Privacy Policy

Effective Date: May 22, 2018|Revised Date: Jun 23, 2024

1. WHO WE ARE

   References to “we”, “our” or “us” in this privacy and cookies policy (“Privacy Policy”) mean Probely – Soluções de Cibersegurança, S.A., a private limited liability company incorporated in Portugal, with registered offices at Rua Alfredo Allen 455, 4200-135 Porto, under registration and tax number PT514413735.

   For the purposes of data protection laws, Probely can be considered both as the "Data Controller" or the Data Processor, for different purposes, with respect to the personal information collected through our websites located at https://probely.com/ and https://securityheaders.com/ ("Site", “Sites”). Where Probely is considered as the "Data Processor", the means and purposes of the processing are defined through specific "Data Processing Agreements".

2. SCOPE

   We collect certain information through our Site, including through the products and services provided on the Site. This Privacy Policy lays out our policies and procedures surrounding the collection and handling of any such data that identifies an individual user, or that could be used to contact or locate him or her personally.

   This Privacy Policy applies only to our Site and to the products and services provided through our Site. It does not apply to any third-party site or service linked to our Site or recommended or referred by our Site, through our products or services, or by our staff. And it does not apply to any other website, product, or service operated by us, or to any of our offline activities.

3. DEFINITIONS

   “Anonymization” means the processing of Personal Data in such a way as to ensure that the Data Subject is no longer identified or identifiable. To determine whether a Data Subject is identifiable, account should be taken of all the means reasonably likely to be used either by the Controller or by any other person to identify the said person.

   “Controller” means the legal entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

   “Data Preservation” means the preservation, collection, refinement, and production of Records triggered by an internal or external investigation.

   “Electronic Record” means e-mails, chat messages, text messages, or voice mail.

   “European Data Protection Law” means the EU General Data Protection Regulation 2016/679 (“GDPR”), and its national implementing legislations and data protection privacy laws applicable in the countries of the European Economic Area (“EEA”).

   “CCPA” means the California Consumer Privacy Act.

   “Investigation” means an internal process designed to gather information in order to determine whether wrongdoing occurred and, if so, the persons or entities responsible.

   “Legal Hold Notification” means a notification on Data Preservation in a legal proceeding.

   “Personal Data” means any information relating to an identified or identifiable (“Personally Identifiable Information” or “PII”) natural person (“Data Subject”) (“You”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

   “Processor” means the legal entity that processes Personal Data on behalf of and under the instructions of the Controller.

   “Record” refers to any document, information, file, or record that includes Personal Data and that is created, received, stored, or otherwise processed by Personnel by any means in the context of their employment or other contractual relationship with the Company regardless of the manner in which it has been created, received, stored, or otherwise processed.

   “Retention Period” means the period of time for which Personal Data has to be or can be stored, considering legal requirements including privacy aspects as well as the Company’s economic and business needs.

   “Sensitive Personal Data” or “Sensitive Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs; trade-union membership; genetic data, biometric data processed solely to identify a human being; health-related data; data concerning a person’s sex life or sexual orientation.

4. THE PERSONAL DATA WE COLLECT

   We automatically collect the following PII from users that visit our Site:

   • IP address
   • web browser type and version
   • operating system
   • a list of URLs starting with a referring site, your activity on Our Site, and the site you exit to

   When setting up an individual account on the Site, it is mandatory to provide, and we will record, the following PII:

   • name
   • email address
   • title

   In addition, when you become a paying customer, we will consequently record the following personal data, regarding the billing information:

   • Name
   • VAT number
   • Address
   • Zipcode
   • City
   • Country

   In addition to the above, we collect and process, on an anonymous basis, data related to the use of our Site, such as the pages visited, the time spent on each page, etc.

   In order to provide the service to our customers, our product also collects the following information:

   • Target URL and settings (including testing credentials if provided)
   • Vulnerability details including Requests/Responses for each vulnerability found
   • Product logs, including the URLs tested and full requests (temporarily, up to 60 days)

5. OUR USE OF PERSONAL DATA

   All personal data is stored securely in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and the California Consumer Privacy Act (CCPA).

