CVEium
Sign Up

Privacy Policy

How CVEium handles your data

Last updated: February 9, 2026

1. Introduction

CVEium ("we", "us", or "our") operates CVEium CIS, a vulnerability disclosure management platform. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data We Collect

Account Information

When you create an account, we collect your email address, display name, and password (stored as a secure hash). If you sign up through a third-party provider, we receive your name and email from that provider.

Team and Organization Data

If you create or join a team workspace, we store team names, member roles, and invitation records.

Product Data

Data you upload or create within the Service, including: product and release information, Software Bills of Materials (SBOMs), component inventories, vulnerability triage records (dispositions, justifications, impact statements), VEX documents, and audit log entries.

Billing Information

If you subscribe to a paid plan, payment processing is handled by Stripe. We store your Stripe customer identifier and subscription status. We do not store credit card numbers or payment details directly.

Usage Data

We collect basic usage metrics such as product counts, release counts, and published disclosure counts for subscription limit enforcement. We do not track individual page views or clicks.

3. How We Use Your Data

We use your data to:

  • Provide and operate the Service
  • Scan your SBOMs against known vulnerability databases (NVD, OSV)
  • Send email notifications when new vulnerabilities are found (Owners and Admins only)
  • Process subscription payments through Stripe
  • Enforce usage limits based on your subscription plan
  • Respond to support requests
  • Comply with legal obligations

We do not sell your data. We do not use your data for advertising or profiling.

4. Data Storage and Security

Your data is stored on Supabase Cloud infrastructure in the European Union (Frankfurt, Germany). All data is encrypted in transit (TLS) and at rest. Database access is protected by row-level security policies ensuring you can only access data belonging to your accounts and teams.

The Service is delivered via Cloudflare's global network, which provides DDoS protection and edge caching for static assets. Cloudflare does not have access to your stored data.

5. Data Sharing

We share your data only with the following categories of service providers, all bound by data processing agreements:

  • Supabase — Database hosting, authentication, and file storage
  • Stripe — Payment processing for paid subscriptions
  • Email provider — Transactional email delivery for account verification, password resets, and CVE match notifications
  • Cloudflare — Content delivery and DDoS protection

We do not share your data with any other third parties unless required by law or with your explicit consent.

Published Disclosures

When you publish a VEX document through the Service, the disclosure content is made publicly accessible at a URL you control. This is an intentional action you initiate through the approval workflow. Only the VEX document content is published — your account information, team details, and internal triage records are not included.

6. Cookies

We use only essential cookies required for the Service to function. See our Cookie Policy for details.

7. Your Rights

Under the GDPR and applicable data protection laws, you have the right to:

  • Access — Request a copy of the personal data we hold about you
  • Rectification — Request correction of inaccurate personal data
  • Erasure — Request deletion of your personal data and account
  • Portability — Receive your data in a machine-readable format (SBOMs, VEX documents, audit logs)
  • Restriction — Request limitation of processing in certain circumstances
  • Objection — Object to processing based on legitimate interest

To exercise any of these rights, contact us at privacy@cveium.com. We will respond within 30 days.

8. Data Retention

We retain your data for as long as your account is active. If you close your account, we retain your data for 30 days to allow recovery or export, after which it is permanently deleted. Audit logs may be retained for up to 12 months after account closure for compliance purposes.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email with at least 30 days' notice. The "Last updated" date at the top of this page indicates when the policy was last revised.

11. Contact

For questions about this Privacy Policy or to exercise your data rights, contact us at privacy@cveium.com.