1. Introduction
This Privacy Policy describes how Konvu, Inc. ("Konvu," "we," "us," or "our") collects, uses, shares, and protects personal information when you:
- Visit our website at konvu.com (the "Site")
- Use Konvu's AI-powered vulnerability management platform (the "Service")
- Communicate with us through email, support channels, or events
For enterprise customers: If you have entered into a Master Subscription Agreement ("MSA") with Konvu, the Data Processing Agreement ("DPA") attached to the MSA governs our processing of personal data on your behalf as a data processor. In the event of any conflict between this Privacy Policy and the DPA, the DPA prevails with respect to the processing of Customer Data (as defined in the MSA).
If you have questions, please contact us at privacy@konvu.com.
2. Who We Are
Konvu, Inc. is a Delaware corporation with its registered office at:
1111B South Governors Avenue, STE 7673 Dover, Delaware 19904 United States
Konvu operates through its affiliate, Konvu SAS, incorporated in France. For the purposes of EU and UK data protection law, Konvu, Inc. is the data controller for personal information collected through the Site and Service, except where we process personal data on behalf of enterprise customers under a DPA (in which case the customer is the data controller).
Data Protection Officer: You can reach our Data Protection Officer at privacy@konvu.com or by post at the address above.
3. Information We Collect
3.1 Information You Provide
When you create an account, contact us, or subscribe to the Service, we may collect:
- Account data: your name, email address, and role within your organization (e.g., admin, member)
- Contact and inquiry data: your name, email address, job title, and company name when you submit a form, request a demo, or email us
- Payment data: billing address and payment method details, processed through our payment provider — we do not store full credit card numbers. Payment data is retained for the duration of your account and as required for tax and accounting purposes
3.2 Information Collected Through the Service
When your organization uses the Service, the following categories of personal data may be processed. These categories align with Annex I of our DPA:
- Vulnerability and scanner data: CVE identifiers, severity scores, affected package names and versions, and file paths ingested from customer-connected vulnerability scanners
- Code evidence data: minimal source code snippets retained as vulnerability evidence (configurable by the customer; full source code is retrieved temporarily and not persisted)
- Usage and analytics data: IP addresses, browser type, device identifiers, session identifiers, page views, feature interactions, and audit logs
- Communication data: email addresses and delivery metadata associated with transactional notifications and product alerts sent by the Service
- Incidental personal data: any personal data that may be present within code snippets, file paths, or other data provided to the Service
3.3 Information Collected Automatically on the Site
When you visit the Site, we automatically collect:
- Log data: IP address, browser type, operating system, referring URL, pages visited, and timestamps
- Device data: device type, screen resolution, and language preferences
- Analytics data: page interactions and navigation patterns, collected through cookies and similar technologies (see Section 7)
We do not collect precise geolocation data (such as GPS coordinates).
4. How We Use Your Information
We use personal information for the following purposes:
- Providing the Service: to operate, maintain, and deliver the vulnerability management platform, including AI-powered analysis
- Account management: to create and manage your account, authenticate your identity, and communicate with you about your account
- Customer support: to respond to your inquiries and resolve issues
- Service communications: to send transactional emails, product alerts, security notifications, and service updates
- Analytics and improvement: to understand how the Site and Service are used and to improve functionality, performance, and user experience
- Marketing: to send you information about Konvu's products and services where you have consented or where we have a legitimate interest to do so — you can opt out at any time
- Advertising: to measure the effectiveness of our marketing campaigns and serve relevant advertisements on third-party platforms (e.g., Google, LinkedIn) based on your visit to our Site, using cookies and similar technologies managed through our cookie consent banner. You can opt out through the cookie consent banner or the "Consent Preferences" link in the footer. For more information, see Section 7.
- Security: to detect, prevent, and respond to fraud, abuse, security incidents, and technical issues
- Legal compliance: to comply with applicable laws, regulations, and legal processes
We do not build our own behavioral profiles of individual users for the purpose of selling advertising, and we do not sell personal information.