   We use your PII to personalize your experience on our site, to create your account, to communicate with you about products and services we provide, to provide you with news, and for billing. We also use that information to the extent necessary to enforce our Site’s Terms of Use and to prevent imminent harm to persons or property.

   We are the owners of the anonymous data related to the use of our Site and may use such anonymous data for statistical or commercial purposes.

   Under the applicable data protection laws, we will ensure that your personal data is processed lawfully, fairly, and transparently, without adversely affecting your rights. We will only process your personal data if at least one of the following basis applies:

   • when necessary to perform the Terms and Conditions or to provide you with the services;
   • where you have consented to the processing, which you may revoke at any time;
   • when necessary for us to comply with a legal obligation, a court order, or to exercise and defend legal claims;
   • when necessary to protect your vital interests, or those of others, such as in the case of an emergency;
   • where you have made the information manifestly public;
   • where necessary in the public interest; and
   • where necessary for the purposes of our, your, or a third party’s legitimate interests.

6. THE COOKIES WE COLLECT AND THE USE WE GIVE THEM

   A cookie is a small amount of data, which often includes a unique identifier that is sent to your computer or mobile phone (referred to here as a “Device”) browser from a website’s computer. It’s stored on your Device’s storage. Each website can send its own cookies to your browser if your browser’s preferences allow it, but to protect your privacy your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other sites. Cookies give us usage data, like how often you visit, where you go on the Site, and what you do.

   We use cookies so that our Site can remember you and provide you with the information you’re most likely to need, and also to compile statistical anonymous information. Please note we collect certain information from all users, including web visitors who simply peruse our Site.

   We may also use third-party cookies (for example, Google AdSense and DoubleClick) and Web beacons on our Site to deliver advertising displayed to you on third-party sites. We may also use cookie information to know when you return to our Site after visiting these third-party sites. Additionally, we may also use analytics services (such as Google Analytics, Optimizely, New Relic, and others) to help analyze how users use the Site. It is possible to opt out of the use of cookies for advertising targeting purposes by visiting https://tools.google.com/dlpage/gaoptout/.

   Similarly to cookies, we may also use “web beacons”. Web beacons are used as a mechanism to help us track your visits to our site and whether or not you open our emails. The pages of our Site and the emails we send you may contain web beacons. In addition, we may use several third-party services that embed web beacons on our site for similar tracking purposes. These third-party services are used to provide additional features to users, such as the ability to share content on our site with your social network.

   In the table below, you can find the cookies and web beacons that we currently install on your browser or Device, its purpose and max lifespan:

   • cfduid Used by Cloudflare (CDN) to identify trusted web traffic (1 yr)
   • _ga Used by Google Analytics to distinguish users (2 yrs)
   • _gid Used by Google Analytics to distinguish users (1 day)
   • _gat Used by Google Analytics to throttle request rate (1 min)
   • _gcl* Used by Google Adsense (3 mo)
   • NID; DV; 1P_JAR Used by Google to store preferences (6 mon)
   • CONSENT; ck Stores the user’s cookie consent (1 yr)
   • intercom-* Used by Intercom to track user’s actions and for customer support (270 days)
   • tkn_expires_p; tkn_p; p_plus_ttl_production; p_plus_auth_production Used by Probely app for identifying user sessions
   • _stripe* Used by Stripe to provide fraud prevention
   • rp Used by Probely for identifying where you first visited us from (8 mon)
   • nQ** Used by Albacross to track user visits (1 yr)
   • _ut Used to track a visitor’s source (from advertising) (1 yr)
   • _hs; hs-; hubspot*; messagesUtk Used by Hubspot to track user’s actions and for customer support, marketing, and sales (13 months)

   Please be aware that users have the opportunity to set their Devices to accept all cookies, to notify them when a cookie is issued, or not to receive cookies at any time. Each browser is different, so check the “Help” menu of your browser to learn how to change your cookie preferences. To learn more about cookies, what they do, and how to manage the information they collect about you and your usage of the Site, please consult informative sites such as https://www.allaboutcookies.org.

