Cookie and Tracking Technologies Policy
Effective date: 2026-06-02
Last updated: 2026-06-02
In plain language. This notice explains the small files and similar technologies that HackZero uses when you visit hackzero.ai or sign in to dashboard.hackzero.ai. We use only the cookies we need to run the site and keep you signed in, plus one small cookie that tells our marketing pages whether to show “Sign in” or “Go to dashboard,” plus privacy-friendly, first-party analytics that do not track you across other websites. We do not use third-party advertising cookies or cross-site tracking, and we do not sell or share your personal information for cross-context behavioral advertising. Where the law requires consent before non-essential tracking (for example the European Union, Quebec, and Brazil), we ask first. We honor the Global Privacy Control opt-out signal for all visitors, everywhere we operate, whether or not the law that applies to you requires it. You can manage your choices through the cookie banner and through your browser at any time. This notice supplements our Privacy Policy at /legal/privacy.
1. About this notice
1.1 Who we are
This Cookie and Tracking Technologies Policy (“Cookie Policy” or “Notice”) is published by Agentic Security, Inc., a Delaware corporation, doing business as “HackZero” (“HackZero”, “we”, “us”, or “our”), with its principal place of business and notice address at 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States.
In this Notice, “Services” means our public website at hackzero.ai, our customer dashboard at dashboard.hackzero.ai, and the related pages and features we operate. “You” means a visitor to our website, a person who signs in to the dashboard, or any individual whose device interacts with the Services.
1.2 What this Notice covers (and what it does not)
This Notice describes the cookies, software development kits (“SDKs”), local storage, pixels, tags, and similar technologies that we and our service providers use on the Services, the purposes for which we use them, the legal basis and consent model that apply in each region we sell into, and how you can manage or withdraw your choices.
This Notice does not cover:
- Our broader handling of personal information, which is described in our Privacy Policy at /legal/privacy. This Notice and the Privacy Policy are intended to be read together; defined terms used here have the meanings given here or in the Privacy Policy.
- Personal data that our autonomous testing agents may encounter inside a customer’s own systems during an authorized engagement. That data is processed under our Data Processing Addendum at /legal/dpa and the applicable Rules of Engagement (“RoE”) and Master Services Agreement (“MSA”), where HackZero acts as a processor for the customer (the controller), not under this Notice.
- The terms governing your use of the Services, which are in our Terms of Service at /legal/terms and our Acceptable Use Policy at /legal/acceptable-use.
1.3 Other documents you may want
- Privacy Policy: /legal/privacy
- Terms of Service: /legal/terms
- Acceptable Use Policy: /legal/acceptable-use
- Data Processing Addendum: /legal/dpa
- Subprocessor List: /legal/subprocessors
- AI Transparency Notice: /legal/ai
- Vulnerability Disclosure Policy: /legal/security
- Refund and Cancellation Policy: /legal/refunds
2. What cookies and similar technologies are
“Cookies” are small text files placed on your device when you visit a website. They let the website remember your actions and preferences (such as that you are signed in) over a period of time. Cookies set by the website you are visiting are “first-party” cookies. Cookies set by a domain other than the one you are visiting are “third-party” cookies.
We use the term “cookies and similar technologies” (or “tracking technologies”) to cover the following, all of which can store or read information on your device or recognize your device across requests:
- HTTP cookies. Session cookies are deleted when you close your browser. Persistent cookies remain for a set period or until you delete them.
- Local storage and session storage (collectively “web storage”). Browser storage that a website can read and write, used to keep small amounts of state on your device.
- Software development kits (SDKs). Pieces of code embedded in an application that can collect device or usage data. We do not embed third-party advertising or analytics SDKs in the Services as of the effective date of this Notice.
- Pixels, tags, and web beacons. Tiny images or snippets of code embedded in a page or email that signal that the page or email was loaded, and that can be associated with cookies. We do not use third-party advertising or analytics pixels on the Services as of the effective date of this Notice.
- Device and browser identifiers and fingerprinting signals. Information such as IP address, user-agent, and device or browser characteristics that can be combined to recognize a device. Our content delivery network and hosting providers process IP address and traffic metadata to deliver and secure the Services, as described in our Privacy Policy at /legal/privacy.
Some of these technologies are not technically “cookies.” Where a technology can identify, locate, or profile you, we treat it under this Notice and under the applicable consent rules regardless of the label.
3. How we use these technologies
We use cookies and similar technologies for the following purposes:
- To run the Services and keep you signed in. Our authentication is session-cookie based. We set a session cookie when you sign in to the dashboard and a security token to protect form submissions against cross-site request forgery. These are strictly necessary.