5. Legal Bases for Processing (EEA, UK, and Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR:
| Processing activity | Legal basis |
|---|---|
| Providing the Service under the MSA | Performance of a contract |
| Account creation and management | Performance of a contract |
| Responding to demo requests and inquiries | Taking steps prior to entering a contract |
| Website analytics (Google Analytics, PostHog) | Consent (managed via cookie consent banner) |
| Security and fraud prevention (Cloudflare) | Legitimate interest (ensuring security) |
| Customer support | Legitimate interest (resolving issues) |
| Marketing communications | Consent (opt-in; withdrawable at any time) |
| Advertising cookies (Google Ads, LinkedIn, YouTube) | Consent (managed via cookie consent banner) |
| Website analytics (Customer.io) | Consent (managed via cookie consent banner) |
| Sales and outreach tools (Apollo.io) | Consent (managed via cookie consent banner) |
| Legal and regulatory compliance | Legal obligation |
Where consent is required for the placement of cookies under the ePrivacy Directive, our consent management platform (Termly) blocks non-essential cookies until you have made a choice. The legal bases above apply to our processing of the personal data collected through those technologies once consent has been given.
You may withdraw consent at any time by contacting privacy@konvu.com, using the unsubscribe link in any email, or adjusting your preferences through the cookie consent banner or the "Consent Preferences" link in the footer.
For enterprise customers, our processing of Customer Data as a data processor is governed by the DPA and is based on the customer's instructions and applicable legal basis.
6. AI-Powered Processing
The Service uses artificial intelligence, including third-party large language model ("LLM") providers, to analyze vulnerabilities and generate prioritization recommendations.
How it works: When the Service performs AI-powered analysis, Customer Data is submitted to the LLM provider for inference. The data is processed ephemerally — it is not retained by the LLM provider beyond the duration of the inference request.
No training on your data: Konvu does not use Customer Data to train, fine-tune, or improve any machine learning model, whether Konvu's own models or any third-party LLM. This commitment is contractually enforced through our agreements with LLM providers and reflected in our MSA (Section 9) and DPA (Section 4).
Where source code is involved: when the Service accesses customer source code, it is temporarily processed in an isolated environment and deleted upon completion of analysis. Only analytical outputs (Service Outputs) are retained — not the source code itself.
Our current LLM provider is OpenAI. Changes to LLM providers are governed by the sub-processor notification process described in the DPA and disclosed on our Trust Center.
7. Cookies and Analytics
7.1 Website Analytics and Tracking
We use the following analytics and tracking services on the Site:
- Google Tag Manager (GTM): to manage and deploy third-party scripts on the Site. GTM itself does not collect personal data, but it loads the services described below. For more information, see Google's Privacy Policy.
- Google Analytics: to understand how visitors interact with the Site, including page views, traffic sources, and engagement metrics. Google Analytics sets cookies on your device (e.g., _ga, _ga_#). You can opt out at tools.google.com/dlpage/gaoptout. For more information, see Google's Privacy Policy.
- Customer.io: to track page views and visitor interactions on the Site for marketing analytics. Customer.io sets cookies and local storage entries (e.g., ajs_anonymous_id, ajs_user_id) via its analytics library. For more information, see Customer.io's Privacy Policy.
- Google Ads: to measure the effectiveness of advertising campaigns and track conversions. Google Ads may set cookies on your device (e.g., _gcl_au). For more information, see Google Ads' Privacy Policy.
- LinkedIn: to measure advertising effectiveness and enable social networking features. LinkedIn sets cookies (e.g., bcookie, lidc, UserMatchHistory) for ad analytics and user tracking. For more information, see LinkedIn's Privacy Policy.
- YouTube: to deliver embedded video content on the Site. YouTube sets cookies (e.g., VISITOR_INFO1_LIVE, YSC) that may be used by Google to display targeted advertising. For more information, see YouTube's Privacy Policy.
- Apollo.io: to support sales and marketing outreach. Apollo.io sets cookies and local storage entries (e.g., apolloAnonId) and communicates with its event tracking domain. For more information, see Apollo.io's Privacy Policy.
