Privacy Policy

Last updated: June 19, 2026

This Privacy Policy governs the processing of personal data by Türkol Yazılım Bilgisayar Sanayi ve Ticaret Limited Şirketi ("Türkol", "we", "us"), operator of the Vulnytics product and the website at vulnytics.com.
Tax ID 8800579984 (Şarköy Tax Office) · İSTİKLAL MAH. GANOS SK. NO: 5 B, 59800 Şarköy / Tekirdağ, Turkey.

1. Data Controller

The data controller responsible for your personal data is Türkol Yazılım Bilgisayar Sanayi ve Ticaret Limited Şirketi, contactable at support@vulnytics.com.

2. Data We Collect

Account information — for paid plans: your name, email address and company name, provided directly or through our payment processor at checkout.
Scan metadata — for each scan, the type, slug and version of your installed plugins, themes and WordPress core. This is the only site data the plugin transmits to our API.
Licensing data — your license key and a derived site token, used to validate your subscription and group your sites.
Technical data — IP address, request timestamps and basic API logs, collected to operate and secure the service.
Payment data — handled by our payment processor (see §5). We never store your full card details.

What we do not collect: Vulnytics does not transmit your site's content, page URLs, post or comment data, user accounts, passwords or any file contents to our servers. Vulnerability matching uses only the component name and version.

3. Purpose of Data Processing

We process data to: match your installed components against our vulnerability database and return findings; provide the security score, hardening, malware, protection and reporting features; validate licenses and process payments; provide support; and operate, secure and improve the service.

4. Legal Basis for Processing

We rely on (a) performance of a contract (providing the service you signed up for), (b) legitimate interests (operating and securing the service, preventing abuse), (c) legal obligations (tax, accounting), and (d) consent where required (e.g. optional analytics). This Policy is provided in accordance with the GDPR and Turkey's KVKK.

5. Data Sharing

We share data only with the service providers necessary to run Vulnytics:

Paddle — our Merchant of Record, which processes payments, billing and invoices. Paddle acts as a separate controller for payment data under its own privacy policy.
Cloud hosting providers — to host the API and store the vulnerability database.
Vulnerability data feeds — we compile public and commercial vulnerability data into our own database; we never send your data to these feeds.
Legal authorities — where required by law.

We do not sell your personal data.

6. Data Retention

Account and licensing data are retained for the life of your subscription and as required for tax/accounting purposes afterward. Scan metadata is retained to provide history and trends and is deleted on request or when you uninstall (subject to your "keep data" setting). API logs are kept for a limited period for security and debugging.

7. Your Rights

Under the GDPR and KVKK you have the right to access, rectify, erase, restrict or object to the processing of your personal data, and to data portability. To exercise any right, email support@vulnytics.com. We will respond within 30 days.

8. The Plugin — what leaves your WordPress site

Privacy is a core design choice. The Vulnytics plugin sends only an inventory of {type, slug, version} for your installed components to our API for matching. Hardening, integrity, malware, login-security and virtual-patching features run entirely on your own server and transmit no file contents or credentials.

9. Cookies

The vulnytics.com website uses only the cookies necessary for it to function and, where applicable, privacy-respecting analytics. The WordPress plugin itself does not set tracking cookies. See our Cookie Policy.

10. Security

We protect data with encryption in transit (TLS), access controls, and a server-side matching architecture that keeps the vulnerability database off your site. No system is perfectly secure, but we take reasonable, industry-standard measures to protect your data.

11. Account & Data Deletion

You may request deletion of your account and associated personal data at any time by emailing support@vulnytics.com. Data is deleted within 30 days, except where retention is required by law.

12. Children

Vulnytics is a business product not directed to children, and we do not knowingly collect personal data from anyone under 16.

13. Changes to This Policy

We may update this Policy from time to time. Material changes will be reflected by the "Last updated" date above and, where appropriate, communicated to account holders.

14. Contact

Questions about this Policy or your data: support@vulnytics.com.