- To remember a basic interface state. We set one small functional cookie so our marketing pages can show the correct call to action (“Sign in” versus “Go to dashboard”). It carries no identifying information.
- To measure and improve the Services. We use privacy-friendly, first-party analytics to understand how visitors use the site so we can improve it. These analytics do not track you across other websites.
- Marketing. We do not use third-party advertising cookies or cross-site behavioral tracking technologies. If this changes, we will update this Notice, add the technologies to the table in Section 4, and obtain consent or provide an opt-out as required by your region.
We do not use cookies or similar technologies to make decisions about you that produce legal or similarly significant effects through solely automated processing.
4. Categories of cookies and similar technologies we use
The table below lists the cookies and similar technologies in use on the Services, organized by category: strictly necessary, functional, and first-party analytics. We do not use third-party advertising or cross-site tracking technologies.
Cookie lifetimes are approximate and depend on your browser. “Session” means the cookie is deleted when you close your browser or your session ends. We periodically review and update this table.
4.1 Strictly necessary cookies
These cookies are required to operate the Services and to provide features you have asked for, such as signing in. They cannot be switched off through our cookie banner because the Services would not function without them. Under the consent rules in Section 6, strictly necessary cookies do not require prior consent in any region (they are exempt as essential), though we still disclose them.
| Name | Provider | Purpose | Type and key properties | Duration |
|---|---|---|---|---|
| sessionid | HackZero (first party, set by Django on dashboard.hackzero.ai) | Maintains your authenticated session so you stay signed in. This is the session authentication cookie. | First-party HTTP cookie. HttpOnly (not readable by JavaScript), SameSite=Lax, Secure (sent only over HTTPS in production). Domain .hackzero.ai. | Session, up to the configured maximum (Django default, approximately two weeks) |
| csrftoken | HackZero (first party, set by Django) | Protects against cross-site request forgery on form and API submissions. Required for sign-in and other state-changing actions. | First-party HTTP cookie. SameSite=Lax, Secure (production). Readable by our own application code as required for the protection to work. | Up to 12 months |
| __cf_bm, cf_clearance | Cloudflare, Inc. (our global edge network and security provider; see /legal/subprocessors) | Bot management and security challenge clearance at the network edge, to protect the Services from automated abuse. Classified as strictly necessary (security). | Third-party cookie set by our edge network. | __cf_bm approximately 30 minutes; cf_clearance up to approximately 12 months |
4.2 Functional cookies
These cookies enable a more convenient experience but are not strictly necessary. In regions that require prior consent for non-essential technologies, we treat functional cookies as requiring consent or notice as set out in Section 6.
| Name | Provider | Purpose | Type and key properties | Duration |
|---|---|---|---|---|
| hz_auth | HackZero (first party) | A non-secret interface hint that tells our marketing pages whether to display “Sign in” or “Go to dashboard.” It carries a constant value of "1", holds no identifying information, and is not a security signal. Server-side authentication relies only on the sessionid cookie. | First-party HTTP cookie. Not HttpOnly by design (must be readable by JavaScript on the marketing site), SameSite=Lax, Secure (production). Domain .hackzero.ai. | Up to 30 days; re-set on each authenticated response and deleted on sign-out |
4.3 First-party analytics cookies
We use privacy-friendly, first-party analytics to measure aggregate site usage and improve the Services. These analytics are first-party only and do not track you across other websites. We do not use third-party advertising or cross-site tracking technologies. Where consent is required by your region, these technologies are set only with your consent.
| Name | Provider | Purpose | Type and key properties | Duration |
|---|---|---|---|---|
| hz_analytics | HackZero (first party) | Measures aggregate site usage (pages viewed, referrer, aggregate trends) so we can improve the Services. Privacy-friendly and first-party only; does not track you across other websites. Set only with your consent where consent is required. | First-party HTTP cookie. SameSite=Lax, Secure (production). | Up to 12 months |
4.4 Marketing cookies (none in use)
We do not use marketing, advertising, retargeting, or cross-site behavioral tracking cookies, pixels, or SDKs. We do not sell or share personal information for cross-context behavioral advertising. Because we do not disclose personal information to a third party for cross-context behavioral advertising, no “sale” (Cal. Civ. Code section 1798.140(ad)) or “share” (Cal. Civ. Code section 1798.140(ah)) is effected through tracking technologies, and the homepage “Do Not Sell or Share” opt-out mechanics in Section 6.2 are not triggered. If this changes, we will update this Notice, add the technologies to a table here, and obtain consent or provide an opt-out as required by your region, including the California opt-out and the equivalent targeted-advertising and sale opt-outs in the other United States state-privacy jurisdictions.