- PostHog: to track visitor interactions on the Site and product usage within the Service. PostHog processes IP addresses, device identifiers, session data, and feature usage events. For more information, see PostHog's Privacy Policy.
- Adobe Analytics: third-party scripts on the Site (including LinkedIn and Apollo.io) may set cookies classified by our consent management platform as Adobe Analytics (e.g., s7) for gathering data about site usage and user behavior. For more information, see Adobe's Privacy Policy.
- Cloudflare: to provide bot protection and security for the Site. Cloudflare sets cookies (e.g., __cf_bm) on end-user devices to distinguish human visitors from bots. For more information, see Cloudflare's Privacy Policy.
7.2 Consent Management
We use Termly as our consent management platform. Termly displays the cookie consent banner on the Site, records your consent preferences, and blocks non-essential cookies until you have made a choice. Termly sets cookies and local storage entries (e.g., TERMLY_API_CACHE) to store your consent state. For more information, see Termly's Privacy Policy.
7.3 Your Cookie Choices
You can manage cookies through your browser settings, through the cookie consent banner on our Site, or by clicking the "Consent Preferences" link in the footer. Disabling cookies may affect the functionality of certain features. For detailed information about the specific cookies we use, see our Cookie Policy.
8. Who We Share Your Information With
We share personal information only as described below. We do not sell personal information.
8.1 Service Providers and Sub-processors
We use the following third-party providers to operate the Site and Service. For enterprise customers, the sub-processor list is maintained on our Trust Center and governed by the DPA (Section 6).
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, compute, storage, and database services | United States |
| OpenAI | LLM inference for AI-powered vulnerability analysis (ephemeral; no data retention) | United States |
| Customer.io | Transactional email delivery and website analytics | United States |
| PostHog | Website and product analytics | United States |
| Salesforce | Customer relationship management | United States |
| Help Scout | Customer support ticketing and communications | United States |
| Konvu SAS | Engineering, support, and operational services (Konvu affiliate) | France |
| Google Analytics | Website analytics (Site only) | United States |
| Google Ads | Advertising conversion measurement | United States |
| LinkedIn | Advertising analytics and social networking | United States |
| YouTube (Google) | Embedded video content | United States |
| Apollo.io | Sales and marketing outreach | United States |
| Cloudflare | Bot protection and security | United States |
| Termly | Cookie consent management | United States |
| Formspree | Form submission processing (Site only) | United States |
8.2 Other Disclosures
We may also disclose personal information:
- Legal requirements: to comply with applicable law, regulation, legal process, or government request
- Protection of rights: to enforce our agreements, protect our rights, privacy, safety, or property, and that of our users or the public
- Business transfers: in connection with a merger, acquisition, reorganization, or sale of assets, in which case the successor entity will be bound by this Privacy Policy
9. International Data Transfers
Konvu is based in the United States, and our primary infrastructure is hosted in the US. If you are located outside the United States, your personal information will be transferred to and processed in the United States.
For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on the following safeguards:
- EU Standard Contractual Clauses (SCCs): Module 2 (Controller to Processor) as approved by European Commission Implementing Decision (EU) 2021/914, incorporated into our DPA
- UK International Data Transfer Addendum (IDTA): as issued by the UK Information Commissioner's Office, appended to the SCCs where applicable
- Swiss Federal Act on Data Protection (FADP): references to GDPR in the SCCs are interpreted to include the FADP as applicable
Our DPA, available to enterprise customers upon request or through execution of the MSA, contains the full text of applicable transfer mechanisms. The competent supervisory authority for purposes of the SCCs is the Commission Nationale de l'Informatique et des Libertés (CNIL, France), anchored to our affiliate Konvu SAS.
Third-party cookie providers: Certain third-party services used on the Site (including Google, LinkedIn, YouTube, and Apollo.io) may transfer personal data to the United States or other countries outside the EEA. These providers rely on their own transfer mechanisms, including the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, or other approved safeguards. For details, refer to each provider's privacy policy as linked in Section 7.
