Privacy Policy

Last updated: April 14, 2026

pingtwice.com

This Privacy Policy explains what personal data pingtwice collects when you use pingtwice.com, how we use it, and what rights you have. We take a minimal-collection approach: we collect only what is necessary to operate the Service.

1. Data We Collect

Account data
- Email address (required to create an account)
- Display name (optional, set by you)
- Profile avatar (optional, set by you or populated if you sign in with Google)
- Account creation date and last sign-in timestamp

Usage data you create
- Tech stack items (software packages and versions you add to your inventory)
- Watchlist entries (CVE IDs you choose to monitor)
- Notification preferences and alert history
- Feedback submissions (optional)

Automatically collected data
- IP address (used for security and abuse prevention; not stored against your account)
- Standard HTTP request metadata (retained in server logs for up to 30 days)

2. Data We Do Not Collect

- Passwords (we use passwordless authentication only)
- Payment card details (handled entirely by the payment processor)
- CVE search queries (not stored against your account)
- Precise location data
- Advertising identifiers or third-party tracking data

3. How We Use Your Data

- To authenticate you and operate your account
- To match CVEs against your tech stack and watchlist and generate alerts
- To send transactional emails: sign-in links, alert digests, and account security notices
- To enforce subscription plan limits
- To detect and prevent abuse and security incidents
- To improve the Service using aggregate, anonymized usage patterns

We do not sell your data. We do not use your data for advertising.

4. Data Storage and Security

Your data is stored on servers located within the European Union. All data in transit is encrypted using TLS. Database backups are encrypted and retained for up to 7 days.
We implement access controls, encrypted storage, and passwordless authentication to minimize credential-based attack vectors. No system is completely secure. If you discover a security vulnerability in our Service, please report it responsibly to: support@pingtwice.com

5. Third-Party Services

We use a small number of third-party services to operate the platform. Each acts as a data processor under our instruction and is bound by a data processing agreement:

- Content delivery and DDoS protection: a globally distributed network that processes your IP address and request metadata to protect the Service from attacks.
- Transactional email: your email address is passed to our email delivery provider solely to send emails you have requested or that are required for account security. Email content is not retained beyond delivery.
- Google Sign-In (optional): if you choose to sign in with Google, Google shares your email address, name, and profile picture with us. We do not receive your Google password or access to your Google account beyond these fields. See: https://policies.google.com/privacy
- Payment processing (paid plans): payment card details are handled entirely by our payment processor. We receive only a subscription status token and never see or store your card details.

6. Data Retention

- Account data is retained for as long as your account is active
- After account deletion, personal data is removed within 30 days
- Notification history is automatically purged after 12 months
- Server access logs are retained for up to 30 days
- Certain data may be retained longer where required by law (e.g., billing records)

7. Your Rights

If you are located in the European Economic Area (EEA), UK, or another jurisdiction with data protection laws, you have the right to:

- Access: request a copy of the personal data we hold about you
- Rectification: correct inaccurate data via account settings or by contacting us
- Erasure: delete your account and associated personal data
- Portability: request an export of your data in a machine-readable format
- Objection: object to processing based on our legitimate interests
- Restriction: request that we restrict processing in certain circumstances

Account deletion is available directly in account settings. For other requests, email support@pingtwice.com. We will respond within 30 days.

8. Cookies and Local Storage

We use browser local storage to persist your authentication session and preferences such as theme selection. We do not use advertising cookies or third-party tracking cookies. Our DDoS protection provider may set a short-lived security cookie that is required for the Service to function and cannot be disabled.

9. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes affecting how we use your data, we will notify you at your registered email address at least 14 days before the changes take effect.

11. Contact

For privacy questions, data requests, or concerns, email: support@pingtwice.com