Privacy Policy
Last updated: April 2026
Controller: ClawNet (trading as Vigil), incorporated in England & Wales
Contact: privacy@vigil.junocode.com
1. Overview
This Privacy Policy explains how ClawNet, trading as Vigil (“we”, “us”, “our”), collects, uses, stores, and shares personal data when you use the Vigil vulnerability alerting service (“Service”). It also explains your rights under applicable privacy laws.
Vigil is a B2B service used by businesses and professional teams. We process a limited set of personal data necessary to operate subscriber accounts and deliver alerts.
If you have questions about this policy or wish to exercise your privacy rights, contact us at privacy@vigil.junocode.com.
2. What Data We Collect
2.1 Account Data
When you register for Vigil, we collect:
- Email address — used as your account identifier, for login, and for alert delivery.
- Password — stored as a salted cryptographic hash. We never store your password in plain text. Password hashing is managed by Supabase (our database and authentication provider).
2.2 Billing Data
When you subscribe to a paid plan:
- Billing email address — used for payment receipts and subscription communications.
- Payment method reference — we store only the last four digits of your card number and the card type (e.g., Visa ending 4242), as provided by Stripe. Full card details are collected and held exclusively by Stripe under their own PCI DSS compliance programme. We do not receive, process, or store full card numbers.
2.3 Product Data
To personalise your alert feed, we collect:
- Selected technology stack — the tools, frameworks, and software packages you nominate for monitoring (e.g., “Next.js”, “PostgreSQL”, “Python”).
- Alert preferences — severity thresholds, notification frequency, and channel preferences you configure.
This data is used solely to filter and deliver relevant vulnerability alerts to you.
2.4 Usage and Authentication Data
We collect the following operational data to maintain service security and integrity:
- Authentication events — records of login, logout, and failed login attempts, including timestamp, IP address, and user agent string.
- IP address — logged at authentication events and service interactions.
- User agent string — browser or client type, recorded alongside authentication events.
Retention: Authentication and usage logs are retained for 90 days, after which they are deleted or anonymised.
2.5 Cookies and Local Storage
Authentication cookie: We use a session cookie (prefixed sb-) set by Supabase to maintain your logged-in session. This cookie is essential for the Service to function. It is a session cookie that expires on browser close or session timeout, depending on your settings.
Local storage: We store your theme preference (dark or light mode) in your browser's localStorage. This data is stored locally on your device and is never transmitted to our servers. It is not a cookie.
We do not use advertising cookies, third-party tracking cookies, or behavioural analytics cookies. For full details, see our Cookies Policy.
2.6 Data We Do Not Collect
- We do not collect your name unless you choose to provide it.
- We do not collect the contents of your systems or infrastructure.
- We do not perform active scanning of your environment.
- We do not collect sensitive personal data (health, biometric, financial, or similar categories).
- We do not knowingly collect data from users under 16 years of age.
3. Why We Process Your Data and Our Lawful Bases
3.1 EU and UK GDPR Lawful Bases
| Processing Activity | Data Involved | Lawful Basis |
|---|---|---|
| Creating and managing your account | Email, password hash | Performance of contract (GDPR Art. 6(1)(b)) |
| Delivering vulnerability alerts | Email, stack preferences, alert preferences | Performance of contract (GDPR Art. 6(1)(b)) |
| Processing subscription payments | Billing email, Stripe payment reference | Performance of contract (GDPR Art. 6(1)(b)) |
| Maintaining authentication logs and service security | IP address, user agent, auth events | Legitimate interests (GDPR Art. 6(1)(f)) — detecting fraud, preventing unauthorised access, maintaining service integrity |
| Sending service communications (receipts, security notices, policy updates) | Email address | Performance of contract / Legitimate interests (GDPR Art. 6(1)(b)/(f)) |
| Marketing communications (if and when introduced) | Email address | Consent (GDPR Art. 6(1)(a)) — we will seek your explicit opt-in before sending marketing emails |
We have assessed that our legitimate interest in maintaining service security and integrity is not overridden by your interests or fundamental rights, given: (a) the limited nature of the data (IP address, user agent); (b) the security purpose; and (c) the 90-day retention limit.
3.2 Brazil LGPD Lawful Bases
For users in Brazil, our lawful bases under the Lei Geral de Proteção de Dados (LGPD — Lei nº 13.709/2018) are:
- Execution of a contract (LGPD Art. 7(V)) — for account creation, alert delivery, and billing.
- Legitimate interest (LGPD Art. 7(IX)) — for authentication logging and service security.
- Consent (LGPD Art. 7(I)) — for any marketing communications, where required.
