Privacy Policy
Last updated: April 14, 2026
Table of Contents
- 1. Information We Collect
- 2. How We Use Your Information
- 3. Credential and Target Data
- 4. Data Storage and Security
- 5. Data Sharing
- 6. Data Retention
- 7. Your Rights
- 8. Cookies and Tracking Technologies
- 9. Children's Privacy
- 10. International Users
- 11. California Residents (CCPA)
- 12. European Residents (GDPR)
- 13. Changes to This Policy
- 14. Contact Information
Prober ("Company," "we," "us," or "our") operates the Prober security intelligence platform available at prober.app, including Prober Penetration and Prober Scope (collectively, the "Service"). This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you use our Service. It also describes your rights regarding your personal information and how you can exercise those rights.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Privacy Policy. If you do not agree with our policies and practices, do not use the Service. This Privacy Policy is incorporated into and subject to our Terms of Service.
1. Information We Collect
1.1 Account Information. When you create an account, we collect information you provide directly, including your name, email address, company or organization name (if applicable), and a password. Passwords are cryptographically hashed using bcrypt and are never stored in plaintext. If you sign up through a third-party authentication provider, we receive your name and email address from that provider.
1.2 Payment Information. When you purchase testing engagements or credits, payment transactions are processed by our third-party payment processor, Stripe, Inc. ("Stripe"). Prober does not receive, process, or store complete credit card numbers, CVV codes, or other full payment card data on its servers. We receive and retain a limited set of billing information from Stripe, including the last four digits of your card number, card brand, expiration date, billing address, and transaction history, solely for record-keeping and customer support purposes.
1.3 Test Configuration Data. When you configure and initiate a testing engagement, we collect the target information you provide, including domain names, IP addresses, URLs, port ranges, and scan settings. For authenticated testing, we collect the credentials you provide (usernames, passwords, API keys, or session tokens). The handling of credential data is described in detail in Section 3.
1.4 Test Results and Reports. We collect and store the output of testing engagements, including vulnerability findings, severity ratings, evidence data, remediation recommendations, and AI-generated analysis. These results are stored in association with your account.
1.5 Usage Data. We automatically collect information about how you interact with the Service, including the pages and features you access, the actions you take (such as initiating scans, viewing reports, and configuring settings), the date and time of your visits, and the duration of your sessions. This data helps us understand how the Service is used and identify areas for improvement.
1.6 Log Data. Our servers automatically record certain information when you access the Service, including your Internet Protocol (IP) address, browser type and version, operating system, referring URL, pages visited, and the date and time of each request. Log data is used for security monitoring, debugging, and service improvement.
1.7 Communications. If you contact us for support, provide feedback, or otherwise communicate with us, we collect the content of those communications along with any associated metadata (such as timestamps and email addresses).
2. How We Use Your Information
We use the information we collect for the following purposes:
2.1 Providing and Operating the Service. We use your account information, test configuration data, and credentials to provision your account, execute the testing engagements you request, generate vulnerability reports, and deliver results to you. This is the primary purpose for which we collect and process your data.
2.2 Processing Payments. We use billing information to process your purchases, issue receipts, manage credits and balances, and handle refund requests. Payment card processing is performed by Stripe in accordance with PCI DSS standards.
2.3 Service Communications. We use your email address to send transactional notifications directly related to the Service, including scan completion notifications, scan status updates, account security alerts, payment receipts, and responses to your support inquiries. These communications are essential to the operation of the Service and cannot be opted out of while your account remains active.
2.4 Security and Fraud Prevention. We use log data, IP addresses, usage patterns, and account activity to detect and prevent unauthorized access, fraud, abuse, and other malicious activity. This includes monitoring for unauthorized testing, account compromise, and violations of our Terms of Service.
2.5 Service Improvement. We use aggregated and anonymized usage data to analyze how the Service is used, identify performance issues, and improve features, functionality, and user experience. We may use anonymized, aggregated vulnerability statistics (that do not identify you, your organization, or your target systems) to improve our testing methodologies.
2.6 Legal Compliance. We may process your information as necessary to comply with applicable laws, regulations, legal processes, or governmental requests.
2.7 What We Do Not Do. We do not sell, rent, or trade your personal information to third parties. We do not use your scan results, vulnerability findings, or target data to train AI models or for any purpose other than providing the Service to you. We do not share vulnerability findings with anyone other than you. We are not a bug bounty platform. We do not build advertising profiles or serve targeted advertisements.
3. Credential and Target Data
Given the sensitive nature of credentials and target information provided for penetration testing, this section describes our handling practices in detail.
3.1 Encryption at Rest. All credentials provided for authenticated testing are encrypted at rest using AES-256 encryption. Credentials are stored in encrypted form in our database and are decrypted only within the isolated, ephemeral testing container during the active execution of your testing engagement.
3.2 Purpose Limitation. Credentials are used solely and exclusively for the purpose of conducting the security testing engagement you have authorized. Prober will not use credentials to access your systems for any other purpose, nor will credentials be used beyond the scope of the specific testing engagement for which they were provided.
3.3 Deletion Timeline. Credentials are permanently deleted from all Prober systems within thirty (30) days of the completion of the testing engagement for which they were provided. The ephemeral Docker container in which credentials are actively used is destroyed immediately upon scan completion, and no credential data persists within the container infrastructure.
3.4 No Third-Party Sharing. Credentials are never shared with, disclosed to, or accessible by any third party. Credentials are not transmitted to any external service other than the target system you have authorized for testing. Prober personnel do not have access to decrypted credentials under normal operating conditions.
3.5 Target Information. Information about your target systems (domains, IP addresses, URLs) is treated as confidential. Target information is used only to conduct authorized testing and is not shared with third parties. Target information is subject to the data retention policies described in Section 6.
3.6 Test Evidence. During testing, our tools may capture evidence of vulnerabilities, which can include HTTP request and response data, screenshots, error messages, and other technical artifacts from your target systems. This evidence is included in your vulnerability reports and is treated with the same confidentiality as your test results.
4. Data Storage and Security
4.1 Cloud Infrastructure. The Service is hosted on Google Cloud Platform ("GCP"). Our application infrastructure, including testing workers, runs on Google Cloud Run within isolated containerized environments. Google Cloud Platform maintains extensive security certifications including SOC 1/2/3, ISO 27001, and FedRAMP.
4.2 Database Security. Application data, including account information, scan configurations, and metadata, is stored in MongoDB Atlas, a managed database service that provides encryption at rest (AES-256), encryption in transit (TLS), automated backups, and role-based access controls. MongoDB Atlas maintains SOC 2 Type II and ISO 27001 certifications.
4.3 Report Storage. Completed vulnerability reports and scan results are stored in Google Cloud Storage with encryption at rest enabled. Access to stored reports is restricted through Identity and Access Management (IAM) policies and is limited to authenticated requests from your account.
4.4 Encryption in Transit. All data transmitted between your browser and the Service is encrypted using Transport Layer Security (TLS 1.2 or higher). All internal communications between Service components are similarly encrypted.
4.5 Access Controls. Access to production systems and data is restricted to authorized Prober personnel on a need-to-know basis. Administrative access requires multi-factor authentication. All access to production systems is logged and auditable.
4.6 Isolated Testing Environments. Each testing engagement executes within an isolated Docker container that is provisioned for the duration of the scan and destroyed upon completion. Testing containers do not share state, network namespaces, or file systems with other engagements. This architecture ensures that data from one engagement cannot be accessed by another.
4.7 Security Limitations. While we implement industry-standard security measures to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you and applicable regulatory authorities as required by law.
5. Data Sharing
5.1 We Do Not Sell Your Data. Prober does not sell, rent, lease, or trade your personal information, test results, vulnerability findings, or any other data to third parties for any purpose, including marketing or advertising.
5.2 Service Providers. We share limited data with third-party service providers who assist us in operating the Service. These providers are contractually obligated to use your data only for the purposes of providing their services to us and to maintain appropriate security measures. Our current service providers include:
- Stripe, Inc. -- Payment processing. Stripe receives your payment card information, billing address, and transaction amounts. Stripe's handling of your data is governed by the Stripe Privacy Policy.
- Google Cloud Platform -- Cloud infrastructure, compute, and storage. Data processed within GCP is subject to Google's data processing terms.
- MongoDB Atlas -- Managed database hosting. Data stored in MongoDB Atlas is subject to MongoDB's data processing agreement.
5.3 Legal Disclosure. We may disclose your information if we believe in good faith that disclosure is necessary to: comply with a legal obligation, court order, subpoena, or other legal process; protect and defend the rights, property, or safety of Prober, our users, or the public; detect, prevent, or address fraud, security issues, or technical problems; or enforce our Terms of Service.
5.4 Business Transfers. In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of the transaction. We will provide notice to you (via email or prominent notice on the Service) of any such transfer and any choices you may have regarding your data.
5.5 With Your Consent. We may share your information with third parties when you have given us explicit consent to do so for a specific purpose.
5.6 Aggregated Data. We may share anonymized, aggregated data that does not identify any individual user or their target systems. For example, we may publish aggregate statistics about vulnerability types encountered across our platform. This data cannot be used to identify you or your systems.
6. Data Retention
6.1 Test Results. Vulnerability reports, scan results, and associated evidence data are retained for ninety (90) days from the date of scan completion. After this period, test results are automatically and permanently deleted from our systems. You should download and archive your reports within this retention window.
6.2 Credentials. Credentials provided for authenticated testing are permanently deleted within thirty (30) days of engagement completion, as described in Section 3.3.
6.3 Account Data and Deactivation. Your account information (name, email, profile data) is retained for as long as your account remains active. When you deactivate your account, we disable login access immediately but retain your account data and test records for legal, security, and audit purposes. Due to the sensitive nature of penetration testing services — including the need to defend against legal disputes over testing authorization, investigate abuse, and comply with tax and regulatory obligations — we do not permanently delete account records upon deactivation.
6.4 Billing Records. Transaction records, invoices, and billing history are retained for up to seven (7) years as required for tax, accounting, and legal compliance purposes.
6.5 Log Data. Server logs, access logs, and security audit logs are retained for up to twelve (12) months for security monitoring, incident investigation, and debugging purposes.
6.6 Data Access and Deactivation. You may deactivate your account at any time through your account settings or by contacting us at privacy@prober.app. Upon deactivation, login access is disabled immediately. We retain account data and test records for up to seven (7) years, or longer if required by law, to address potential legal disputes regarding testing authorization, respond to security incidents, and meet financial and regulatory record-keeping requirements. You retain the right to request a copy of your data or to correct inaccuracies. Credentials provided for authenticated testing continue to be deleted within thirty (30) days of engagement completion regardless of account status.
7. Your Rights
Depending on your location and applicable law, you may have the following rights with respect to your personal information:
7.1 Right of Access. You have the right to request a copy of the personal information we hold about you. We will provide this information in a commonly used, machine-readable format within thirty (30) days of your request.
7.2 Right to Account Deactivation. You have the right to request that your account be deactivated, which disables login access and prevents further use of the Service. As disclosed in Section 6.3, account data and test records are retained for legal, security, and regulatory purposes. If you believe data retention is not permitted for your specific situation under applicable law (for example, because the exceptions in GDPR Article 17(3) do not apply), you may submit a formal request to privacy@prober.app for individual review.
7.3 Right to Correction. You have the right to request correction of inaccurate or incomplete personal information. You can update much of your account information directly through the Service interface.
7.4 Right to Data Export. You have the right to export your test results and vulnerability reports in machine-readable format (JSON). Reports can be downloaded directly from the Service interface during the retention period.
7.5 Right to Opt Out of Marketing. If we send you marketing communications (which we currently do not), you have the right to opt out at any time by clicking the unsubscribe link in the communication or by contacting us. Note that you cannot opt out of transactional service communications (such as scan completion notifications and security alerts) while your account is active.
7.6 Exercising Your Rights. To exercise any of these rights, contact us at privacy@prober.app. We may need to verify your identity before processing your request. We will respond to all verified requests within thirty (30) days. If we need additional time, we will notify you of the extension and the reason for it.
