally appointed a Data Protection Officer (we fall below the GDPR threshold for mandatory appointment — no systematic monitoring of data subjects on a large scale, and core activities do not consist of large-scale processing of special categories of data). However, all data-protection matters go to a single accountable person:

  • Mathias Gatz — Founder and Data Protection contact
  • Email: privacy@vornin.com
  • Postal: Denmark (full address available on written request)

For general privacy-related inquiries and data-subject requests: privacy@vornin.com.

You also have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet).