Privacy Policy

Last updated: March 4, 2026

1. Information We Collect

We collect information across three categories when you use Maced:

Account Data

Information you provide when creating an account, including your name, email address, organization name, and authentication credentials (such as OAuth tokens from connected providers).

Target System Data

During penetration tests, our autonomous AI agents actively interact with your target systems and may access, process, and temporarily store data exposed by those systems. This includes but is not limited to: HTTP responses, API endpoint data, server configurations, error messages, application state, database responses, and any other information the target system returns during testing. For white-box pentests, this also includes source code from connected repositories.

Usage Data

We collect data about how you use the Platform, including pentest configurations, scan parameters, test results, report access patterns, and general platform interactions. We also collect technical data such as browser type, IP address, and device information.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Platform and its penetration testing services
  • Generate pentest reports and security findings for your organization
  • Communicate with you about your account, security findings, and product updates
  • Improve our AI models, testing methodologies, and Platform performance using anonymized and aggregated data
  • Ensure the security and integrity of our Platform and prevent abuse
  • Comply with legal obligations

3. Third-Party AI Processing

Maced's autonomous agents are powered by third-party AI models, including Anthropic's Claude. Data collected during penetration tests — including target system responses, source code (for white-box tests), and other information gathered from your systems — is transmitted to these AI providers for processing as part of the pentest workflow.

We select AI providers that maintain appropriate data handling and security practices. However, you should be aware that your target system data is processed by these third parties in order for the service to function. We recommend reviewing our AI providers' privacy policies for additional information about their data practices.

4. Source Code and Repository Access

For white-box penetration tests, Maced accesses source code from repositories you connect to the Platform (e.g., via GitHub). Source code is cloned into isolated, ephemeral sandbox environments for analysis. Code is not stored on our servers beyond the lifecycle of the pentest run, except where excerpts are included in generated reports to provide context for identified vulnerabilities.

5. Sandbox Data Lifecycle

All penetration test execution occurs within isolated sandbox environments. These sandboxes are provisioned on demand and destroyed immediately upon pentest completion or failure. Data generated or captured during testing (including agent logs, tool outputs, and intermediate findings) is retained only in the final pentest report delivered to your organization.

No persistent copy of your target system data, source code, or credentials is retained in sandbox environments after destruction.

6. Data Retention

  • Account data is retained for as long as your account is active or as needed to provide services.
  • Pentest reports and findings are retained according to your organization's configured retention policy.
  • Sandbox environments are destroyed immediately upon pentest completion.
  • AI processing logs are retained for a limited period for debugging and service improvement purposes, then deleted.
  • Credentials and access tokens provided for testing are encrypted in transit and at rest, and are not persisted beyond the active test run.

You may request deletion of your account and associated data at any time by contacting us.

7. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption of data in transit (TLS) and at rest
  • Isolated, ephemeral sandbox environments for each pentest run
  • Access controls and role-based permissions within organizations
  • Secure handling of credentials — any credentials or tokens provided for testing are encrypted and automatically purged after the test run completes
  • Regular security assessments of our own infrastructure

While we take reasonable measures to protect your data, no system is completely secure. You are responsible for maintaining the security of your account credentials and for the data you choose to expose to the Platform through your target system configurations.

8. International Data Transfers

Your data may be processed in jurisdictions outside your country of residence, including the United States and other regions where our infrastructure providers and AI processing partners operate. By using the Platform, you consent to the transfer and processing of your data in these jurisdictions. We take steps to ensure that data transfers comply with applicable data protection laws.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate or incomplete data
  • Deletion — request deletion of your personal data, subject to legal retention requirements
  • Portability — request a machine-readable copy of your data
  • Restriction — request that we restrict processing of your data in certain circumstances
  • Objection — object to processing of your data for certain purposes

To exercise any of these rights, contact us at privacy@maced.ai. We will respond to your request within 30 days.

10. Children's Privacy

Maced is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will take steps to delete such information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through a prominent notice on the Platform prior to the changes taking effect. Your continued use of the Platform after such changes constitutes acceptance of the updated policy.

12. Contact

If you have questions about this Privacy Policy or our data practices, please contact us at privacy@maced.ai.