Privacy policy

Kevora Privacy Policy

This policy explains how Kevora uses data to operate CVE monitoring, watchlists, enrichment, alerts, account access, API access, billing configuration, and product security.

Last updated: April 29, 2026

Draft Status

This is an early-stage SaaS privacy policy for pre-production readiness. It is intended to match the current product state, but final legal review is recommended before production launch.

Who We Are

Kevora by Pulsebotics is operated by Pulsebotics. For privacy, security, or data protection questions, contact security@pulsebotics.io.

Data We Collect

  • Account data such as email address, organization name, role, verification state, and login timestamps.
  • Authentication and session data, including protected password hashes, CSRF/session state, idle-session metadata, and optional remember-me state.
  • Workspace data such as plan/tier information, watchlist entries, monitored products, CPE metadata, alert preferences, digest cadence, and usage counters.
  • API key metadata such as key name, prefix, status, timestamps, and protected hashes. Raw API keys are shown only at creation time and are not stored in plain text.
  • Security and application logs, including audit events and technical metadata such as IP address, user agent, route, timestamp, and request context where captured by the app or infrastructure.
  • Billing metadata if billing is configured, such as Stripe customer and subscription identifiers. Kevora does not store payment card numbers.

How We Use Data

  • Provide authenticated access to Kevora workspaces, dashboards, watchlists, alerts, and API features.
  • Authenticate users, protect accounts, enforce idle session timeout, and prevent unauthorized access.
  • Match vulnerability intelligence to organization watchlists and deliver configured alerts.
  • Maintain watchlists, alert preferences, plan/tier limits, API-key access, rate limits, and tenant isolation.
  • Improve reliability and security by diagnosing errors, investigating abuse, and maintaining audit records.
  • Process billing actions through Stripe if Stripe is configured for the deployment.
  • Comply with legal, security, and operational obligations.

Cookies And Storage

Kevora currently uses only essential first-party cookies: tp_session for session, security, CSRF, and flash-message state, and optional tp_remember when a user chooses remember-me login. Kevora does not currently use analytics, advertising, behavioral tracking, or cross-site tracking cookies. See the Cookie Notice for the current cookie inventory.

Sharing And Service Providers

Kevora does not sell personal data. Data may be processed by infrastructure, database, cache, queue, email, Slack, webhook, billing, logging, and security providers as needed to provide and protect the service. Public and authenticated pages may load static assets from CDN and font providers; those providers may receive normal browser request metadata. Kevora may also disclose data when required for legal, abuse-prevention, or security reasons.

Retention

Kevora keeps account, workspace, watchlist, alert, API-key metadata, billing metadata, and audit/security data while needed to provide the service, maintain security, comply with obligations, resolve disputes, and keep operational records. Exact retention periods may vary by data type and operational need. Authenticated users can use the dashboard Data & Privacy page for basic workspace data export and deletion controls.

Security

Kevora uses reasonable safeguards for its current stage, including tenant-scoped data access, hashed passwords, hashed API keys, CSRF protection, secure production cookie settings, rate limiting, audit logging, production configuration validation, and a server-enforced inactivity timeout for authenticated sessions. No online service can guarantee absolute security.

Your Choices And Rights

  • You can update watchlists, alert channels, API keys, and billing actions from the authenticated dashboard where available.
  • You can download a basic JSON export and delete a workspace from the authenticated Data & Privacy page where available.
  • You can request access, correction, deletion, export, restriction, objection, or portability help by contacting Pulsebotics.
  • Depending on where you live, you may have additional rights such as objection, restriction, portability, or complaint to a data protection authority.
  • You can block cookies in your browser, but login, dashboard access, CSRF-protected forms, and remember-me behavior may stop working.

C3 export/delete basics are implemented for authenticated workspace data. Requests involving legal exceptions, provider-side records, or data not available through self-service should be sent to security@pulsebotics.io.

International Use

Kevora may be accessed from different countries. Data may be processed in locations where Pulsebotics or its service providers operate. Region-specific rights and transfer requirements should be reviewed before production launch.

Changes And Contact

Kevora may update this Privacy Policy as the product changes. Material changes should be reflected here before launch or before the related feature is used in production. Contact security@pulsebotics.io with privacy or security questions.