8. Cookies and Tracking Technologies
8.1 Essential Cookies. We use essential session cookies that are strictly necessary for the operation of the Service. These cookies are used to maintain your authentication state, preserve your session across page navigations, and ensure the security of your interactions with the Service. These cookies are first-party cookies set by prober.app and cannot be disabled without preventing use of the Service.
8.2 No Third-Party Tracking. We do not use third-party tracking cookies, advertising cookies, or social media tracking pixels. We do not participate in cross-site tracking or ad networks. We do not use Google Analytics or similar third-party analytics platforms that track users across websites.
8.3 Browser Controls. Most web browsers allow you to manage cookie preferences through browser settings. You can typically configure your browser to block cookies or to alert you when a cookie is being set. Please note that blocking essential cookies will prevent you from logging into and using the Service.
8.4 Do Not Track. The Service does not currently respond to "Do Not Track" signals transmitted by web browsers, as there is no universally accepted standard for how to respond to such signals. However, since we do not engage in cross-site tracking, the practical effect is the same regardless of your Do Not Track setting.
9. Children's Privacy
The Service is not intended for individuals under the age of eighteen (18). We do not knowingly collect, use, or disclose personal information from anyone under the age of 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information as quickly as possible. If you believe that we have inadvertently collected personal information from a child under 18, please contact us immediately at privacy@prober.app.
10. International Users
10.1 Data Processing Location. Prober is based in the United States. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States and potentially in other jurisdictions where our service providers operate. The data protection laws of these jurisdictions may differ from those of your country of residence.
10.2 Consent to Transfer. By using the Service, you consent to the transfer of your information to the United States and other jurisdictions as described in this Privacy Policy. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, please refer to Section 12 for information about the legal bases for processing and your additional rights.
10.3 Transfer Safeguards. Where we transfer personal data across international borders, we implement appropriate safeguards as required by applicable law, which may include Standard Contractual Clauses approved by the European Commission or other legally recognized transfer mechanisms.
11. California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collection, and the categories of third parties with whom it is shared.
- Right to Delete: You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions.
- Right to Opt Out of Sale: We do not sell your personal information. As such, there is no need to opt out, but you retain this right should our practices change.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you the Service, charge you different prices, provide a different level of service, or suggest that you will receive a different level of service for exercising your rights.
- Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you.
To exercise any of these rights, contact us at privacy@prober.app. We will verify your identity before processing your request and will respond within forty-five (45) days.
12. European Residents (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the following additional provisions apply:
12.1 Legal Bases for Processing. We process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):
- Performance of Contract: Processing necessary to perform our contract with you, including providing the Service, executing testing engagements, and delivering reports (Article 6(1)(b)).
- Legitimate Interests: Processing for our legitimate business interests, including security monitoring, fraud prevention, service improvement, and enforcing our Terms of Service, where such interests are not overridden by your fundamental rights and freedoms (Article 6(1)(f)).
- Consent: Processing based on your explicit consent, where applicable (Article 6(1)(a)). You may withdraw consent at any time.
- Legal Obligation: Processing required to comply with applicable laws and regulations (Article 6(1)(c)).
12.2 Additional Rights. In addition to the rights described in Section 7, you have the right to: restrict the processing of your personal data in certain circumstances; object to processing based on legitimate interests; lodge a complaint with your local data protection supervisory authority; and withdraw consent at any time where processing is based on consent.
12.3 Data Protection Officer. For GDPR-related inquiries, contact us at privacy@prober.app.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last updated" date at the top of this page. For material changes that significantly affect how we handle your personal information, we will provide additional notice by sending an email to the address associated with your account or by displaying a prominent notice within the Service at least fifteen (15) days before the changes take effect. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of the Service after the effective date of any revised Privacy Policy constitutes your acceptance of the revised terms.
14. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- General support: support@prober.app
- Privacy inquiries and data requests: privacy@prober.app
- Security concerns: security@prober.app
We aim to respond to all inquiries within five (5) business days. For formal data subject requests (access, deletion, correction), we will respond within thirty (30) days as described in Section 7.