Privacy Policy

Last updated: January 1, 2025

1. Introduction

Zoxrim, operated by FloodHacking LLC ("we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our cybersecurity platform, including our web application, API, and browser extensions (collectively, the "Service").

We built Zoxrim with privacy as a first principle. Security tools inherently handle sensitive data, and we take that responsibility seriously. We collect only what is necessary to deliver our service, we never sell your personal data, and we give you meaningful control over what you share with us.

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please discontinue use immediately and contact us to request deletion of any data we may hold about you.

2. Information We Collect

We collect information in the following categories:

  • Account information: Your email address, hashed password, and optional display name when you register. We do not collect your real name, phone number, or physical address unless you voluntarily provide them for billing purposes.
  • Scan data: When you submit a URL, email, or file for analysis, we store a one-way cryptographic hash (SHA-256) of the input — not the raw value itself. This lets us detect repeat submissions and build threat intelligence without storing your actual URLs or email content beyond the analysis window.
  • Device and technical information: IP address (truncated to /24 subnet after 24 hours), browser type, operating system, referring URL, and session identifiers. We use this data to detect abuse and improve service reliability.
  • Usage analytics: Anonymous, aggregated data about which features you use, scan volumes, and performance metrics. This data cannot be linked back to your individual account without additional information we do not retain.
  • Payment information: We do not store your credit card numbers or bank details. All payment data is handled directly by Stripe, Inc. We receive only a tokenized customer identifier and subscription status from Stripe.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing security analysis: Running threat detection algorithms, cross-referencing against threat intelligence feeds, and returning scan results to you in real time.
  • Improving our machine learning models: Aggregated, anonymized scan hashes help us train and refine our detection models. Individual user data is never used to train third-party AI services without your explicit consent.
  • Sending security alerts: If we detect a new threat that matches assets you are monitoring, we will notify you by email. You can opt out of non-critical alerts in your account settings.
  • Processing payments: We pass billing events to Stripe to manage your subscription, issue invoices, and process refunds.
  • Customer support and communications: Responding to your support tickets, sending product announcements (opt-in only), and sending transactional emails such as password resets.
  • Legal compliance and fraud prevention: Detecting and preventing abuse, complying with applicable law, and enforcing our Terms of Service.

4. Data Retention

We retain your data only as long as necessary for the purposes described in this policy:

  • Account data: Retained while your account is active, plus 30 days after closure to allow for reactivation. After that, all personal identifiers are permanently deleted.
  • Scan logs (Free tier): Scan hashes and results are retained for 90 days, then automatically purged.
  • Scan logs (Pro tier): Retained for 12 months to support historical threat analysis and compliance reporting. You can manually delete scan history at any time from your dashboard.
  • Email content submitted for analysis: The raw email body and headers are deleted immediately after the analysis completes. Only the resulting threat hash and classification are retained.
  • Server and access logs: Retained for 14 days for security monitoring, then automatically deleted.

5. Third-Party Services

We work with trusted third-party providers to deliver our Service. Each provider has access only to the data necessary for their specific function:

  • Stripe, Inc. — Payment processing. Stripe may collect your card details, billing address, and fraud-prevention signals. Their use of your data is governed by the Stripe Privacy Policy.
  • MongoDB Atlas (MongoDB, Inc.) — Primary database infrastructure. All data is encrypted at rest with AES-256.
  • Amazon Web Services (AWS) — Cloud infrastructure including compute, storage, and CDN. Data is processed primarily in the US-East region.
  • OpenAI, LLC — AI-powered threat analysis. We send anonymized threat indicators and context to OpenAI's API for classification. We have configured our account with OpenAI to disable training on our API submissions, and we do not send personally identifiable information in AI prompts.
  • Google Safe Browsing — We query Google's Safe Browsing API with hashed URL prefixes (not full URLs) to cross-reference known malicious domains.

6. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Ask us to correct inaccurate or incomplete data.
  • Deletion: Request permanent deletion of your account and associated data.
  • Portability: Export your data in a machine-readable JSON format via Settings → Export Data.
  • Opt-out: Unsubscribe from marketing communications at any time via the link in any email or via Settings → Notifications.

Users in the European Economic Area and California have additional rights under GDPR and CCPA respectively, detailed in our GDPR Rights page. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

7. Security

We implement industry-standard technical and organizational measures to protect your data:

  • Encryption at rest: All database data is encrypted using AES-256.
  • Encryption in transit: All connections to our API and web application are protected by TLS 1.3.
  • Access control: Employee access to production data is role-based, logged, and reviewed quarterly.
  • Security audits: We conduct penetration tests at least once per year and remediate critical findings within 30 days.

No system is completely secure. In the event of a data breach affecting your personal data, we will notify you and applicable supervisory authorities within 72 hours, as required by law.

8. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a user is under 16, we will immediately suspend their account and permanently delete all associated data. If you believe a child has provided us with personal information, please contact us at [email protected].

9. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — those that significantly affect your rights or our data practices — we will notify you by email at least 30 days before the changes take effect. The updated policy will be posted on this page with a revised "Last updated" date. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

10. Contact Us

For privacy-related questions, data requests, or concerns, please reach out to our Privacy team:

  • Email: [email protected]
  • Response time: Within 30 days
  • Company: FloodHacking LLC, registered in Delaware, USA