4. How We Use Your Data
We use personal data only for the following purposes:
- Providing the Service — delivering vulnerability alerts tailored to your selected technology stack.
- Account management — authenticating you, managing your subscription, and processing payments.
- Service communications — sending invoices, security notices, and material policy updates.
- Security and integrity — detecting and preventing unauthorised access, abuse, and fraud.
- Legal compliance — complying with our legal obligations (including financial record-keeping).
We do not use your personal data for advertising, profiling for marketing purposes, or behavioural analytics. We do not sell your personal data.
5. How We Share Your Data
We do not sell or share your personal data with third parties for their own marketing purposes.
We share your data with the following categories of third parties only as necessary to provide the Service:
5.1 Sub-Processors (Service Providers)
We use the following sub-processors to operate the Service. Each is contractually required to process personal data only on our instructions and to maintain appropriate security measures.
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase Inc. | User accounts, authentication, stack selections, alert data storage | Email, password hash, stack preferences, auth logs | US-East (AWS us-east-1) |
| Resend Inc. | Transactional email delivery (alerts, receipts) | Email address, alert content | United States |
| Stripe Inc. | Subscription billing and payment processing | Billing email, payment method token | United States |
| Railway Corp. | Application hosting (Vigil backend) | All transient request data | US-West (GCP us-west2) |
| Cloudflare Inc. | DNS resolution, edge caching, DDoS protection | IP address, user agent (edge logs) | Global edge network |
For full details, including transfer mechanisms, see our Sub-processors page and Section 6 of this policy.
Stripe's independent controller role: Stripe processes certain data (fraud detection, PCI compliance) as an independent data controller under Stripe's own privacy policy and terms. We do not control how Stripe uses data for these purposes.
5.2 Legal and Regulatory Disclosure
We may disclose personal data if required to do so by law, regulation, court order, or lawful request from public authorities. Where permitted, we will notify you of such a request before complying.
5.3 Business Transfer
In the event of a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred as part of that transaction. We will provide notice before your personal data becomes subject to a different privacy policy.
6. International Transfers
Vigil is operated by a UK entity. Our sub-processors are based primarily in the United States. This means your personal data may be transferred outside the UK and the European Economic Area (EEA).
We ensure that all such transfers comply with applicable data protection law through the following safeguards:
6.1 Transfer Mechanisms
When we transfer personal data outside the UK or EEA, we rely on:
- EU Standard Contractual Clauses (EU SCCs) — Commission Implementing Decision 2021/914, Module 2 (Controller to Processor), incorporated into our agreements with each US-based sub-processor.
- UK International Data Transfer Addendum (UK Addendum, Version B1.0) to the EU SCCs — covering UK → third-country transfers, as issued by the ICO.
- EU-US Data Privacy Framework (DPF) — where our sub-processor is DPF-certified (Stripe, Cloudflare, Railway, Resend are certified). The DPF is an adequacy mechanism adopted by the European Commission in July 2023.
- UK Extension to the DPF — for UK → US transfers where the sub-processor holds UK Extension certification.
SCCs and DPF certification serve as complementary transfer mechanisms. We maintain SCC fallback arrangements with all US sub-processors in the event the DPF is invalidated.
6.2 Per-Processor Transfer Details
| Processor | Transfer Mechanism | Region |
|---|---|---|
| Supabase | EU SCCs 2021/914 (Module 2) + UK IDTA | US-East (AWS us-east-1) |
| Resend | EU SCCs 2021/914 (Modules 1, 2, 3) + UK Addendum + EU-US DPF + UK Extension | United States |
| Stripe | EU SCCs 2021/914 (Modules 1, 2) + UK Addendum (Version B1.0) + EU-US DPF + Swiss-US DPF | United States |
| Railway | EU-US DPF (primary) + UK-US DPF Extension + EU SCCs (supplementary) + UK IDTA | US-West (GCP us-west2) |
| Cloudflare | EU SCCs 2021/914 (Modules 2, 3) + UK Addendum (Version B1.0) + EU-US DPF | Global edge; R2 origin US |
Copies of applicable SCCs and sub-processor DPAs are available on request at privacy@vigil.junocode.com.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data (email, password hash) | Duration of account + 30 days post-deletion (to allow deletion propagation) |
| Billing email and Stripe reference | 7 years from transaction date (legal obligation — financial records) |
| Stack preferences and alert preferences | Duration of account; deleted on account deletion |
| Authentication logs (IP, user agent, events) | 90 days, then deleted or anonymised |
| Alert delivery records (non-PII) | Permanent — alert records reference vulnerability IDs, not personal data |
| Support correspondence | 2 years from closure of the support case |
Billing records are retained for 7 years in compliance with applicable accounting and tax legislation (UK Companies Act 2006 / HMRC requirements). This retention obligation applies even after account deletion.