   Please be aware that blocking all or some cookies may affect the functionality of our Site. Kindly consult the chart above for the relevance of the cookies we use.

   When accessing our Site, you will be alerted that we use cookies and that by continuing to use the Site we assume that that means you consent to the installation and use of cookies. Should you not agree, please block cookies on your browser or cease to use the Site.

7. PROTECTION OF PERSONAL DATA

   As owners of a security product, we take PII security very seriously. The following list is a non-exhaustive list of security controls we implemented to protect our infrastructure, our product, and your PII:

   • We only allow communications to our servers, that host our product and site, through a secure channel (HTTPS) using TLS. HTTPS allows for the authentication of the visited website and the protection of the privacy and integrity of the exchanged data.
   • All of our infrastructure is hosted in a top-tier cloud provider, where security has been scrutinized. We use managed services supplied by the cloud provider to the highest possible extent. We also use their security features and controls, to segregate and monitor our service networks, for audit logs, and for security event management. The frontend, backend, and database servers use private and segregated networks controlled by security groups.
   • We also follow the best security practices, including (but not limited to):
     • Principle of the least privilege (to access our systems and data),
     • Encryption of sensitive data at rest,
     • Server hardening and security updates,
     • Requiring 2-factor authentication to access our systems,
     • Central logging
     • Secure Software Development Life cycle, including periodic security assessments (manual and using Probely)

   Not withstanding the security measures that We take, it is important to remember that the transmission of data via the internet may not be completely secure and that you are advised to take suitable precautions when transmitting to Us data via the internet.

8. THIRD-PARTY ACCESS TO YOUR PII

   We give or may give in the future certain independent contractors access to PII (“Data Processors”). No Data Processor will be retained without first entering into contracts in which they agree to protect PII using procedures reasonably similar to ours and will only process PII in accordance with our instructions.

   We may also disclose PII to local resellers who have access to the contact information of accounts in their assigned territories, subject to confidentiality agreements and data protection standards.

   Additionally, we may disclose PII to attorneys and investors bound to confidentiality restrictions and to law enforcement authorities, courts, and public regulators, whenever such is required by applicable legislation. Finally, we may share PII in connection with a transaction of all or substantially all of our assets.

   To provide the services, we rely on different data subprocessors, which process different categories of data. Processors never store data outside of the scope of their specific purpose. These subprocessors are listed below, with a description of the service and the location where data is hosted. This list may be updated by Probely from time to time:

   • Amazon Web Services, Inc.

     • Hosting and storage
     • EU, USA

   • Chargebee, Inc.

     • Subscription Management, Billing and Invoicing
     • EU, USA

   • Intercom, Inc.

     • Customer Support, Marketing and CRM
     • USA

   • Hubspot, Inc.

     • CRM, Marketing
     • EU, USA

   • Stripe, Inc.

     • Payment processing
     • USA

   • Sentry, Inc.

     • Error monitoring platform
     • USA

   • Cloudflare, Inc.

     • Content Delivery Network / Website security
     • Data centers located all around the world. Traffic will be automatically routed to the nearest data center.

   • Google

     • Analytics, Tag Manager, Workspace
     • USA

   • Invoicexpress

     • Invoicing
     • EU

   • Chartmogul

     • Subscription Analytics
     • EU

   • Oracle Netsuite

     • ERP
     • EU, USA

9. EXERCISE YOUR RIGHTS

   Before your account can be activated, you will be required to confirm that you have read and agreed to the Site’s Terms of Service and taken knowledge of this Privacy Policy.

   You have a number of rights in relation to your information that we process. While some of these rights apply generally, certain rights apply only in certain limited cases. We describe these rights below.