10. Data Retention
We retain personal information only as long as necessary for the purposes described in this Privacy Policy:
- Account data: retained for the duration of your account and deleted or anonymized within thirty (30) days of a deletion request following account termination, unless retention is required by law
- Service data (Customer Data): retained for the duration of the Subscription Term. Upon termination, deleted or returned within thirty (30) days of the customer's written request, as specified in the MSA (Section 5.4) and DPA (Section 10)
- Backup copies: deleted no later than ninety (90) days following termination, in the ordinary course of backup rotation
- Website analytics data: retained in accordance with the respective analytics provider's retention settings (Google Analytics: 14 months; other providers: see their respective privacy policies)
- Cookie and advertising data: retained for the duration set by each cookie, as described in our Cookie Policy, or until you withdraw consent via the cookie consent banner
- Marketing and inquiry data: retained until you unsubscribe or request deletion, and in any case no longer than twenty-four (24) months after your last interaction with us
When retention is no longer necessary, we delete or anonymize personal information. Data retained for legal or compliance purposes is isolated from active processing and remains subject to the security and confidentiality obligations of this Privacy Policy.
11. Data Security
We maintain administrative, technical, and organizational security measures designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. Our security program is described in our Trust Center and includes measures such as encryption in transit and at rest, access controls, and regular security assessments.
No method of transmission or storage is completely secure. While we strive to protect your personal information, we cannot guarantee absolute security.
For details about our security practices and certifications, visit our Trust Center or contact us at privacy@konvu.com.
12. Your Privacy Rights (EEA, UK, and Switzerland)
If you are located in the EEA, UK, or Switzerland, you have the following rights under applicable data protection law:
- Access: request a copy of the personal information we hold about you
- Rectification: request correction of inaccurate or incomplete personal information
- Erasure: request deletion of your personal information where it is no longer necessary for the purposes for which it was collected
- Restriction: request that we restrict the processing of your personal information in certain circumstances
- Portability: receive your personal information in a structured, commonly used, machine-readable format
- Objection: object to processing based on legitimate interests, including for direct marketing purposes
- Withdraw consent: where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing
- Automated decision-making: not be subject to decisions based solely on automated processing that produce legal or similarly significant effects — if such processing occurs, we will inform you, explain the key factors, and provide a way to request human review
To exercise any of these rights, submit a Data Subject Access Request or contact us at privacy@konvu.com. We will respond within thirty (30) days, or within the timeframe required by applicable law.
If you believe we are processing your personal information unlawfully, you have the right to lodge a complaint with the supervisory authority in your member state of habitual residence, place of work, or place of alleged infringement.
13. US State Privacy Rights
This section applies to residents of states with comprehensive privacy laws, including California (CCPA/CPRA), Colorado, Connecticut, Virginia, and other states with applicable privacy legislation.