8. Account Deletion and Data Erasure
You can delete your Vigil account at any time from the Settings page in your account dashboard.
On account deletion:
- Supabase: Your email address, password hash, stack preferences, and alert preferences are hard-deleted from our primary database within 30 days.
- Resend: Your email address is removed from our Resend mailing lists within 30 days.
- Stripe: Your Stripe customer record (billing email, payment method token) is deleted within 30 days. Note: Stripe retains transaction records for its own legal compliance purposes under Stripe's privacy policy.
- Authentication logs: Your authentication records are anonymised (IP address and user agent are removed; timestamps and event types are retained in anonymised aggregate form for security analytics).
- Billing records: Retained for 7 years as described in Section 7 (legal obligation).
- Backups: Database backups containing deleted personal data are purged within 30 days, in line with our backup rotation schedule.
We will confirm completion of deletion within 30 days of your request. If deletion of specific records is technically constrained by legal retention obligations, we will explain what is retained and why.
9. Your Rights
9.1 EU and UK GDPR Rights
If you are located in the EEA or the UK, you have the following rights:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations.
- Right to restriction (Art. 18) — request that we limit processing of your data in certain circumstances.
- Right to data portability (Art. 20) — receive your personal data in a structured, commonly-used, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests.
- Right to withdraw consent — where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint — you may complain to your local supervisory authority. UK users: the Information Commissioner's Office (ICO), at ico.org.uk. EU users: your national data protection authority.
To exercise any of these rights, email privacy@vigil.junocode.com. We will respond within 30 days. There is no fee for exercising your rights.
9.2 California — CCPA/CPRA Rights
California residents have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
- Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete — request deletion of your personal information, subject to legal exceptions.
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell or share personal information as defined under CCPA (including for cross-context behavioural advertising). No opt-out mechanism is required, but you may contact us to confirm.
Response timeline: We will respond to CCPA rights requests within 45 days, extendable by an additional 45 days (90 days total) where we notify you of the extension and the reason.
To exercise your rights, contact: privacy@vigil.junocode.com
Note: Vigil is a B2B service. CCPA rights are held by individual California consumers. At our current scale, we may not meet the revenue or volume thresholds that trigger mandatory CCPA compliance, but we honour these rights regardless.
9.3 Australian Users — Privacy Act 1988 (APPs 12 and 13)
Under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles:
- APP 12 — Access: You may request access to personal information we hold about you. We will respond within 30 days. We may charge a reasonable fee for access requests that involve significant retrieval costs.
- APP 13 — Correction: You may request correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading. We will correct the information within a reasonable period or, if we refuse, provide written reasons.
To exercise these rights: privacy@vigil.junocode.com
If you are not satisfied with our response to a complaint or request, you may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
9.4 Brazilian Users — LGPD Rights (Art. 18)
Under the Lei Geral de Proteção de Dados (LGPD), Brazilian data subjects have the right to:
- Confirm whether we process your personal data.
- Access your personal data.
- Correct incomplete, inaccurate, or out-of-date data.
- Anonymise, block, or delete unnecessary or excessive data.
- Request portability of your data.
- Obtain information about entities with which we share your data.
- Revoke your consent at any time (where processing is consent-based).
- Lodge a complaint with the ANPD (Autoridade Nacional de Proteção de Dados).
To exercise any LGPD right: privacy@vigil.junocode.com
9.5 Canadian Users — PIPEDA and Quebec Law 25
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to access your personal information and to challenge its accuracy.
Quebec residents: Vigil complies with Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25). Quebec residents have additional rights, including data portability (as of September 2024). We have conducted Privacy Impact Assessments (PIAs) for the transfer of personal information outside Quebec (to our UK, EU, and US-based sub-processors). You may request a summary of our PIA by contacting privacy@vigil.junocode.com.
In the event of a privacy breach posing a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada (OPC) and affected individuals as required.
9.6 Japanese Users — APPI
Under Japan's Act on Protection of Personal Information (APPI), as amended in 2022:
Before transferring your personal information to overseas recipients, we will ensure that appropriate safeguards are in place. Our overseas sub-processors maintain data protection standards consistent with APPI requirements. To exercise your rights under APPI, or to request information about our overseas transfer safeguards, contact: privacy@vigil.junocode.com.