   1. Access and Porting: You can access much of your information by logging into your profile. If you require access to additional information, or you do not have a profile, please contact us. Where legally required, we will provide your information in an easily accessible format and assist in transferring some of this information to third parties. You can access and change any PII we store by contacting us directly at the following e-mail address: privacy@probely.com. The access and correction of your PII are free of charge. You acknowledge, however, that all PII you provide must be accurate and updated.
   2. Rectify, Restrict, Delete: You can restrict, rectify, update, and delete some of your information, in accordance with and within the limits of applicable law, by logging into your account or contacting us directly. If you don’t have an account or want us to restrict, update, or delete other information, please contact us. It is your right to also request that we notify third parties with whom we may have shared your PII and also request that they comply with your instructions.
   3. Object: Where we process your information based on the legitimate interests, or in the public interest, you can object to the processing in certain circumstances. We will generally stop processing your information unless we have compelling grounds to continue processing, such as where needed for legal reasons. Where we use your information for direct marketing, you can always object to using the unsubscribe link in such communications, changing your profile settings, or contacting us. You may oppose, at any time and free of charge, the use of your PII for direct marketing or any other form of commercial use. Should you wish to do so after receiving an e-mail or SMS from us, we will provide you with a simple option to opt out or remove yourself from our marketing directory.
   4. Withdraw consent: If we have specifically asked for your consent to use your information, you have the right to withdraw your consent at any time. For example, if we ask for your consent for direct marketing purposes, you can revoke your consent using the unsubscribe link in such communications, changing your profile settings or by contacting us. This may be done simply by sending us an email to privacy@probely.com.
   5. Complain: If you wish to raise a concern about our use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local supervisory authority.

10. DATA TRANSFERS

    As a global business, we access and transfer information around the world. If you are based in the EU, this means that we access and transfer your personal information outside the EU, including in and to the United States. The privacy protections and the rights of authorities to access your personal information in some of these countries may not be the same as in your home country. We transfer your personal information in accordance with law and take steps to ensure that your information is appropriately protected.

    In particular, where we transfer information to countries that are not viewed as providing adequate protection, we generally rely on an approved mechanism known as the “standard contractual clauses” to protect the information transferred. These are template contracts published by the European Commission containing approved commitments to protect the privacy and security of the information transferred.

11. CALIFORNIA RESIDENTS AND THE CCPA

    California residents may ask us to provide them with a list of the types of personal data that we have disclosed to third parties for direct marketing purposes, and the identity of those third parties. If you would like such a list, please contact us via the contact details herein with the subject field “CCPA”. If you exercise your rights, we will not charge you different prices or provide different quality of services. We don’t sell personal data to third parties.

    Once we receive your request, we may verify it by requesting information sufficient to confirm your identity, including by asking you for additional information. If you would like to use an agent registered with the California Secretary of State to exercise your rights, we may request evidence that the agent has valid written authority to submit requests to exercise rights on your behalf.

12. WHERE WE STORE YOUR PII AND FOR HOW LONG

    Unless expressly agreed or contracted otherwise, all the PII regarding our users is stored on secure servers located within the European Union. We will inform our users should we eventually change our policy.

    Our objective is that our users have a long-lasting relationship with our Site, even if visits are not very frequent. We will store your PII, and your account will continue to be active for three years following your last interaction with our Site. Prior to closing your account, we will notify you asking whether you wish to maintain your account active.

    After a deletion request, your PII will be retained for up to 3 months as part of backup procedures.

    We may also need to retain some of your information for a longer period to comply with our legal and regulatory obligations, resolve disputes, and enforce our Terms of Service.

13. AMENDMENT OF THIS PRIVACY POLICY

    We reserve the right to revise this Privacy Policy from time to time. We will date and post the most current version of this Privacy Policy on our Site. Any changes will be effective on the date indicated at the top of the revised Privacy Policy.

    If in our sole discretion, we deem a revision to this Privacy Policy to be material, we will notify you via the Service and/or by email to the email address associated with your account. Your continued access or use of any portion of the Service constitutes your acceptance of such changes. If you object to such changes, you must cancel and stop using the Service by the effective date of such changes.

    For any clarification regarding our Privacy Policy, please feel free to contact us at privacy@probely.com.