PentestAI

Privacy Policy

Last updated: April 27, 2026

1. Introduction

PentestAI (“we”, “us”, “our”) takes privacy seriously. This Privacy Policy explains what information we collect, how we use it, and your rights with respect to it. By using the Service, you consent to the practices described here.

2. Information We Collect

Account Information

When you register, we collect your email address and a salted hash of your password (Argon2id; see Section 7). We never store your password in plaintext. We use your email address to identify your account and to send account-related communications (email verification, password reset, usage warnings).

Usage Data

We collect data about your use of the Service, including chat message content, AI model usage (token counts, cost), and timestamps. This data is used to enforce the per-user weekly spend cap, investigate abuse, and improve the Service.

Technical Data

Standard web server logs (IP address, browser user agent, request timestamps) are retained for security and operational purposes.

3. AI Technology and Anthropic Data Handling

This Service uses third-party AI technology, including Anthropic’s Claude API, to generate responses. Your conversations are sent to Anthropic’s API for processing and are not used by Anthropic to train AI models. Anthropic retains conversation data for up to 7 days for safety purposes. Separately, we retain conversations server-side for abuse investigation and product improvement (see Section 5).

You can review Anthropic’s own privacy policy at anthropic.com/privacy. Anthropic’s terms apply to the processing of your conversations through their API in addition to this policy.

4. Analytics

We do not currently use any analytics, and we do not use Google Analytics. Privacy-friendly analytics are planned for a later phase of development (Phase 4). When analytics are introduced, we will update this policy and use only tools that do not share data with third parties and do not use cookies for cross-site tracking.

5. Data Retention

We retain your account data for as long as your account is active, plus a reasonable period thereafter for legal and operational purposes. You may request deletion of your account by contacting us (see Section 9). Conversation history is retained to provide the Service (history sidebar, context loading) and for abuse investigation.

6. Data Sharing

We do not sell your data. We share data only with:

  • Anthropic — your conversation content is sent to the Anthropic API to generate responses (see Section 3).
  • Infrastructure providers — hosting (Fly.io, Vercel) and database providers process data as part of running the Service.
  • Law enforcement — we may disclose data if required by valid legal process.

7. Security

We use industry-standard security practices including encrypted connections (TLS), password hashing (Argon2id), and signed session tokens. We conduct penetration testing on our own infrastructure. To report a security vulnerability, contact security@pentest-ai.example.

8. GDPR / Privacy Rights

If you are located in the European Economic Area or UK, you have rights under applicable data protection law including the right to access, correct, port, and erase your personal data, and to object to certain processing. To exercise these rights, contact us at the address in Section 9.

9. Contact

Privacy questions and data requests: privacy@pentest-ai.example. Security concerns: security@pentest-ai.example.