Privacy Policy

Last updated: April 14, 2026

1. Introduction

RustLabs Security ("RustLabs," "we," "us," or "our") operates the website security.rustlabs.ai and provides security auditing, scanning, and monitoring services to its customers. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or engage our services.

By accessing our website or using our services, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access our website or use our services.

2. Information We Collect

2.1 Information You Provide Directly

When you contact us through our website, sign up for our services, or communicate with us by email, we may collect the following personal information:

  • Full name
  • Email address
  • Company name and title
  • Website or application URL
  • Messages and inquiries you send via our contact form
  • Billing and payment information (processed through third-party payment processors; we do not store your full credit card number)

2.2 Information We Access During Security Scans

When you engage our security services, our AI security agents access your infrastructure to perform vulnerability scanning and monitoring. This may include access to:

  • Source code repositories and application code
  • API endpoints and configuration files
  • Database schemas, connection strings, and access patterns
  • Authentication and authorization configurations (e.g., Supabase RLS policies, OAuth settings)
  • Environment variables and secrets (solely for the purpose of identifying exposure)
  • Server logs, traffic patterns, and network configurations
  • Third-party integration configurations (e.g., Stripe, payment processor settings)

We only access what you explicitly authorize. Before any engagement begins, we will define the scope of access in writing. We will not access systems, repositories, or data outside the agreed-upon scope.

2.3 Automatically Collected Information

When you visit our website, we may automatically collect certain information about your device and usage, including:

  • IP address
  • Browser type and version
  • Operating system
  • Referring website
  • Pages visited and time spent on those pages
  • Date and time of visits

This information is collected through standard web analytics tools and is used solely to understand how visitors use our website so we can improve it.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • To respond to your inquiries and provide customer support
  • To deliver, maintain, and improve our security scanning and monitoring services
  • To generate security audit reports and vulnerability findings
  • To process payments and manage your account
  • To communicate with you about your account, service updates, and security alerts
  • To comply with legal obligations
  • To detect, prevent, and address technical issues or fraudulent activity
  • To analyze website usage and improve our website and services

4. How We Handle Data During Security Engagements

As a security company, we take the handling of your data extremely seriously. When we perform security scans and monitoring on your infrastructure:

  • Minimal access. We follow the principle of least privilege. Our agents access only the systems and data necessary to perform the agreed-upon security assessment.
  • No persistent storage of sensitive data. We do not retain copies of your source code, database contents, secrets, environment variables, or other sensitive data after a scan completes. Scan results are delivered to you in the form of findings and recommendations, and any temporary copies are purged in accordance with our data retention schedule.
  • Encrypted transit. All data accessed during security engagements is transmitted over encrypted channels (TLS 1.2+).
  • Access controls. Only authorized RustLabs personnel involved in your engagement have access to your infrastructure or scan results. All personnel are bound by confidentiality obligations.
  • Audit findings delivery. The output of our security scans consists of vulnerability reports, risk assessments, and remediation recommendations. We do not export or store your actual application data as part of these reports.

5. Third-Party Services

We use third-party services to operate our business. These services may have access to certain information on our behalf:

  • Cloud hosting providers. We use third-party cloud infrastructure providers to host our website and applications. These providers may process data on our servers as part of delivering the service.
  • Email service providers. We use third-party email services to send communications, including inquiry responses, security alerts, and account-related emails.
  • Payment processors. We use third-party payment processors to handle billing. We do not store your full credit card or bank account information on our systems.
  • Analytics providers. We may use analytics services to understand website traffic and usage patterns.

Each third-party service provider is required to maintain the confidentiality and security of your data. We do not sell, trade, or rent your personal information to third parties.

6. Data Retention

We retain your personal and engagement data only for as long as necessary:

  • Contact information. Name, email, company, and inquiry details are retained for up to 3 years from your last interaction with us, unless you request earlier deletion.
  • Security scan data. Temporary data accessed during security scans (source code, configuration files, environment variables, database snapshots) is purged within 30 days of scan completion or upon termination of the engagement, whichever is sooner. We retain only the final audit report and findings summary.
  • Audit reports and findings. Security audit reports are retained for the duration of your active subscription plus 1 year after termination, to support any follow-up questions or disputes.
  • Billing records. Payment and billing records are retained for 7 years as required by applicable tax and accounting regulations.
  • Website analytics. Automatically collected website usage data is retained for up to 2 years, after which it is anonymized or deleted.

When data is no longer needed, we securely delete or anonymize it. If you would like to request deletion of your personal data at any time, contact us at security@rustlabs.ai.

7. Data Security

We implement appropriate technical and organizational security measures to protect your personal information and the data we access during security engagements, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls and multi-factor authentication for internal systems
  • Regular security assessments of our own infrastructure
  • Employee training on data handling and confidentiality obligations
  • Incident response procedures for data breaches

While we strive to use commercially acceptable means to protect your information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • The right to access the personal data we hold about you
  • The right to request correction of inaccurate or incomplete data
  • The right to request deletion of your personal data
  • The right to restrict or object to the processing of your data
  • The right to data portability
  • The right to withdraw consent at any time (where processing is based on consent)

To exercise any of these rights, contact us at security@rustlabs.ai. We will respond to all legitimate requests within 30 days.

9. Cookies and Tracking Technologies

Our website may use cookies and similar tracking technologies to enhance your browsing experience. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, some portions of our website may not function properly.

We use cookies primarily for analytics and website functionality. We do not use cookies for advertising or cross-site tracking purposes.

10. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18 without verification of parental consent, we will take steps to remove that information from our servers.

11. International Data Transfers

Your information may be transferred to and maintained on servers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ. Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

RustLabs Security

Security Operations & Outreach

Email: security@rustlabs.ai

Website: security.rustlabs.ai