13.1 Your Rights
Depending on your state of residence, you may have the right to:
- Know what personal information we collect, use, and disclose
- Access and obtain a copy of your personal information
- Correct inaccuracies in your personal information
- Delete your personal information
- Opt out of the sale or sharing of your personal information
- Limit the use of sensitive personal information (we do not collect sensitive personal information as defined under the CCPA/CPRA)
- Not be discriminated against for exercising your rights
13.2 How We Handle Your Data
In the preceding twelve (12) months:
- Categories collected: identifiers (names, email addresses, IP addresses, cookie identifiers, device identifiers), professional information (job titles, company names), internet and network activity (browsing data, page interactions, feature usage, referral URLs), and geolocation data (IP-derived, not precise GPS)
- Categories of sources: directly from you (account creation, form submissions, emails), automatically through cookies and similar technologies when you visit the Site, from third-party advertising partners (Google, LinkedIn) who provide aggregated campaign performance data, and from sales tools (Apollo.io) that provide publicly available professional information
- Sensitive personal information: we do not knowingly collect sensitive personal information as defined under the CCPA/CPRA (e.g., Social Security numbers, financial account credentials, precise geolocation, racial or ethnic origin, health data, or biometric information)
- Sold: none — we do not sell personal information
- Shared for cross-context behavioral advertising: we share online identifiers and internet activity data with Google Ads and LinkedIn through advertising cookies for the purpose of measuring advertising effectiveness and serving relevant ads. You can opt out of this sharing by clicking the "Consent Preferences" or "Your Privacy Choices" link in the footer of our Site, or by emailing privacy@konvu.com
- Disclosed for a business purpose: personal information is disclosed to the service providers listed in Section 8.1, solely for the purposes described in this Privacy Policy
The following table maps each category of personal information to its business purpose and the categories of third parties that receive it:
| Category of PI | Business purpose | Third parties receiving |
|---|---|---|
| Identifiers (name, email address) | Account management, customer support, marketing, sales | Customer.io, Formspree, Salesforce, Help Scout, Apollo.io |
| Online identifiers (IP address, cookie IDs, device identifiers) | Website analytics, advertising, security | Google Analytics, Google Ads, LinkedIn, YouTube, Apollo.io, Customer.io, PostHog, Cloudflare, Termly |
| Professional information (job title, company) | Sales, marketing, customer support | Salesforce, Apollo.io, Customer.io, Formspree, Help Scout |
| Internet and network activity (browsing, page views, referral URLs) | Website analytics, advertising, Service improvement | Google Analytics, Google Ads, LinkedIn, YouTube, Customer.io, PostHog |
| Geolocation data (IP-derived, not precise) | Website analytics, security | Google Analytics, Cloudflare, PostHog |
| Payment data | Billing, account management | Payment provider (we do not store full card numbers) |
Customer Data processed on behalf of enterprise customers under a DPA is excluded from this table. In those cases, Konvu acts as a service provider (see Section 13.3), and the customer is responsible for their own CCPA disclosures.
13.3 CPRA Service Provider Commitment
Konvu processes personal information as a "service provider" (as defined under the CCPA/CPRA) on behalf of enterprise customers. We certify that we understand and will comply with the restrictions applicable to service providers, and will not sell, share, or use personal information for purposes other than performing the services specified in the MSA, except as permitted by the CCPA/CPRA.
13.4 Right to Opt Out of Sale and Sharing
We do not sell personal information. We do share personal information with third-party advertising services (Google Ads, LinkedIn) through cookies, as described in Section 7. To opt out of this sharing:
- Click the "Consent Preferences" or "Your Privacy Choices" link in the footer of our Site
- Email us at privacy@konvu.com
We honor Global Privacy Control (GPC) signals. If your browser or device sends a GPC signal, we treat it as a valid opt-out of sharing for that browser or device.
We will process opt-out requests within fifteen (15) business days. We will not discriminate against you for exercising this right.
13.5 Exercising Your Rights
To exercise your rights, submit a Data Subject Access Request or contact us at privacy@konvu.com. We will verify your identity before processing your request and respond within forty-five (45) calendar days. If we need additional time, we will notify you of an extension of up to forty-five (45) additional calendar days.
You may designate an authorized agent to submit a request on your behalf, provided the agent submits proof of authorization.
If we decline your request, you may appeal by emailing privacy@konvu.com. We will respond in writing with our reasons within sixty (60) days. If the appeal is denied, you may contact your state attorney general.
14. Children's Privacy
The Site and Service are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child under 18, please contact us at privacy@konvu.com and we will take steps to delete it promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will indicate the date of the most recent update at the top of this page. For material changes, we will provide prominent notice on the Site or notify you by email.
We encourage you to review this Privacy Policy periodically.
16. Contact Us
If you have questions about this Privacy Policy, want to exercise your privacy rights, or wish to make a complaint, please contact us:
Data Protection Officer
Konvu, Inc.
1111B South Governors Avenue, STE 7673
Dover, Delaware 19904
United States
Email: privacy@konvu.com
For enterprise customers seeking a copy of our DPA or information about our security practices, please visit our Trust Center or contact privacy@konvu.com.