Privacy Policy

Last updated: March 19, 2026

Skynetix Corporation SRL (VAT ID: IT16149571008), with registered office at Viale Parioli, 73 — 00197 Rome, Italy, operating as "Exploita" ("we", "us", "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our platform at exploita.ai. By using the Service, you consent to the data practices described herein.

1. Data We Collect

We collect the following categories of data:

  • Account Data: Name, email address, password (hashed), profile picture, and display name provided during registration.
  • Payment Data: Transaction records and billing information. Credit card details are processed and stored exclusively by our third-party payment provider (Stripe) and never stored on our servers.
  • Scan Data: Domains scanned, scan configurations, results, vulnerability reports, target IP addresses, and associated metadata.
  • Usage Data: IP address, browser type, device information, pages visited, features used, timestamps, and geolocation data (country-level).
  • Communication Data: Support tickets, emails, and any messages you send us.
  • Domain Verification Data: Domain names, DNS verification tokens, verification attempt timestamps, verification status (pending/verified/failed), and associated IP addresses. This data is collected when you add and verify domains on the platform.
  • Compliance Data: Scan target history, domain verification records, authorization records, and account activity logs maintained for security, legal compliance, and abuse prevention purposes.

2. How We Use Your Data

  • Provide, maintain, and improve the Service.
  • Process transactions and manage your token balance.
  • Generate and deliver scan reports.
  • Send account notifications, security alerts, and service updates.
  • Detect, investigate, and prevent fraud, abuse, unauthorized scanning, and misuse of the Service.
  • Monitor compliance with our Terms of Service, including verification that users are scanning only authorized targets.
  • Cooperate with law enforcement investigations and respond to legal requests.
  • Comply with legal obligations.
  • Aggregate anonymized data for analytics and service improvement.

3. Data Disclosure to Law Enforcement

Exploita reserves the right to disclose any and all User data — including account information, scan history, target domains, IP addresses, timestamps, and usage logs — to law enforcement authorities, regulatory bodies, or other governmental agencies when: (a) required by law, court order, or subpoena; (b) we have a good-faith belief that disclosure is necessary to investigate, prevent, or address suspected illegal activity, fraud, or security threats; (c) to protect the rights, property, or safety of Exploita, its users, or the public; or (d) a User is reasonably suspected of violating our Terms of Service, including unauthorized scanning of third-party systems. We may also proactively report suspected illegal activity without prior notice to the User.

4. Legal Basis for Processing (GDPR)

We process your data based on:

  • Contract performance (Art. 6(1)(b)): To deliver the services you've requested.
  • Legitimate interest (Art. 6(1)(f)): To improve the platform, prevent abuse, ensure security, monitor compliance, and protect against misuse.
  • Consent (Art. 6(1)(a)): For marketing communications (you can opt out at any time).
  • Legal obligation (Art. 6(1)(c)): To comply with applicable laws, regulations, and law enforcement requests.

5. Data Sharing

We do not sell your personal data. We may share data with:

  • Service providers: Hosting, payment processing (Stripe), email delivery, and analytics — all bound by data processing agreements.
  • Law enforcement & government authorities: As described in Section 3 above.
  • Legal proceedings: In connection with litigation, arbitration, or regulatory proceedings involving Exploita.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users.

6. Data Retention

  • Account data is retained while your account is active and for 30 days after deletion.
  • Scan results are retained for 12 months, after which they are permanently deleted.
  • Scan target logs and compliance data (domains scanned, timestamps, IP addresses) are retained for a minimum of 36 months for legal compliance, abuse investigation, and law enforcement cooperation purposes.
  • Domain verification data (verification tokens, DNS verification attempts, verification timestamps, and domain status history) are retained for a minimum of 36 months. If a domain is deleted or an account is terminated, verification records are retained indefinitely for legal defense, compliance auditing, and abuse prevention.
  • Payment records are retained for 7 years as required by financial regulations.
  • Usage logs are retained for 90 days.
  • Data related to accounts terminated for Terms of Service violations may be retained indefinitely for legal defense, law enforcement cooperation, and abuse prevention purposes.

7. Data Security

We implement industry-standard security measures including encryption in transit (TLS 1.3), encryption at rest (AES-256), access controls, regular security audits, and secure infrastructure. Scan data is stored in isolated environments with strict access policies.

8. Your Rights

Under GDPR and applicable privacy laws, you have the right to:

  • Access: Request a copy of your personal data.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure: Request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
  • Portability: Receive your data in a structured, machine-readable format.
  • Restriction: Limit how we process your data.
  • Objection: Object to processing based on legitimate interest.
  • Withdraw consent: For consent-based processing, at any time.

Note: Certain data (scan target logs, compliance records, and data related to abuse investigations) may be exempt from erasure requests under legitimate interest and legal obligation bases, particularly where retention is necessary for ongoing or anticipated law enforcement proceedings.

To exercise any of these rights, contact us. We will respond within 30 days.

9. International Transfers

Your data may be processed in countries outside the European Economic Area (EEA). In such cases, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that a minor has provided personal data, we will take steps to delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be notified via email or a prominent notice on the platform. Continued use after changes constitutes acceptance.

12. Contact

Skynetix Corporation SRL
Viale Parioli, 73 — 00197 Rome, Italy
VAT ID: IT16149571008

Privacy inquiries: Contact us
Data Protection Officer: Contact us
Phone: +44 7441 427 222