HunterLabs Solutions, Inc. ("HunterLabs," "we," "our," or "us") operates HunterVault, a breach intelligence platform. This Privacy Policy explains how we collect, use, store, and protect information about you when you use HunterVault. By accessing or using HunterVault, you agree to the practices described in this policy.
For questions or concerns, contact us at contact@hunterlabs.solutions.
1. Information We Collect
We collect information you provide directly and information generated by your use of the platform:
Account Information
- Email address — used for authentication, notifications, and account management
- Display name — optional, used for personalisation within the platform
- Notification email — a separate address you may designate for breach alerts
Monitored Assets
- Email addresses, domain names, usernames, phone numbers, IP addresses, and other identifiers you submit for monitoring
- These assets are queried against external breach intelligence sources solely on your behalf
Activity & Security Data
- Login history: IP address, browser user-agent, and timestamp of each authentication attempt
- Query logs: search terms, search types, and timestamps (can be disabled in account settings)
- Password search queries are always logged in full (plaintext) regardless of your logging setting, as required for security audit purposes
- Session tokens used to enforce single-session security
- In-app notifications generated by breach detection events
Technical Data
- IP address of requests for rate-limiting and abuse prevention
- Subscription status and feature flags associated with your account
- API key (a unique random token) for Enterprise/Custom API access — treat your API key like a password
- Remember-me preference — if enabled, a persistent authentication token is stored in your browser for up to 2 weeks to keep you signed in across browser restarts
2. How We Use Your Information
- Authentication: We use your email address to deliver one-time access codes (OTP) for passwordless login.
- Breach Monitoring: Your monitored assets are queried against third-party breach intelligence APIs to detect exposure. Results are stored and associated with your account.
- Alerts & Digests: We send breach notification emails to your registered or notification email address.
- Security: Login history and session tokens are used to detect unauthorised access and enforce single-session policies.
- Platform Operation: Subscription data, feature flags, and query logs allow us to enforce plan limits and service usage.
- Audit Compliance: Admin actions are logged for accountability and are not shared outside HunterLabs.
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
3. Third-Party Intelligence Services
When you perform a query or when the monitoring system scans your assets, your monitored values are transmitted to one or more proprietary breach intelligence networks that HunterLabs Solutions, Inc. has contracted with under confidentiality agreements. The specific providers are not disclosed publicly.
In all cases we:
- Transmit only the minimum information necessary (the search term and type) to fulfil the query
- Do not share your account identity, name, or other personal data with these intelligence networks
- Limit which networks are queried based on your subscription plan
For questions about our intelligence partnerships, contact contact@hunterlabs.solutions.
4. Data Storage & Security
HunterVault stores data in a PostgreSQL database. We implement the following security measures:
- Passwordless authentication via time-limited one-time codes (OTP, 10-minute expiry)
- Anti-phishing phrase system to help you verify the authenticity of HunterVault emails
- Account lockout after 5 consecutive failed OTP attempts (30-minute lockout)
- Single-session enforcement — a server-side session token is validated on every request; signing in elsewhere immediately invalidates your prior session
- Automatic session expiry after 15 minutes of browser inactivity (for sessions without the "Remember me" option); a warning modal is shown 2 minutes before expiry
- Session fixation prevention — the pre-authentication session is cleared and rebuilt on every successful login
- Encrypted transport (HTTPS) in production environments
- Rate limiting on all authentication and data-access endpoints
- CSRF protection on all state-changing requests
- Input sanitisation to prevent injection attacks
- Non-root containerised application deployment via Docker
- SSRF prevention on user-submitted URLs (origin verification rejects private, loopback, and reserved IP ranges)
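As an added illustration (not HunterVault's own code) of the origin verification described in the SSRF bullet above: a Python check that refuses a user-submitted URL whose host is, or resolves to, a private, loopback, link-local, multicast, reserved or unspecified address, including IPv4-mapped IPv6 forms. The `resolver` parameter and the hostnames used in the test are assumptions so the check can run offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}  # assumed policy: only web URLs are fetched


def ip_is_blocked(ip_str: str) -> bool:
    """True if the address belongs to a range the fetcher must never contact."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True  # unparseable address: fail closed
    # ::ffff:10.0.0.1 is really 10.0.0.1, so check the embedded IPv4 address
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def verify_origin(url: str, resolver=socket.getaddrinfo) -> bool:
    """Origin verification: accept a URL only if its host is publicly routable.
    `resolver` is injectable (assumed test hook) so the check runs without DNS."""
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme not in ALLOWED_SCHEMES or not host:
        return False
    try:
        ipaddress.ip_address(host)
        is_literal = True  # literal IP in the URL: no lookup needed
    except ValueError:
        is_literal = False
    if is_literal:
        return not ip_is_blocked(host)
    try:
        infos = resolver(host, parsed.port or 80)
    except OSError:
        return False  # resolution failure: fail closed
    addrs = {info[4][0] for info in infos}
    # A host that resolves to both a public and an internal address is not
    # trusted: every answer must pass, not just the first one.
    return bool(addrs) and not any(ip_is_blocked(a) for a in addrs)
```

Because DNS answers can change between this check and the actual request, the fetcher should connect to the address that was validated rather than re-resolving the hostname.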
No system is perfectly secure. In the event of a data breach affecting your account, we will notify you at your registered email address as promptly as practicable.
5. Data Retention
- Breach results are retained for the duration of your active account. Results associated with a monitored asset are deleted when that asset is removed from monitoring or when a plan downgrade removes it.
- Query logs can be disabled at any time in your account settings. Existing logs are retained for up to 90 days after disabling, then automatically purged. Password query logs are retained regardless of your logging setting.
- Login history is retained for 12 months.
- Monitoring scan jobs — the last 500 monitoring job records are retained; older records are pruned automatically.
- In-app notifications — the most recent 100 notifications per user are retained; older notifications are pruned automatically.
- Remember-me cookie — if you enable the "Remember me" option, a persistent browser cookie is stored for up to 2 weeks. It is invalidated when you sign out or when your session is terminated by an administrator.
- OTP codes are cleared from the database immediately after use or upon expiry (10 minutes).
- Account data is deleted within 30 days of account deletion by an administrator.
6. Your Rights
Depending on your jurisdiction, you may have rights including:
- Access to personal data we hold about you
- Correction of inaccurate data
- Deletion of your account and associated data
- Restriction or objection to certain processing
- Data portability
To exercise any of these rights, contact contact@hunterlabs.solutions. We will respond within 30 days.
7. Cookies & Local Storage
HunterVault uses:
- Session cookie (session): Stores your authenticated session state. Attributes: HttpOnly, SameSite=Lax, Secure (in production). Expires when the browser session ends (or after 15 minutes of inactivity on the server side).
- Remember-me cookie (remember_token): Set only when you tick "Remember me for 2 weeks" on the sign-in page. Persists your authentication across browser restarts for up to 14 days. Attributes: HttpOnly, SameSite=Lax, Secure (in production). Cleared on explicit sign-out or admin-initiated session termination. Do not enable this on shared or public devices.
- hCaptcha cookies: Set by the hCaptcha widget on the sign-in page to verify you are human. Governed by hCaptcha's Privacy Policy.
- Browser localStorage: Stores UI preferences (e.g. sidebar state). Contains no personal data and is never transmitted to our servers.
We do not use advertising cookies, analytics cookies, or third-party tracking scripts beyond hCaptcha on the sign-in page.
8. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when the most recent changes were made. Continued use of HunterVault after changes are posted constitutes your acceptance of the revised policy.
9. Contact
HunterLabs Solutions, Inc.
Email: contact@hunterlabs.solutions