Privacy Policy
Effective date: March 21, 2026
1. Who We Are
RiskScore is a CVE vulnerability intelligence API operated from 612 South 4th Street, Philadelphia, PA 19147, United States. This Privacy Policy explains how we collect, use, store, and share information when you use our website (riskscore.dev), dashboard (dashboard.riskscore.dev), or API (api.riskscore.dev). Questions? Email [email protected].
2. What Data We Collect
Account data
- Email address — required to create an account and send transactional emails.
- Password — stored as a bcrypt hash only. We never store your plaintext password; it is sent over TLS at login and hashed before it is written anywhere.
- Stripe customer ID & subscription ID — stored to manage billing. We do not store card numbers; those are held by Stripe.
- Marketing opt-out preference — whether you have unsubscribed from non-transactional emails.
API key data
- Key hash (SHA-256) — we store a one-way hash of your API key for authentication. The raw key is shown to you once at creation and not stored, so if you lose it we cannot recover it; you must create a new key.
- Key prefix — the first 8 characters, used for identification in logs and dashboard display.
- Last used timestamp — when the key was last used to make an API request.
Usage & log data
- API request counts — tracked per key per day and per minute for rate limiting.
- IP addresses — captured in application and access logs for abuse prevention and security purposes.
- Request metadata — endpoint called, HTTP status code, timestamp. We do not log full request/response bodies.
What we do not collect
We do not use tracking cookies, analytics pixels, or third-party advertising scripts. We do not collect your name, phone number, or physical address. We do not fingerprint your browser.
3. Why We Collect It
Account management
Email and hashed password are used to authenticate you and deliver your API key and billing notifications. Legal basis: contract performance.
Rate limiting
API request counts are used to enforce per-plan rate limits and ensure fair use of shared infrastructure. Legal basis: contract performance + legitimate interest.
Abuse prevention & security
IP addresses and log metadata are retained to detect and block abusive activity, unauthorized access attempts, and API misuse. Legal basis: legitimate interest.
Billing
Stripe customer and subscription IDs are used to manage your paid plan, process payments, and handle upgrades or cancellations. Legal basis: contract performance.
4. Data Retention
- Account data — retained until you request deletion. See Section 6 for how to request this.
- Application logs (including IP addresses) — retained for 30 days, then purged.
- API usage counters (Redis) — kept with an expiry equal to the rate-limit window (one minute or one day) and not persisted beyond it.
- Billing records — retained as required by Stripe and applicable tax/accounting law (typically 7 years).
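The counters described above (per key, per minute and per day, expiring with the window) are an added illustration and not RiskScore's own code. The page does not say which algorithm is used; this example implements fixed windows whose Redis keys carry a TTL of one window length, which is what makes them self-purging. The in-memory store, the key names and the limit values are assumptions for the example, and the redis-py equivalents are noted in comments.

```python
import time

MINUTE = 60
DAY = 86_400


class MemoryCounterStore:
    """In-memory stand-in for the two Redis commands the limiter needs: INCR and
    EXPIRE ... NX (set a TTL only if none exists). Entries vanish once their TTL
    elapses, which is the property that keeps a counter from outliving its window."""

    def __init__(self, clock):
        self._clock = clock
        self._data = {}  # key -> [count, expires_at or None]

    def _live(self, key):
        entry = self._data.get(key)
        if entry is not None and entry[1] is not None and self._clock() >= entry[1]:
            del self._data[key]  # expired: behave as if Redis had evicted it
            return None
        return entry

    def incr(self, key):
        entry = self._live(key)
        if entry is None:
            entry = self._data[key] = [0, None]
        entry[0] += 1
        return entry[0]

    def expire_nx(self, key, seconds):
        entry = self._live(key)
        if entry is not None and entry[1] is None:
            entry[1] = self._clock() + seconds

    def exists(self, key):
        return self._live(key) is not None


class FixedWindowLimiter:
    """Per-key counters in fixed windows. Each counter is named after its window
    start and given a TTL of one window length, so the store purges it itself."""

    def __init__(self, store, clock, limits):
        self.store = store
        self.clock = clock
        self.limits = limits  # {window_seconds: max_requests}

    def counter_key(self, key_id, window):
        start = int(self.clock()) // window * window
        return f"ratelimit:{key_id}:{window}:{start}"  # name format is an assumption

    def allow(self, key_id):
        """Increment every window's counter, then deny if any limit is exceeded.
        Incrementing before checking avoids a check-then-act race between workers;
        with redis-py this is pipe.incr(k); pipe.expire(k, window, nx=True)."""
        counts = {}
        for window, _limit in self.limits.items():
            k = self.counter_key(key_id, window)
            counts[window] = self.store.incr(k)
            self.store.expire_nx(k, window)
        allowed = all(counts[w] <= limit for w, limit in self.limits.items())
        return allowed, counts


def simulate(per_minute=3, per_day=5):
    """Drive the limiter with a controllable clock. Returns the allow/deny sequence
    and whether the first minute's counter still exists after the window passed."""
    now = [1_700_000_000.0]  # constructed start time
    clock = lambda: now[0]
    store = MemoryCounterStore(clock)
    limiter = FixedWindowLimiter(store, clock, {MINUTE: per_minute, DAY: per_day})
    results = [limiter.allow("key_abc")[0] for _ in range(4)]  # 3 allowed, 4th denied
    first_minute_key = limiter.counter_key("key_abc", MINUTE)
    now[0] += MINUTE                                  # next minute window
    results.append(limiter.allow("key_abc")[0])       # allowed: minute reset, day count 5
    results.append(limiter.allow("key_abc")[0])       # denied: day count 6 exceeds 5
    return results, store.exists(first_minute_key)
```

Note that a denied request still increments the daily counter, so repeated over-limit calls count against the plan; a sliding-window variant would need a sorted set per key instead of one integer per window.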
5. Third Parties
We share data with third-party processors (Stripe for billing and Resend for email delivery, see Section 9) only to the extent necessary to provide the Service.
We do not sell, rent, or trade your personal data to any third party. We do not use advertising networks. We do not share data with data brokers.
6. Your Rights
Depending on your location, you may have rights including access, rectification, erasure, restriction, and portability of your personal data. EU/EEA residents have rights under the General Data Protection Regulation (GDPR); California residents have rights under the California Consumer Privacy Act (CCPA).
To exercise any of these rights — including requesting deletion of your account and associated data — email [email protected] with the subject line “Data Request — [your email address]”. We will respond within 30 days.
Unsubscribe from marketing emails: Every marketing email we send includes a one-click unsubscribe link. You can also unsubscribe at any time by emailing us. Transactional emails (password resets, billing receipts) are not affected by marketing opt-out.
7. Security
All data is transmitted over TLS (HTTPS). Passwords are hashed with bcrypt before storage. API keys are stored as SHA-256 hashes; the raw key is never persisted after initial delivery. A fast hash is sufficient for API keys because they are randomly generated, high-entropy secrets, unlike user-chosen passwords, which need a slow hash such as bcrypt. Our API is served exclusively over HTTPS enforced by our TLS termination layer. We follow industry-standard practices for access control, dependency management, and secret handling.
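The API key handling described in Sections 2 and 7 (key shown once, only the prefix and a SHA-256 hash retained, prefix used in logs), as an added example that is not RiskScore's code. The key format ("rs_" plus 32 random bytes from the OS CSPRNG), the in-memory store and the log line format are assumptions; the page states none of them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

PREFIX_LEN = 8  # the policy keeps the first 8 characters for logs and the dashboard


@dataclass
class StoredKey:
    prefix: str                      # safe to show in logs and the dashboard
    key_hash: str                    # hex SHA-256 of the full key
    last_used: Optional[datetime] = None


def issue_key(store: dict) -> str:
    """Create a key, persist only its prefix and hash, and return the raw key once.

    Format and entropy are assumptions: 'rs_' plus 32 random bytes (256 bits).
    A random secret this large needs no slow hash, so SHA-256 is appropriate;
    passwords are low-entropy and user-chosen, which is why they get bcrypt
    (not shown here; it needs the external bcrypt package)."""
    raw = "rs_" + secrets.token_urlsafe(32)
    digest = hashlib.sha256(raw.encode()).hexdigest()
    store[digest] = StoredKey(prefix=raw[:PREFIX_LEN], key_hash=digest)
    return raw  # shown to the user once; nothing else retains it


def authenticate(store: dict, presented: str,
                 now: Optional[datetime] = None) -> Optional[StoredKey]:
    """Hash the presented key and look the digest up; update last-used on success.

    Looking up by digest is safe against timing probes: an attacker cannot steer
    the digest of a guessed key without a SHA-256 preimage. compare_digest is kept
    as cheap defence in depth for the final equality check."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    rec = store.get(digest)
    if rec is None or not hmac.compare_digest(digest, rec.key_hash):
        return None
    rec.last_used = now or datetime.now(timezone.utc)
    return rec


def log_line(rec: StoredKey, endpoint: str, status: int, client_ip: str) -> str:
    """An access-log entry with only the fields the policy says are logged:
    timestamp, key prefix, client IP, endpoint and status. No key, no body."""
    ts = (rec.last_used or datetime.now(timezone.utc)).isoformat()
    return f"{ts} key={rec.prefix} ip={client_ip} endpoint={endpoint} status={status}"
```

Because the store holds only the digest, a database leak exposes nothing a client can present; the prefix alone identifies which key to rotate without being usable itself.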
8. GDPR Basis Summary
| Processing activity | Legal basis |
|---|---|
| Account creation & authentication | Contract performance (Art. 6(1)(b)) |
| API key issuance & billing | Contract performance (Art. 6(1)(b)) |
| Rate limiting & abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Log retention for security | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails | Legitimate interest (Art. 6(1)(f)) — opt-out available at any time |
| Transactional emails | Contract performance (Art. 6(1)(b)) |
9. International Transfers
RiskScore is operated in the United States. If you are located in the EU/EEA or another jurisdiction with data transfer restrictions, please be aware that your data will be processed in the United States. By using the Service, you acknowledge this transfer. We rely on Stripe and Resend, both of which maintain appropriate transfer mechanisms under applicable law.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our website. The effective date at the top of this page will always reflect the most recent revision.
11. Contact
For privacy questions, data requests, or concerns, contact us at [email protected]. We aim to respond within 5 business days, and within 30 days for formal data subject requests.