5. First-party and third-party technologies; subprocessors
The session authentication cookie (sessionid), the cross-site request forgery token (csrftoken), and the interface hint cookie (hz_auth) are first-party cookies that we set directly.
Certain providers we use to deliver and secure the Services may set or read technologies at the network level or process device data in the course of providing their services. As of the effective date, these include:
- Cloudflare, Inc. (DNS, content delivery, TLS termination, web application firewall, and origin-lock), which processes traffic metadata and IP address and may set security cookies at the edge as noted in Section 4.1.
- Fly.io, Inc. (cloud compute and managed database hosting), which processes application and account data and serves the Services.
A full list of our service providers and subprocessors, including their roles, the data categories they process, and their regions, is published at /legal/subprocessors. We do not use third-party advertising networks, data brokers, or social media tracking pixels on the Services.
6. Legal basis and consent model by region
We sell into the United States, Canada, and Latin America (Mexico, Brazil, Argentina, Colombia, Chile, and Peru). The consent rules differ by region. We apply a single global design that satisfies the strictest applicable rule and then disclose the regional specifics below. In every region, strictly necessary cookies are used without prior consent because they are essential to provide the Services you request. Our cookie banner is a global opt-in banner with reject-all parity, the design described in Section 7.
6.1 European Union and United Kingdom style opt-in (for any European Union subsidiary or European traffic)
The EEA is not a market HackZero serves today, and HackZero has not appointed an EU/UK Article 27 representative. We do not assert an establishment in the European Economic Area. However, customers with European subsidiaries may direct European traffic to the Services. Where European Union or United Kingdom rules apply:
- Prior opt-in consent is required before any non-essential cookie or similar technology is set or read, consistent with the principle that non-essential storage and access require the user’s freely given, specific, informed, and unambiguous consent. Strictly necessary technologies are exempt.
- We rely on consent as the legal basis for non-essential technologies, and on our legitimate interests and the necessity of providing the Services for strictly necessary technologies, as further described in our Privacy Policy at /legal/privacy.
- Consent must be as easy to refuse as to give (reject-all parity), must not be obtained through pre-ticked boxes, and may be withdrawn at any time.
6.2 United States: notice plus opt-out of sale or sharing; honor the Global Privacy Control
The United States does not impose a European Union style prior-consent requirement for cookies. The operative obligations are notice, plus an opt-out of any “sale” or “share” effected through tracking technologies, plus honoring a recognized opt-out preference signal. We honor the Global Privacy Control for all visitors, everywhere we operate, whether or not the law that applies to a given visitor requires it (see Section 8).
- California (California Consumer Privacy Act, as amended by the California Privacy Rights Act; Cal. Civ. Code sections 1798.100 to 1798.199.100; regulations at 11 C.C.R. sections 7000 to 7304, effective January 1, 2026). Cookies and pixels that disclose personal information to third parties for cross-context behavioral advertising are a “share” (Cal. Civ. Code section 1798.140(ah)) and may be a “sale” (Cal. Civ. Code section 1798.140(ad)). Where we engage in such activity, we are required to provide a clear “Do Not Sell or Share My Personal Information” link and a “Limit the Use of My Sensitive Personal Information” link (Cal. Civ. Code section 1798.135(a)), or a single combined link, and to honor an opt-out preference signal (Cal. Civ. Code section 1798.135(b); 11 C.C.R. section 7025). As of the effective date, we do not sell or share personal information for cross-context behavioral advertising, so these links are not required; we state this here as required. We disclose our cookie categories, recipients, and purposes in this Notice and in our Privacy Policy at /legal/privacy.
- Do Not Track and online tracking disclosure (California Online Privacy Protection Act; Cal. Bus. & Prof. Code section 22575(b)(5) to (7)). See Section 8 for how we respond to Do Not Track and similar signals and whether third parties may collect information across sites and over time through the Services.
- Other United States state privacy laws. Tracking that supports targeted advertising or a sale triggers an opt-out and the honoring of a universal opt-out mechanism in several states, including the Colorado Privacy Act (Colo. Rev. Stat. sections 6-1-1301 to 6-1-1313; universal opt-out mechanism mandatory per section 6-1-1306(1)(a)(IV)), the Connecticut Data Privacy Act (Conn. Gen. Stat. sections 42-515 to 42-525; section 42-520(e)), the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code sections 541.001 to 541.205; section 541.055(e)), the Oregon Consumer Privacy Act (ORS 646A.570 to 646A.589; ORS 646A.578, with universal opt-out honoring mandatory from January 1, 2026), the Montana Consumer Data Privacy Act (Mont. Code Ann. sections 30-14-2801 et seq.), and the Virginia Consumer Data Protection Act (Va. Code sections 59.1-575 to 59.1-585). We build to the strictest of these and honor the Global Privacy Control as the recognized signal for all visitors, not only where a universal opt-out mechanism is legally mandated. As noted above, we do not currently engage in targeted advertising or a sale.
