Privacy Policy
Last updated: May 19, 2026
Vulkro is built around a simple promise: your source code and your scan results never leave your machine. This policy explains exactly what data we receive, what we never receive, and how we handle the narrow set of information we do collect (almost entirely for billing and support).
This policy applies to use of the Vulkro binary, the Vulkro web UI (vulkro serve), the website at vulkro.com, and our content delivery network at dist.vulkro.com.
What Vulkro never collects
The Vulkro binary, when running on your machine, does not transmit any of the following to us:
- Your source code
- Scan results, finding details, or rule-pack matches
- Endpoint inventory or API surface
- Names of files, modules, packages, or contributors
- Environment variables or secrets discovered during scans
- Telemetry, crash reports, usage metrics, or feature-use pings
- Anything resembling a user identifier or hardware fingerprint, other than what is explicitly stored locally in ~/.vulkro/
Vulkro never calls a cloud LLM API, never uploads scan output to a SaaS dashboard, and never sends a "diagnostic" of any kind home. This is not a configuration toggle; it is how the product is built.
Network calls the binary does make
Vulkro makes outbound HTTPS calls at only two points in normal operation (install and vulkro update), and all of them go to our CDN:

| Call | When | What flows |
|---|---|---|
| GET dist.vulkro.com/install.sh | During install | The installer script |
| GET dist.vulkro.com/releases/v*/vulkro-... | During install | The platform-specific binary |
| GET dist.vulkro.com/cve/manifest.json | On vulkro update | Signed CVE manifest |
| GET dist.vulkro.com/cve/.../cves.vkbundle | On vulkro update | Signed CVE bundle |

Both kinds of call can be disabled. To run fully offline, set VULKRO_OFFLINE=1 or pass --no-cve-update during install, and deliver CVE bundles via USB, mirror, or internal package feed.
These calls hit our CDN over HTTPS. We do see standard request metadata (IP address, user agent, timestamp, requested object). We do not log these requests in a personally-identifying way, do not correlate them across requests, and do not use them for analytics.
What we do collect, and why
We collect the minimum needed to bill you and support you:
When you purchase a license
Our payment processor receives your name, billing address, email, and payment instrument. Our processor is Paddle.com Inc. (or its local subsidiary), acting as our merchant of record. Paddle handles PCI-DSS-compliant payment processing, tax remittance in your jurisdiction, and invoicing.
What we receive from Paddle is limited to: your email address, the plan you purchased, the order total, and the timestamp. We use this to issue your .lic license file and to send you renewal notifications.
When we issue your license
When the payment webhook fires, we sign and email you a .lic file containing:
- Your name (cosmetic, shown in vulkro activate output)
- Your machine ID (provided by you at checkout)
- The product tier and expiry date
- An Ed25519 signature over the above payload
The signing key is stored in our infrastructure (Cloudflare R2, encrypted at rest). It never leaves the issuing system. You receive only the signed .lic.
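An added example, not Vulkro's code, of the issue-and-verify flow this section describes: an Ed25519 signature over a payload of name, machine ID, tier and expiry, checked locally against the issuer's public key so that activation needs no network call and the private key never leaves the issuing side. The policy does not specify the .lic layout, so the JSON shape, the base64 envelope, the RFC 3339 expiry format, the function names and the sample customer data are all assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Payload holds the fields the policy says a .lic carries. The JSON field
// names and the RFC 3339 expiry are assumptions made for this example.
type Payload struct {
	Name      string `json:"name"`       // cosmetic only
	MachineID string `json:"machine_id"` // supplied by the customer at checkout
	Tier      string `json:"tier"`
	Expiry    string `json:"expiry"` // RFC 3339, UTC
}

// License is the assumed on-disk envelope: the payload plus a base64
// Ed25519 signature over the canonical payload bytes.
type License struct {
	Payload   Payload `json:"payload"`
	Signature string  `json:"sig"`
}

var (
	ErrBadSignature = errors.New("license: signature does not verify")
	ErrWrongMachine = errors.New("license: machine ID does not match this host")
	ErrExpired      = errors.New("license: expired")
)

// canonical produces the exact bytes that are signed. encoding/json emits
// struct fields in declaration order with no whitespace, so issuer and
// verifier compute identical bytes from the same payload.
func canonical(p Payload) ([]byte, error) {
	return json.Marshal(p)
}

// Issue is the issuer-side step: sign the payload and wrap it in a License.
// The private key stays on the issuing system; only the output is sent out.
func Issue(priv ed25519.PrivateKey, p Payload) ([]byte, error) {
	msg, err := canonical(p)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(priv, msg)
	lic := License{Payload: p, Signature: base64.StdEncoding.EncodeToString(sig)}
	return json.MarshalIndent(lic, "", "  ")
}

// Verify is the client-side step, run entirely offline against a public key
// compiled into the binary. Order matters: the signature is checked before
// any field is trusted, then the machine binding, then expiry.
func Verify(pub ed25519.PublicKey, data []byte, machineID string, now time.Time) (Payload, error) {
	var lic License
	if err := json.Unmarshal(data, &lic); err != nil {
		return Payload{}, err
	}
	sig, err := base64.StdEncoding.DecodeString(lic.Signature)
	if err != nil {
		return Payload{}, err
	}
	msg, err := canonical(lic.Payload)
	if err != nil {
		return Payload{}, err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return Payload{}, ErrBadSignature
	}
	if lic.Payload.MachineID != machineID {
		return Payload{}, ErrWrongMachine
	}
	exp, err := time.Parse(time.RFC3339, lic.Payload.Expiry)
	if err != nil {
		return Payload{}, err
	}
	if !now.Before(exp) {
		return Payload{}, ErrExpired
	}
	return lic.Payload, nil
}

func main() {
	// Constructed sample: a fresh keypair, a fictitious customer, a fixed clock.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	lic, err := Issue(priv, Payload{
		Name: "Example Customer", MachineID: "f3a1-example", Tier: "team",
		Expiry: "2027-05-19T00:00:00Z",
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(string(lic))
	now := time.Date(2026, 6, 1, 0, 0, 0, 0, time.UTC)

	// Activation on the bound machine succeeds...
	p, err := Verify(pub, lic, "f3a1-example", now)
	fmt.Println("activate:", p.Tier, err)
	// ...while a copy moved to another host is rejected before expiry is even read.
	_, err = Verify(pub, lic, "some-other-host", now)
	fmt.Println("moved copy:", err)
}
```

The signature covers every field, so editing the tier or expiry in the file invalidates it, and a license minted with any key other than the issuer's fails at the first check. Re-marshalling the parsed payload, rather than signing the raw file bytes, keeps the check independent of whitespace and field order in the file but means the verifier must never accept fields it does not re-encode.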
When you email us
If you write to support@, billing@, hello@, or contact@, we receive your email address, the content of your message, and any attachments. We use this to respond to you and to keep a record of the correspondence. Inboxes are accessible only to Vulkro staff.
When you visit our website
The website at vulkro.com is served by Cloudflare Pages. Cloudflare processes standard request metadata (IP, user agent) for security and abuse prevention. We do not run analytics, do not place tracking cookies, and do not embed third-party trackers. There is no Google Analytics, no Plausible, no Mixpanel, no Segment, no Facebook pixel, no LinkedIn pixel, and no ad network on this site.
Data we store
| Data | Where stored | Retention |
|---|---|---|
| Customer email, name, machine ID, license expiry | Cloudflare D1 (encrypted at rest) | For the active subscription + 6 years (Indian tax record requirement) |
| Payment records | Paddle.com | Per Paddle's retention policy |
| Email correspondence | Email provider inbox | Indefinitely unless you request deletion |
| Issued .lic files | Cloudflare R2 (private bucket) | For the active subscription |
| Signing keys (private) | Cloudflare R2 (private bucket) | Until rotated |
Your rights
Depending on where you live, you may have rights under GDPR, the UK GDPR, the CCPA, India's DPDP Act, or similar laws:
- Access: ask what data we have about you
- Rectification: correct inaccurate data
- Erasure: request deletion (subject to legal record-keeping)
- Portability: receive your data in a portable format
- Objection: object to specific processing
To exercise any of these, email [email protected]. We respond within 30 days.
Children's privacy
Vulkro is a B2B developer tool. It is not directed at children under 16, and we do not knowingly collect data from children.
Subprocessors
We use a small number of third-party services to operate Vulkro:
| Service | Purpose | Region |
|---|---|---|
| Cloudflare (Pages, R2, D1, Workers) | Website hosting, binary distribution, database, license issuance | Global |
| Paddle.com Inc. | Payment processing, tax remittance, invoicing | Global |
| Resend (or comparable) | Transactional email for license delivery | EU / US |
| Email provider | Customer support inbox | Provider's region |
We do not share customer data with any party other than these subprocessors, and only to the extent each one needs the data to perform its function.
Changes to this policy
We may update this policy from time to time. Material changes will be announced on our website at least 30 days before they take effect.
Contact
Privacy questions, data-rights requests, or anything else: [email protected].