10. International Transfers — Additional Information for Specific Jurisdictions
10.1 Australian Users — APP 1.4(f)
We may disclose personal information to overseas recipients in the following countries:
- United Kingdom — where Vigil (ClawNet) is established.
- United States — where our sub-processors Supabase, Resend, Stripe, and Railway are headquartered and process data.
- Global edge locations — Cloudflare operates a global edge network; data may be cached at edge nodes worldwide.
Before disclosing personal information to overseas recipients, we take reasonable contractual steps to require them to handle that information consistently with the Australian Privacy Principles. Under APP 8, if an overseas recipient handles personal information in breach of the APPs, we may be held accountable. We accept that accountability.
10.2 Security and Vulnerability Data Disclaimer
Vigil aggregates publicly available vulnerability intelligence from sources including CISA's Known Exploited Vulnerabilities catalogue, GitHub Security Advisories, and vendor security RSS feeds. This information constitutes security intelligence, not personal data.
Vigil does not confirm or imply that any user's systems have been breached based on alert delivery. Alert receipt does not trigger GDPR Article 33 or equivalent breach notification obligations — those obligations arise only upon confirmed compromise of personal data. A Vigil alert notifies you of a disclosed vulnerability; it does not mean your systems have been exploited.
11. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction. These include:
- Encrypted communications (TLS for all data in transit).
- Encrypted database storage at rest (Supabase on AWS with AES-256 encryption).
- Authentication logging and anomaly detection.
- Access controls and role-based permissions.
- Regular review of sub-processor security standards.
No system is completely secure. If you believe your account has been compromised, contact privacy@vigil.junocode.com immediately.
12. Data Breach Notification
In the event of a personal data breach, we will:
- EU/UK GDPR: Notify the relevant supervisory authority (ICO for UK; relevant national DPA for EU) within 72 hours of becoming aware of a breach likely to result in risk to individuals' rights and freedoms (GDPR Art. 33). We will notify affected individuals where the breach is likely to result in high risk (GDPR Art. 34).
- Australia (NDB scheme): Complete an assessment within 30 days of becoming aware of grounds to suspect a notifiable data breach. If the breach is assessed as likely to cause serious harm, we will notify the OAIC and affected individuals as soon as practicable.
- Brazil (LGPD): Notify the ANPD and affected individuals promptly (within 72 hours where serious risk is present).
- Canada (PIPEDA): Notify the OPC and affected individuals “as soon as feasible” in the event of a breach posing a real risk of significant harm.
- Japan (APPI): Notify the PPC and affected individuals without delay in the event of a qualifying breach.
We maintain an internal breach register in compliance with GDPR Art. 33(5).
13. Children
The Service is designed for professional and business use. We do not knowingly collect personal data from:
- Children under 16 years of age (EU/UK GDPR threshold).
- Minors under 18 years of age (applicable in some jurisdictions).
If we become aware that we have inadvertently collected personal data from a child below the applicable age threshold, we will delete it promptly. If you believe a child has registered an account, contact privacy@vigil.junocode.com.
14. EU and UK Representatives
We are in the process of appointing an EU Representative as required by GDPR Article 27 for non-EU controllers offering services to EU data subjects. We are also in the process of appointing a UK Representative as required by UK GDPR Article 27.
In the interim, contact privacy@vigil.junocode.com for all data protection queries. We respond to all queries regardless of jurisdiction.
Once representatives are appointed, their details will be published in an update to this policy. EU users may also contact their national supervisory authority directly at any time.
15. Data Protection Officer (DPO)
For LGPD purposes (Brazil): LGPD requires all covered organisations to appoint a Data Protection Officer (Encarregado). We are in the process of designating a DPO. In the interim, all data protection and privacy queries should be directed to privacy@vigil.junocode.com.
For GDPR purposes, Vigil at its current scale does not meet the threshold for mandatory DPO appointment under GDPR Art. 37. We have designated a privacy contact for all data protection queries.
16. Data Subject Access Requests (DSARs)
To submit a data subject access request or exercise any other privacy right:
- Email privacy@vigil.junocode.com with the subject line “Privacy Request”.
- Describe the right you wish to exercise and provide sufficient information to verify your identity.
- We will respond within 30 days (EU/UK GDPR standard). Responses are free of charge.
We may ask for additional information to verify your identity before processing a request.
17. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email and by posting a notice on our website. We will update the “Last updated” date at the top of this page. Continued use of the Service after the effective date of a material change constitutes acceptance of the updated policy.
18. Contact
For all privacy-related queries, rights requests, and complaints:
Email: privacy@vigil.junocode.com
Controller: ClawNet (trading as Vigil), England & Wales