6.3 Canada and Quebec (Law 25): tracking and profiling technology off by default, with notice
- Federal baseline (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5). We provide notice of our use of cookies and similar technologies, rely on consent appropriate to sensitivity for non-essential technologies, and offer a means to withdraw consent, consistent with the consent principle (Schedule 1, clause 4.3) and the openness principle (clause 4.8).
- Quebec (Act respecting the protection of personal information in the private sector, CQLR c. P-39.1, as amended by S.Q. 2021, c. 25, “Law 25”). Technology that allows a person to be identified, located, or profiled (for example analytics, fingerprinting, geolocation, and cross-site tracking) must be deactivated by default (Art. 9.1), and we must inform you of the means available to activate those functions. In practice this means non-essential identifying, locating, or profiling technologies are off by default for Quebec visitors, with granular opt-in through the cookie banner and on-page notice of any such technology in use. As of the effective date we do not use identifying, locating, or profiling technologies beyond the strictly necessary and functional cookies listed in Section 4, so there is no such technology active by default.
- Quebec French-language requirement (Charter of the French Language, CQLR c. C-11, as amended by S.Q. 2022, c. 14, “Bill 96”). For Quebec users, this Notice and the cookie banner, granular preference controls, and on-page notices will be presented in French by default; an English version is available on express request after the French version has been presented. This complements the Law 25 default-off obligation above: both apply to the same Quebec-facing tracking surface.
- Software installation (Canada’s Anti-Spam Legislation, S.C. 2010, c. 23, “CASL,” section 8). Setting standard cookies, HTML, and JavaScript falls within the deemed-consent carve-outs in section 10(8) and does not require separate express consent. If we were to install an SDK or agent on your device beyond standard cookies and scripts, separate express consent meeting the form requirements of CASL would be obtained. We do not install any such software through the website as of the effective date.
- Alberta and British Columbia. Provincial private-sector privacy laws (Alberta Personal Information Protection Act, S.A. 2003, c. P-6.5; British Columbia Personal Information Protection Act, S.B.C. 2003, c. 63) impose transparency and reasonable-security duties that we meet through this Notice and our Privacy Policy at /legal/privacy.
6.4 Brazil (LGPD) and broader Latin America
- Brazil (Lei Geral de Proteção de Dados, Lei nº 13.709/2018, “LGPD”). Cookies that process online identifiers are personal data. Consistent with the Autoridade Nacional de Proteção de Dados guidance on cookies, we distinguish strictly necessary cookies (no consent required) from non-essential, analytics, and marketing technologies (prior opt-in), provide granular controls and reject-all parity, do not use pre-ticked boxes, and state the purpose, legal basis (LGPD Art. 7, consent or, where appropriate, legitimate interest), retention, and any third parties in this Notice. The Portuguese-language version of this Notice will control for Brazilian users once published.
- Peru (Ley 29733 and its Reglamento, Decreto Supremo 016-2024-JUS, in force 30 March 2025). Online identifiers and location data are personal data, and the Reglamento has extraterritorial reach over controllers outside Peru that offer services to or monitor individuals in Peru (Art. 5). We therefore treat Peru like Brazil: an opt-in banner for non-essential technologies, in Spanish.
- Mexico (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, in force 21 March 2025). Cookie use is disclosed in this Notice and in our privacy notice (aviso de privacidad), and you are given a means to disable non-essential analytics technologies (an opt-out is acceptable for non-sensitive analytics), together with the means to exercise your ARCO rights and to limit the use of your data, in Spanish.
- Colombia (Ley 1581 de 2012 and Decreto 1377 de 2013). We disclose our use of cookies in our política de tratamiento and aviso de privacidad and obtain authorization for non-essential cookies; silence is not consent, in Spanish.
- Argentina (Ley 25.326 and Decreto 1558/2001). We disclose our use of cookies and obtain consent for non-essential technologies, in Spanish, and will align with the forthcoming reform once enacted.
- Chile. Under the current law (Ley 19.628) the regime is lighter; from 1 December 2026 the new law (Ley 21.719) is more demanding and adds rights of objection to automated decisions and profiling. We will upgrade to granular opt-in consent for Chilean users on that date, in Spanish.
