Skip to main content

Privacy Policy

Last updated: July 14, 2026

Vulkro is built around a simple promise: your source code and your scan results never leave your machine. This policy explains exactly what data we receive, what we never receive, and how we handle the narrow set of information we do collect (almost entirely for billing and support).

This policy applies to use of the Vulkro binary, the Vulkro web UI (vulkro serve), the website at vulkro.com, and our content delivery network at dist.vulkro.com.

What Vulkro never collects

The Vulkro binary, when running on your machine, does not transmit any of the following to us:

  • Your source code
  • Scan results, finding details, or rule-pack matches
  • Endpoint inventory or API surface
  • Names of files, modules, packages, or contributors
  • Environment variables or secrets discovered during scans
  • Crash reports or feature-use analytics
  • Any hardware fingerprint or identifier beyond the random installation identifier described below and what is explicitly stored locally in ~/.vulkro/

Vulkro never calls a cloud LLM API, never uploads scan output to a SaaS dashboard, and never sends a "diagnostic" of any kind home. This is not a configuration toggle; it is how the product is built.

The one piece of usage data the binary does transmit is the account entitlement refresh described in the next section. It contains exactly six fields: product, installation identifier (a random ID, not a hardware fingerprint), version, operating system, timestamp, and a count of scans run. It never contains anything from the list above.

Network calls the binary does make

Vulkro makes the following outbound HTTPS calls in normal operation:

CallWhenWhat flows
GET dist.vulkro.com/install.shDuring installThe installer script
GET dist.vulkro.com/releases/v*/vulkro-...During installThe platform-specific binary
POST api.vulkro.com/v1/downloadsOnce, at the end of installThe anonymous install-completion ping: only product, operating system, and version. See below.
GET dist.vulkro.com/cve/manifest.jsonOn vulkro updateSigned CVE manifest
GET dist.vulkro.com/cve/.../cves.vkbundleOn vulkro updateSigned CVE bundle
Account sign-inOn vulkro loginA sign-in exchange with the Vulkro license service that returns a signed lease; never code, paths, or findings
Entitlement refreshAbout once a day while signed inThe six usage fields listed above; never code, paths, or findings

All of them can be disabled. To run fully offline, set VULKRO_OFFLINE=1, use a license file in place of the online sign-in (it satisfies the account requirement with no network access), pass --no-cve-update during install, and deliver CVE bundles via USB, mirror, or internal package feed.

These calls hit our CDN over HTTPS. We do see standard request metadata (IP address, user agent, timestamp, requested object). We do not log these requests in a personally-identifying way, do not correlate them across requests, and do not use them for analytics.

The anonymous install-completion ping

At the very end of a successful install, the install script sends a single, anonymous, best-effort ping so we can count installs, the same way Homebrew counts installs with its own analytics. This is install-count telemetry from the installer script, and it is distinct from the scanner binary, which never transmits your code (see the promise at the top of this policy).

The ping is one HTTPS POST to https://api.vulkro.com/v1/downloads carrying exactly three fields:

  • product (which installer ran: for example vulkro, vulkro-sf, or vulkro-live)
  • operating system (the platform build that was installed, for example mac-arm64 or linux-x64)
  • version (the release tag that was installed)

That is the whole payload. It is not the six-field entitlement heartbeat described above, and unlike the heartbeat it carries no installation identifier, no scan count, and no timestamp of your choosing. Specifically, the install ping:

  • Carries no source code, no scan results, no file or package paths, and no PII of any kind.
  • Fires once, at install time only. It is not a recurring beacon and the installed binary never repeats it.
  • Involves no IP retention: we do not store the source IP of the ping and do not use it to identify or profile you.

To disable it entirely, set VULKRO_NO_ANALYTICS=1 (any value works) or VULKRO_OFFLINE before running the installer, or override the endpoint with VULKRO_ANALYTICS_URL. The install script prints one line telling you the metric was sent and how to opt out. Opting out skips the ping completely; nothing is sent.

What we do collect, and why

We collect the minimum needed to bill you and support you:

When you purchase a license

Our payment processor receives your name, billing address, email, and payment instrument. Our processor is Paddle.com Inc. (or its local subsidiary), acting as our merchant of record. Paddle handles PCI-DSS-compliant payment processing, tax remittance in your jurisdiction, and invoicing.

What we receive from Paddle is limited to: your email address, the plan you purchased, the order total, and the timestamp. We use this to issue your .lic license file and to send you renewal notifications.

When we issue your license

When the payment webhook fires, we sign and email you a .lic file containing:

  • Your name (cosmetic, shown in vulkro activate output)
  • Your machine ID (provided by you at checkout)
  • The product tier and expiry date
  • An Ed25519 signature over the above payload

The signing key is stored in our infrastructure (Cloudflare R2, encrypted at rest). It never leaves the issuing system. You receive only the signed .lic.

When you email us

If you write to support@, billing@, hello@, or contact@, we receive your email, the content of your message, and any attachments. We use this to respond to you and to keep a record of the correspondence. Inboxes are accessible only to Vulkro staff.

When you visit our website

The website at vulkro.com is served by Cloudflare Pages. Cloudflare processes standard request metadata (IP, user agent) for security and abuse prevention. For traffic measurement we use Cloudflare Web Analytics, which is cookieless and first-party: it counts aggregate page views only. It sets no cookies, does not fingerprint you, and does not build a cross-site profile of you. There are no third-party trackers on this site: no Google Analytics, no Plausible, no Mixpanel, no Segment, no Facebook pixel, no LinkedIn pixel, and no ad network.

Data we store

DataWhere storedRetention
Customer email, name, machine ID, license expiryCloudflare D1 (encrypted at rest)For the active Pro license + 6 years (Indian tax record requirement). Free-tier installs that never purchase generate no records here.
Payment recordsPaddle.comPer Paddle's retention policy. None for Free-tier users.
Email correspondenceEmail provider inboxIndefinitely unless you request deletion
Issued .lic filesCloudflare R2 (private bucket)For the active Pro license. None for Free-tier users.
Signing keys (private)Cloudflare R2 (private bucket)Until rotated

Your rights

Depending on where you live, you may have rights under GDPR, the UK GDPR, the CCPA, India's DPDP Act, or similar laws:

  • Access: ask what data we have about you
  • Rectification: correct inaccurate data
  • Erasure: request deletion (subject to legal record-keeping)
  • Portability: receive your data in a portable format
  • Objection: object to specific processing

To exercise any of these, email hello@vulkro.com. We respond within 30 days.

Children's privacy

Vulkro is a B2B developer tool. It is not directed at children under 16, and we do not knowingly collect data from children.

Subprocessors

We use a small number of third-party services to operate Vulkro:

ServicePurposeRegion
Cloudflare (Pages, R2, D1, Workers)Website hosting, binary distribution, database, license issuanceGlobal
Paddle.com Inc.Payment processing, tax remittance, invoicingGlobal
Resend (or comparable)Transactional email for license deliveryEU / US
Email providerCustomer support inboxProvider's region

We do not share customer data with any party other than these subprocessors, and only to the extent each one needs the data to perform its function.

Changes to this policy

We may update this policy from time to time. Material changes will be announced on our website at least 30 days before they take effect.

Contact

Privacy questions, data-rights requests, or anything else: hello@vulkro.com.