GDPR Compliance

Last updated: March 14, 2026

Exploita is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This page explains how we protect your data rights as a data subject, and the specific circumstances under which certain rights may be limited.

1. Data Controller

Exploita acts as the data controller for personal data collected through the platform.

Data Controller: Skynetix Corporation SRL
Registered Office: Viale Parioli, 73 — 00197 Rome, Italy
VAT ID: IT16149571008
Contact: via the "Contact us" link on the platform
Data Protection Officer: via the "Contact us" link on the platform
Phone: +44 7441 427 222

2. Lawful Basis for Processing

We process personal data under the following legal bases:

  • Article 6(1)(b) — Contract: Processing necessary to perform our contract with you (account management, scan delivery, token transactions).
  • Article 6(1)(a) — Consent: For optional marketing communications and non-essential cookies.
  • Article 6(1)(f) — Legitimate Interest: For platform security, fraud prevention, abuse detection, compliance monitoring, domain ownership verification via DNS, service improvement, and prevention of unauthorized use of scanning tools for illegal purposes.
  • Article 6(1)(c) — Legal Obligation: For tax records, financial reporting, law enforcement cooperation, and compliance with court orders or subpoenas.

3. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights:

  • Right of Access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate data.
  • Right to Erasure (Art. 17): Request deletion of your personal data, subject to exceptions below.
  • Right to Restrict Processing (Art. 18): Request limitation of processing while a dispute is resolved.
  • Right to Data Portability (Art. 20): Receive the personal data you have provided to us, where processed by automated means under consent or contract, in a structured, commonly used, machine-readable format (JSON or CSV).
  • Right to Object (Art. 21): Object to processing based on legitimate interest.
  • Right to Withdraw Consent (Art. 7): Withdraw consent at any time for consent-based processing.
  • Right Not to Be Subject to Automated Decisions (Art. 22): We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you.

4. Limitations on Data Rights — Security and Legal Compliance

In accordance with GDPR Article 17(3), Article 21(1), and Article 23, certain data rights may be restricted in the following circumstances:

  • Legal claims defense (Art. 17(3)(e)): We may retain data necessary for the establishment, exercise, or defense of legal claims, including data related to accounts investigated or terminated for Terms of Service violations.
  • Legal obligations (Art. 17(3)(b)): Data required by financial regulations, tax law, or other statutory retention requirements cannot be erased until the retention period expires.
  • Crime prevention (Art. 23(1)(d)): Where Union or Member State law provides for such a restriction, scan target logs, IP addresses, timestamps, and compliance data may be retained and exempt from erasure when necessary for the prevention, investigation, detection, or prosecution of criminal offenses, including unauthorized computer access.
  • Overriding legitimate grounds (Art. 17(1)(c) and Art. 21(1)): Where our legitimate interest in preventing misuse of the Service and cooperating with law enforcement constitutes a compelling ground that overrides your interests, rights, and freedoms, we may deny objection and erasure requests for the relevant compliance data.

Specifically: scan target history, account activity logs, and associated metadata for accounts suspected of or confirmed to have engaged in unauthorized scanning or other Terms violations may be retained indefinitely for legal defense and law enforcement cooperation purposes, regardless of erasure requests.

5. Data Processing Activities

  • Account management: Registration, authentication, profile data — retained while the account is active plus 30 days.
  • Scan processing: Domain scanning, vulnerability detection, report generation — scan data retained for 12 months.
  • Compliance logging: Scan targets, IP addresses, timestamps — retained for minimum 36 months.
  • Payment processing: Via Stripe (sub-processor) — transaction records retained for 7 years.
  • Analytics: Anonymized usage data — retained for 90 days.
  • Abuse investigation data: Retained indefinitely where related to suspected or confirmed Terms violations.

6. Sub-Processors

We use the following sub-processors, each bound by a Data Processing Agreement (DPA) under Article 28:

  • Supabase: Authentication and database (EU region).
  • Stripe: Payment processing (certified under EU-US Data Privacy Framework).
  • Cloud infrastructure provider: Hosting and compute (EU data centers).
  • Email service provider: Transactional emails (DPA in place).

7. International Data Transfers

We prioritize processing data within the EU/EEA. When data must be transferred outside the EEA, we rely on the safeguards of Chapter V of the GDPR: the EU-US Data Privacy Framework for certified US recipients, Standard Contractual Clauses (SCCs) for other recipients, and supplementary technical measures such as encryption in transit and at rest.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33). If the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users directly without undue delay (Article 34).

9. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including our scanning engine and compliance monitoring systems, in accordance with Article 35.

10. Exercising Your Rights

Contact our Data Protection Officer using the contact details in Section 1. We will verify your identity and respond within one month of receiving your request (Article 12(3)). For complex or numerous requests, we may extend this by up to two further months, and will inform you of the extension and its reasons within the first month. Requests that conflict with legal retention obligations or ongoing investigations may be partially or fully denied, and we will explain the reasons for any refusal and your right to complain to a supervisory authority (Article 12(4)).

11. Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data protection rights have been violated.