{P}eelSec

Privacy Policy

Effective: January 13, 2026 | Updated: January 13, 2026

1. Introduction

{P}eelSec ("we," "us," or "our") is a threat intelligence aggregation platform that helps security professionals, developers, and businesses stay informed about CVEs, data breaches, malware campaigns, and security news from multiple sources in one unified interface. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

By using {P}eelSec, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use our service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (if provided)
  • Password (hashed and salted, never stored in plain text)
  • OAuth tokens when you sign in with Google or GitHub (we do not store your OAuth provider passwords)

2.2 Tech Stack Profile

To personalize threat alerts, you may optionally provide information about your technology stack:

  • Programming languages you use (Python, JavaScript, Go, etc.)
  • Frameworks (React, Django, Spring, etc.)
  • Cloud providers (AWS, Azure, GCP)
  • Databases (PostgreSQL, MySQL, MongoDB, etc.)
  • Domains and email addresses for breach monitoring

This information is used solely to prioritize and personalize threat alerts relevant to your environment.

2.3 Connector Credentials

To connect to optional threat intelligence APIs (such as Have I Been Pwned, Shodan, or VirusTotal), you may provide API credentials. These credentials are:

  • Encrypted at rest using AES-256-GCM encryption
  • Used only to fetch data from services you configure
  • Never shared with third parties
  • Deletable at any time through your account settings

2.4 Usage Data

We automatically collect certain information when you use our service:

  • Threat feed browsing history and saved searches
  • Feed monitor configurations
  • User preferences (theme, view settings)
  • Favorite feeds and saved threat items
  • Investigation room queries and notes

2.5 Session and Authentication Data

  • Session tokens and authentication state
  • Login timestamps and session duration
  • IP addresses (for security and rate limiting)

2.6 AI Feature Data

If you use our AI-powered features (Investigation Room, Ask AI):

  • Your team may configure an OpenAI API key (stored encrypted)
  • Prompts and selected threat data are sent to OpenAI for analysis
  • We track AI usage counts for tier limits but do not permanently store AI conversation content
  • AI responses are cached temporarily to improve performance

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain our threat intelligence service
  • Aggregate and display threat data from configured sources
  • Personalize threat alerts based on your tech stack profile
  • Run scheduled monitors and send notifications about new threats
  • Authenticate your identity and manage your account
  • Process your requests and respond to inquiries
  • Send transactional emails (verification, password reset, threat alerts)
  • Generate AI-powered threat analysis and weekly intelligence briefings
  • Monitor and analyze usage patterns to improve our service
  • Detect, prevent, and address technical issues and security threats
  • Enforce our Terms of Service and comply with legal obligations

4. Data Retention

We retain your data for the following periods:

  • Threat feed history: 7 to 90 days depending on your subscription tier
  • Account information: Until you delete your account
  • Connector credentials: Until you disconnect the connector or delete your account
  • Notifications: 30 days
  • Session data: Until session expires or you log out
  • Investigation notes: Until manually deleted or account deletion

You can request deletion of your account and associated data at any time by contacting us.

5. Third-Party Services

We use the following third-party services to operate our platform:

5.1 Infrastructure

  • Neon: PostgreSQL database hosting (data stored encrypted at rest)
  • Vercel: Application hosting and deployment

5.2 Communications

  • Resend: Transactional email delivery (verification, notifications, alerts)

5.3 Authentication Providers

  • Google: OAuth sign-in (if you choose to sign in with Google)
  • GitHub: OAuth sign-in (if you choose to sign in with GitHub)

5.4 AI Services

  • OpenAI: AI analysis features use OpenAI's API for threat intelligence summaries

5.5 Threat Intelligence Sources

We aggregate threat data from various public and API-based sources including RSS feeds, CVE databases (NIST NVD, GitHub Advisories, CISA KEV), and optional connectors like Have I Been Pwned. Each source has its own data handling policies.

Each third-party service has its own privacy policy. We recommend reviewing their policies to understand how they handle your data.

6. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption at rest: All sensitive data including API credentials are encrypted using AES-256-GCM
  • Encryption in transit: All data transmitted over HTTPS/TLS
  • Password hashing: Passwords are hashed using secure algorithms (scrypt)
  • Session security: HTTP-only, secure cookies with CSRF protection
  • Rate limiting: Protection against brute force and abuse
  • Account lockout: Automatic lockout after failed login attempts

While we strive to use commercially acceptable means to protect your data, no method of transmission over the Internet or electronic storage is 100% secure.

7. Your Rights

You have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate personal data
  • Deletion: Request deletion of your personal data and account
  • Export: Export your threat data and investigation notes in various formats
  • Withdraw consent: Disconnect connectors and stop data collection at any time
  • Object: Object to processing of your personal data in certain circumstances

To exercise any of these rights, please contact us at privacy@peelsec.com.

8. Cookies and Tracking

We use cookies solely for authentication and essential functionality:

  • Session cookies: Required for authentication and maintaining your login state
  • Preference cookies: Remember your theme, accessibility settings, and display preferences

We do not use third-party tracking cookies, advertising cookies, or analytics services that track you across websites.

9. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. Our service providers (database, hosting, email) may process data in various locations. When we transfer data internationally, we ensure appropriate safeguards are in place in accordance with applicable data protection laws.

10. Children's Privacy

{P}eelSec is intended for security professionals, developers, and businesses, and is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For significant changes, we may also send you an email notification.

Your continued use of our service after any changes indicates your acceptance of the updated Privacy Policy.

12. Contact Us

If you have any questions about this Privacy Policy, your personal data, or wish to exercise any of your rights, please contact us:

Email: privacy@peelsec.com

Subject line: Privacy Inquiry

We will respond to your request within 30 days.

13. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of Israel, without regard to its conflict of law provisions.