For consumer-facing documents, the local-language version controls: Spanish for the Spanish-speaking Latin American jurisdictions, and Portuguese for Brazil. For Quebec, consistent with the French-language requirement (Bill 96, Section 6.3), the Quebec-facing banner, preference controls, and this Notice are served in French by default.
7. How to manage or withdraw your choices
You can manage cookies and similar technologies in two ways.
7.1 Through our cookie banner and preference center
When required by your region, we present a cookie banner the first time you visit and whenever your prior choice has expired or been reset. The banner lets you:
- Accept all non-essential technologies, or
- Reject all non-essential technologies (reject-all is presented with equal prominence to accept-all), or
- Manage choices by category (functional, analytics, and marketing), with strictly necessary technologies shown but not switchable.
You can reopen the preference center at any time through the “Cookie preferences” link in the website footer (or the equivalent control in the banner) and change or withdraw your choices. Withdrawing consent is as easy as giving it. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
7.2 Through your browser and device
Most browsers let you view, block, and delete cookies and clear web storage. You can usually find these controls in your browser’s settings or preferences, under “privacy” or “cookies.” Helpful references:
- Google Chrome, Mozilla Firefox, Apple Safari, and Microsoft Edge each publish instructions in their respective help centers for blocking or deleting cookies and clearing site data.
- You can set most browsers to block all cookies, block third-party cookies, or warn you before a cookie is set.
If you block or delete the strictly necessary cookies described in Section 4.1, parts of the Services (including signing in to the dashboard) will not work. See Section 9.
8. Do Not Track and Global Privacy Control
- Do Not Track (“DNT”). Some browsers offer a “Do Not Track” setting. There is no common industry standard for how websites must respond to DNT. Because our analytics are privacy-friendly and first-party only and we do not use third-party advertising or cross-site tracking technologies, there is no cross-site tracking for a DNT signal to stop, and we do not separately respond to DNT browser signals. We disclose this consistent with Cal. Bus. & Prof. Code section 22575(b)(5). If we add cross-site tracking technologies, we will update this Notice to describe our response to DNT.
- Third-party tracking over time and across sites. Consistent with Cal. Bus. & Prof. Code section 22575(b)(6), we disclose that, as of the effective date, we do not permit third parties to collect personally identifiable information about your online activities over time and across different websites through the Services.
- Global Privacy Control. We treat a Global Privacy Control (GPC) browser signal as a valid request to opt out of any sale or sharing of personal information and of targeted advertising. We honor GPC for all visitors, everywhere we operate, whether or not the law that applies to you requires it. The Global Privacy Control is a browser or device signal that communicates this opt-out preference, and is the recognized signal referenced in California (Cal. Civ. Code section 1798.135(b); 11 C.C.R. section 7025) and the universal-opt-out-mechanism states listed in Section 6.2. Because we do not sell or share personal information through tracking technologies, there is no sale or sharing for GPC to stop today; we have designed the Services so that this universal GPC handling remains in place if any future advertising or cross-site tracking technology is added.
9. Consequences of disabling cookies
Your choices have the following effects:
- If you disable strictly necessary cookies (sessionid, csrftoken, and any security cookies set by our CDN), you will not be able to sign in to or use the dashboard, and form submissions and protected actions will fail. These cookies cannot be turned off through our banner because the Services depend on them.
- If you disable the functional cookie (hz_auth), our marketing pages may show “Sign in” even when you are already signed in to the dashboard. There is no security impact; the worst case is an incorrect interface label.
- If you decline first-party analytics (and any marketing technologies, none of which are in use), the Services will work normally. Declining will not reduce the features available to you.
We do not use cookie walls on essential functions, and we do not condition access to the Services on your acceptance of non-essential technologies.
10. Changes to this Notice
We may update this Notice from time to time to reflect changes in the technologies we use, in our practices, or in the law. When we make changes, we will revise the “Last updated” date above and, for material changes (for example, adding analytics or marketing technologies, or beginning a sale or sharing of personal information), we will provide a more prominent notice, such as a banner on the Services or, where appropriate, an email, and we will obtain consent or provide an opt-out as required by your region before the change takes effect. We will keep prior versions on file. We review this Notice at least every twelve months consistent with Cal. Civ. Code section 1798.130(a)(5).
11. Contact us
If you have questions about this Notice or about how we use cookies and similar technologies, contact us at:
- Privacy: [email protected]
- Postal address: Agentic Security, Inc. (d/b/a HackZero), 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States
For how we handle personal information more broadly, including your data-subject and consumer rights and how to exercise them, see our Privacy Policy at /legal/privacy.