Privacy Policy
Last updated: July 14, 2026
Vulkro is built around a simple promise: your source code and your scan results never leave your machine. This policy explains exactly what data we receive, what we never receive, and how we handle the narrow set of information we do collect (almost entirely for billing and support).
This policy applies to use of the Vulkro binary, the Vulkro web UI
(vulkro serve), the website at vulkro.com,
and our content delivery network at
dist.vulkro.com.
What Vulkro never collects
The Vulkro binary, when running on your machine, does not transmit any of the following to us:
- Your source code
- Scan results, finding details, or rule-pack matches
- Endpoint inventory or API surface
- Names of files, modules, packages, or contributors
- Environment variables or secrets discovered during scans
- Crash reports or feature-use analytics
- Any hardware fingerprint or identifier beyond the random
installation identifier described below and what is explicitly
stored locally in
~/.vulkro/
Vulkro never calls a cloud LLM API, never uploads scan output to a SaaS dashboard, and never sends a "diagnostic" of any kind home. This is not a configuration toggle; it is how the product is built.
The one piece of usage data the binary does transmit is the account entitlement refresh described in the next section. It contains exactly six fields: product, installation identifier (a random ID, not a hardware fingerprint), version, operating system, timestamp, and a count of scans run. It never contains anything from the list above.
Network calls the binary does make
Vulkro makes the following outbound HTTPS calls in normal operation:
| Call | When | What flows |
|---|---|---|
GET dist.vulkro.com/install.sh | During install | The installer script |
GET dist.vulkro.com/releases/v*/vulkro-... | During install | The platform-specific binary |
POST api.vulkro.com/v1/downloads | Once, at the end of install | The anonymous install-completion ping: only product, operating system, and version. See below. |
GET dist.vulkro.com/cve/manifest.json | On vulkro update | Signed CVE manifest |
GET dist.vulkro.com/cve/.../cves.vkbundle | On vulkro update | Signed CVE bundle |
| Account sign-in | On vulkro login | A sign-in exchange with the Vulkro license service that returns a signed lease; never code, paths, or findings |
| Entitlement refresh | About once a day while signed in | The six usage fields listed above; never code, paths, or findings |
All of them can be disabled. To run fully offline, set
VULKRO_OFFLINE=1, use a license file in place of the online
sign-in (it satisfies the account requirement with no network
access), pass --no-cve-update during install, and deliver CVE
bundles via USB, mirror, or internal package feed.
These calls hit our CDN over HTTPS. We do see standard request metadata (IP address, user agent, timestamp, requested object). We do not log these requests in a personally-identifying way, do not correlate them across requests, and do not use them for analytics.
The anonymous install-completion ping
At the very end of a successful install, the install script sends a single, anonymous, best-effort ping so we can count installs, the same way Homebrew counts installs with its own analytics. This is install-count telemetry from the installer script, and it is distinct from the scanner binary, which never transmits your code (see the promise at the top of this policy).
The ping is one HTTPS POST to https://api.vulkro.com/v1/downloads
carrying exactly three fields:
- product (which installer ran: for example
vulkro,vulkro-sf, orvulkro-live) - operating system (the platform build that was installed, for
example
mac-arm64orlinux-x64) - version (the release tag that was installed)
That is the whole payload. It is not the six-field entitlement heartbeat described above, and unlike the heartbeat it carries no installation identifier, no scan count, and no timestamp of your choosing. Specifically, the install ping:
- Carries no source code, no scan results, no file or package paths, and no PII of any kind.
- Fires once, at install time only. It is not a recurring beacon and the installed binary never repeats it.
- Involves no IP retention: we do not store the source IP of the ping and do not use it to identify or profile you.
To disable it entirely, set VULKRO_NO_ANALYTICS=1 (any value works)
or VULKRO_OFFLINE before running the installer, or override the
endpoint with VULKRO_ANALYTICS_URL. The install script prints one
line telling you the metric was sent and how to opt out. Opting out
skips the ping completely; nothing is sent.
What we do collect, and why
We collect the minimum needed to bill you and support you:
When you purchase a license
Our payment processor receives your name, billing address, email, and payment instrument. Our processor is Paddle.com Inc. (or its local subsidiary), acting as our merchant of record. Paddle handles PCI-DSS-compliant payment processing, tax remittance in your jurisdiction, and invoicing.
What we receive from Paddle is limited to: your email address, the
plan you purchased, the order total, and the timestamp. We use this
to issue your .lic license file and to send you renewal
notifications.
When we issue your license
When the payment webhook fires, we sign and email you a .lic file
containing:
- Your name (cosmetic, shown in
vulkro activateoutput) - Your machine ID (provided by you at checkout)
- The product tier and expiry date
- An Ed25519 signature over the above payload
The signing key is stored in our infrastructure (Cloudflare R2,
encrypted at rest). It never leaves the issuing system. You receive
only the signed .lic.
When you email us
If you write to support@, billing@, hello@, or contact@, we
receive your email, the content of your message, and any attachments.
We use this to respond to you and to keep a record of the
correspondence. Inboxes are accessible only to Vulkro staff.
When you visit our website
The website at vulkro.com is served by Cloudflare Pages. Cloudflare
processes standard request metadata (IP, user agent) for security
and abuse prevention. For traffic measurement we use Cloudflare Web
Analytics, which is cookieless and first-party: it counts aggregate
page views only. It sets no cookies, does not fingerprint you, and
does not build a cross-site profile of you. There are no third-party
trackers on this site: no Google Analytics, no Plausible, no Mixpanel,
no Segment, no Facebook pixel, no LinkedIn pixel, and no ad network.
Data we store
| Data | Where stored | Retention |
|---|---|---|
| Customer email, name, machine ID, license expiry | Cloudflare D1 (encrypted at rest) | For the active Pro license + 6 years (Indian tax record requirement). Free-tier installs that never purchase generate no records here. |
| Payment records | Paddle.com | Per Paddle's retention policy. None for Free-tier users. |
| Email correspondence | Email provider inbox | Indefinitely unless you request deletion |
Issued .lic files | Cloudflare R2 (private bucket) | For the active Pro license. None for Free-tier users. |
| Signing keys (private) | Cloudflare R2 (private bucket) | Until rotated |
Your rights
Depending on where you live, you may have rights under GDPR, the UK GDPR, the CCPA, India's DPDP Act, or similar laws:
- Access: ask what data we have about you
- Rectification: correct inaccurate data
- Erasure: request deletion (subject to legal record-keeping)
- Portability: receive your data in a portable format
- Objection: object to specific processing
To exercise any of these, email hello@vulkro.com. We respond
within 30 days.
Children's privacy
Vulkro is a B2B developer tool. It is not directed at children under 16, and we do not knowingly collect data from children.
Subprocessors
We use a small number of third-party services to operate Vulkro:
| Service | Purpose | Region |
|---|---|---|
| Cloudflare (Pages, R2, D1, Workers) | Website hosting, binary distribution, database, license issuance | Global |
| Paddle.com Inc. | Payment processing, tax remittance, invoicing | Global |
| Resend (or comparable) | Transactional email for license delivery | EU / US |
| Email provider | Customer support inbox | Provider's region |
We do not share customer data with any party other than these subprocessors, and only to the extent each one needs the data to perform its function.
Changes to this policy
We may update this policy from time to time. Material changes will be announced on our website at least 30 days before they take effect.
Contact
Privacy questions, data-rights requests, or anything else:
hello@vulkro.com.