Legal

Privacy Notice

How Zeroday IQ Cyber Pte. Ltd. ("Zeroday IQ", "we", "our", "us") collects, uses, shares, and protects information in connection with our website, dashboard, scanners, AI agents, and related services.

Effective: 8 May 2026 Version: 1.0 Applies to: zerodayiq.com and the Zeroday IQ dashboard
At a glance

Privacy in plain English

  • We collect what we need to run scans you ask for and reply to your enquiries. Nothing for advertising.
  • We do not sell your data. We do not use your scan inputs, scan outputs, or chat history to train external AI models.
  • You can export, rectify, or delete your data at any time, including credentials you provided for authenticated scans.
  • We rely on a small set of subprocessors for hosting and AI inference. Each one is listed below.
  • Account data is encrypted at rest, transmitted over TLS, and accessed under least privilege controls.

1About this notice

This notice explains how Zeroday IQ handles information collected through our website at zerodayiq.com, our dashboard, our scanner pipeline, and any agents or integrations that connect to our service. It applies to website visitors, registered users, customers, and anyone who contacts us.

If your organisation has signed a Master Service Agreement, an Order Form, or a Data Processing Addendum with us, that document controls to the extent of any conflict with this notice.

2Who we are

Zeroday IQ Cyber Pte. Ltd. is a private company registered in Singapore, with its registered office at 9 Raffles Place, #29‑05, Republic Plaza, Singapore 048619.

We are the controller of personal information collected through our website, marketing operations, and dashboard for our own customers. When customers run scans on assets they control, we act as a processor in respect of personal data that may be incidentally captured during those scans.

3Information we collect

We collect only what we need to deliver the service and run our business. The categories below are exhaustive.

3.1 Information you give us

  • Account details: full name, work email, password hash (we never store passwords in plaintext), company name, role, and time zone.
  • Billing details: company name, billing contact, invoicing email, tax identifiers, postal address. Card data is captured by our payment processor; we never receive the full card number.
  • Communications: any message, attachment, screenshot, or call record you send us through the contact form, support email, or scheduled call.

3.2 Scan inputs

When you run a scan you provide one or more targets and, optionally, credentials or tokens that allow us to test authenticated surfaces:

  • Target identifiers (domains, hostnames, IP ranges, URLs, GraphQL endpoints, API base paths).
  • Optional login material you choose to give us (form login URLs plus username and password, JWTs, OAuth client credentials, API tokens, session cookies).
  • Optional cross‑user material for IDOR or BOLA testing (a second account's credentials).
  • Optional scoping rules (rate limits, allowed methods, exclusions, custom headers).

We treat scan inputs as confidential customer data. They are encrypted at rest, scoped to the user account that created them, and only processed for the scans that account requests.

3.3 Scan outputs

Findings and supporting evidence produced by the scanner pipeline and AI agents:

  • Discovered hosts, services, ports, certificates, and software fingerprints.
  • Vulnerabilities, severities, proof of concept payloads, captured request and response pairs, screenshots, and JSON dumps.
  • Compliance mappings (SOC 2, ISO 27001, HIPAA, GDPR, PCI DSS, NIST CSF, OWASP), with CWE, CVSS 3.1, and MITRE ATT&CK references.
  • Conversation history with the AI assistant. Each message is anchored to a specific scan record, since chat answers are grounded only in your stored scans.

You own this data. We hold it on your behalf so you can re‑open it, query it from chat, and generate PDFs. You can export or delete any scan from the dashboard.

3.4 Technical data

Standard server logs and product telemetry:

  • IP address, user agent, referrer, request path, and timing.
  • Authentication events (sign in, sign out, MFA challenges, password resets).
  • Error logs, performance metrics, and feature usage counters that help us debug and prioritise.

We retain technical data on a short cycle and never link it to advertising or third party identifiers.

4How we use information

We use the information described in section 3 for:

  • Operating the service: running scans, generating reports, surfacing chat answers grounded in your stored scans, scheduling continuous monitoring, and delivering notifications.
  • Account administration, billing, and customer support.
  • Securing the service: detecting abuse, abusive scanning, brute force attempts, scraping, and other adversarial activity.
  • Improving the service. We use aggregate, de‑identified statistics (for example, "median scan duration", "failure rate of module X") to prioritise engineering work. We do not feed your raw scan data into model training.
  • Communicating with you about service updates, billing, security advisories, and (where you have opted in) product news.
  • Complying with our legal, regulatory, audit, and reporting obligations.

5Lawful bases for processing

Where the EU GDPR or UK GDPR applies, we process personal information under one of the following legal bases:

  • Performance of a contract with you, including signing you up, running scans you request, and supporting your account.
  • Legitimate interest in operating, securing, and improving our service, on a basis that does not override your rights and freedoms.
  • Consent, where you have specifically opted in (for example, marketing emails). You may withdraw consent at any time without affecting prior processing.
  • Legal obligation, where we must process information to comply with applicable law.

Where the Singapore Personal Data Protection Act (PDPA) applies, we rely on the consent and legitimate interest bases provided under the Act, including the deemed consent and legitimate interest exceptions.

6Sharing and subprocessors

We do not sell, rent, or disclose personal information for advertising. We share information only with the categories of recipient listed below, all under written agreements that require equivalent or stronger safeguards than this notice.

SubprocessorPurposeRegion
Hosting and databaseApplication hosting, MongoDB‑backed scan storage, log retentionAsia (primary), with redundancy where applicable
OpenAIAI inference for scan analysis, intent classification, and chat answersUnited States
AnthropicAlternative AI inference (selected per scan)United States
ShodanInternet asset enrichment during reconUnited States
VirusTotalFile and URL reputation lookups during scansUnited States
NVD (NIST)CVE matchingUnited States
Email providerTransactional and lead notification emailAsia / United States
Payment processorCard processing for paid plansUnited States

Subprocessors process data only on documented instructions from Zeroday IQ. We will notify customers of material additions or replacements with at least 30 days' notice through the dashboard or email, where contractually required.

We may also disclose information when compelled by valid legal process. We will challenge over‑broad requests where lawful and notify you unless the law forbids us from doing so.

7International transfers

Zeroday IQ is registered and headquartered in Singapore. Some of the subprocessors named above operate in the United States, the European Union, and other jurisdictions. When personal data leaves your home jurisdiction, we rely on appropriate safeguards, including the European Commission Standard Contractual Clauses, the UK International Data Transfer Addendum, and adequacy decisions where available.

8Data retention

  • Scan data and conversation history: retained while your account is active. You can delete individual scans or your entire account at any time. After account closure we retain scan archives for 30 days for export, then permanently delete them.
  • Account and billing records: retained for the duration of the contract and for as long as required by Singapore tax, accounting, and audit law (typically up to 7 years).
  • Marketing leads: retained until you ask us to delete or for a maximum of 24 months after the last contact, whichever is sooner.
  • Server logs: 30 days, except where extended retention is required for security investigation.
  • Backups: encrypted backups roll on a 30 day cycle. Deletion in the live system propagates to backups within that window.

9Security

We protect personal information using industry standard controls, including:

  • TLS 1.2+ for data in transit. AES‑256 for data at rest.
  • Secret management for API keys, tokens, and credentials provided as scan inputs. Secrets are never logged.
  • Least privilege access. Production access is gated to a small, named operations team with MFA enforced and audited.
  • Bcrypt password hashing for end user accounts. JWT auth for sessions.
  • Network segmentation between the dashboard, the scanner workers, and the database.
  • Annual third party penetration testing of our own platform. We also dogfood our scanner against ourselves.

No system can be guaranteed against every adversary. If you discover a vulnerability in our platform, please report it through the .

10Your rights

Depending on where you live you may have the right to:

  • Access the personal information we hold about you.
  • Rectify inaccurate information.
  • Erase your information in defined circumstances.
  • Restrict or object to certain processing.
  • Receive your data in a portable format.
  • Withdraw consent where processing is consent based.
  • Lodge a complaint with the Singapore PDPC, your national data protection authority, or the relevant supervisory authority in the EEA or UK.

To exercise any of these rights please contact us using the details in section 14. We respond within 30 days, or sooner where required by law. We may need to verify your identity before acting on a request.

11Children

The service is not intended for, and we do not knowingly collect personal information from, individuals under 16. If you believe a child has provided us with personal information, please contact us so we can delete it.

12Cookies and similar technologies

The marketing site at zerodayiq.com uses no third party analytics, no advertising pixels, and no cross site tracking cookies. The dashboard at /app uses a single first party authentication cookie to keep you signed in, and a localStorage entry for theme preferences. We do not embed third party fonts or trackers that profile your browsing across sites.

13Changes to this notice

We will update this notice when our practices change. The "Effective" date at the top of this page reflects the latest revision. For material changes that affect how we use personal information we will notify you in advance through email or the dashboard.

14How to contact us

For questions about this notice, requests to exercise your rights, or to nominate a data protection contact at your organisation, you can reach us through: