Privacy Policy
Effective: April 11, 2026
This Privacy Policy explains how cvebase.io (we, us) collects, uses, and protects personal data when you use our website, API, and MCP server. It is designed to comply with the EU General Data Protection Regulation 2016/679 (GDPR) and the Czech Act No. 110/2019 Coll. on personal data processing.
1. Data controller
The controller of your personal data is:
No Data Protection Officer has been appointed as the processing we carry out does not meet the thresholds that make a DPO mandatory under GDPR Article 37.
2. What personal data we collect
Account data
When you sign in via GitHub or Google, we receive your email address, display name, and profile picture URL from the identity provider. We also record which provider you used and the timestamp of account creation. This data is stored in our users table.
Billing data
If you subscribe to a paid plan we receive from Stripe a customer ID, subscription ID, plan tier, subscription status, trial end date, and period boundaries. We do not store full payment card numbers, CVVs, or bank account details — Stripe holds these and they never pass through our servers. See Stripe's own privacy policy at stripe.com/privacy.
Usage data
Each search or API call is logged with: the query, which sources were matched, the top results returned, response latency, HTTP status, the rate-limit tier the request was counted against, and (for signed-in users) your account email. These logs support service reliability, rate-limit enforcement, and improvements to the ranking model.
Click events
Your interactions with search results — which result you expanded, which CVE pages you visited after a search — are logged to improve ranking quality for future searches. These events are correlated to your account email while you are signed in, and to a rotating session identifier when you are not.
Bookmarks and alerts
CVEs and search queries you bookmark, along with any alerts you enable on them, are stored against your account so we can display them in your dashboard and send you digest emails when applicable.
API keys
If you create API keys, we store a hash of each key, the prefix (first few characters — for display only), the human-readable name you give it, creation and last-used timestamps, and per-key daily request counters.
Rate-limit counters
We store short-lived rate-limit counters in Redis keyed by your IP address (for anonymous traffic), your email (for signed-in traffic), or your API key ID. These counters use a rolling 24-hour sliding window and expire automatically.
Technical data
Our hosting provider's edge (Cloudflare) and our own servers log standard request metadata — IP address, user agent, referrer, timestamp — for security monitoring and abuse prevention. These logs are typically retained for up to 30 days.
3. Why we process it (legal basis)
Under GDPR Article 6, every processing activity needs a legal basis. The table below maps what we do to the basis we rely on:
| Processing | Legal basis |
|---|---|
| Creating and operating your account | Performance of a contract (Art. 6(1)(b)) |
| Billing and subscription management | Performance of a contract (Art. 6(1)(b)) |
| Rate-limit enforcement, abuse prevention, fraud detection | Legitimate interests (Art. 6(1)(f)) |
| Improving search ranking and product quality | Legitimate interests (Art. 6(1)(f)) |
| Sending daily CVE alert emails on your bookmarks | Performance of a contract (Art. 6(1)(b)) — you enabled the alerts yourself |
| Keeping tax and accounting records for paid subscriptions | Legal obligation (Art. 6(1)(c)) — Czech Act No. 563/1991 Coll. requires ten-year retention |
4. How long we keep it
- Account data — for as long as your account exists. Upon deletion request we remove personally identifying fields within 30 days (the delay allows us to reverse accidental deletions).
- Billing records — ten (10) years, as required by Czech Act No. 563/1991 Coll. on accounting. This supersedes any other deletion request for the specific records needed for tax compliance.
- Search and click logs — up to six (6) months in raw form, after which we aggregate them into anonymous statistics that cannot be tied back to you.
- Rate-limit counters — automatically expire after 24 hours from the last request.
- Edge access logs (Cloudflare, our own servers) — up to 30 days.
- Bookmarks and alerts — until you delete them or your account.
- API keys — kept in hashed form until you explicitly revoke them; the revocation timestamp is retained indefinitely for audit purposes.
5. Who we share it with (subprocessors)
We do not sell your personal data. We share it only with the following service providers (subprocessors) that help us run the Service:
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting (servers, databases, Qdrant index) | Germany |
| Cloudflare, Inc. | DNS, CDN, DDoS protection at the edge | EU / US (SCC) |
| Stripe Payments Europe, Ltd. | Payment processing and billing | Ireland |
| Resend, Inc. | Transactional and digest email delivery | US (SCC) |
| Google LLC | OAuth sign-in (only when you choose Google) | US (SCC) |
| GitHub, Inc. (Microsoft) | OAuth sign-in (only when you choose GitHub) | US (SCC) |
Transfers of personal data outside the European Economic Area are carried out under the European Commission's Standard Contractual Clauses (SCC) or equivalent safeguards adopted by each provider.
6. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectification of inaccurate or incomplete data (Art. 16)
- Erasure ("right to be forgotten") — subject to our retention obligations for billing records (Art. 17)
- Restriction of processing in specific circumstances (Art. 18)
- Data portability — receive your data in a structured, commonly used format (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw any consent you have given at any time, without affecting the lawfulness of processing before the withdrawal
- Lodge a complaint with a supervisory authority. In the Czech Republic that is the Office for Personal Data Protection (ÚOOÚ).
To exercise any of these rights, write to [email protected]. We will respond within one month of receiving your request, as required by Article 12.
7. Cookies
We use only strictly necessary cookies — specifically the session cookie that keeps you signed in via NextAuth. We do not set any analytics, advertising, or tracking cookies, and we do not share cookie data with advertising networks. Because our cookie use is limited to what is necessary for the Service to function, no cookie consent banner is legally required.
8. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS 1.3), hashed API keys (SHA-256), least-privilege access to infrastructure, and isolation of payment data via Stripe. No system is perfectly secure — if you become aware of a potential vulnerability in the Service, please report it responsibly to [email protected].
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or by a prominent notice on the Service at least 30 days before they take effect.