
HackZero Privacy Policy

Effective date: 2026-06-02
Last updated: 2026-06-02

Plain-language summary. Agentic Security, Inc., a Delaware corporation, doing business as “HackZero” (“HackZero”, “we”, “us”, or “our”) runs an AI penetration-testing platform at hackzero.ai. This policy explains what personal data we collect when you visit our website, create an account, sign a Rules of Engagement or contract, or pay for a subscription, and the choices and rights you have. Two points to read first. (1) For the data we hold as a business about you (your account, billing, and contact details), HackZero is the controller and you can exercise your rights directly with us. (2) For the data our autonomous agents read or capture from a customer’s source code and live applications during a security test, HackZero acts as a processor on the customer’s behalf under our Data Processing Addendum at /legal/dpa, and the customer is the controller; if you are an individual whose data was observed in such a test, contact the company that engaged us. We do not sell your personal data, and we do not use your data, or any customer data, to train artificial-intelligence models. Questions: [email protected].


1. Who we are and how to contact us

1.1 Controller identity

Agentic Security, Inc., a Delaware corporation, doing business as “HackZero” (“HackZero”, “we”, “us”, or “our”), is the controller (the party that decides why and how personal data is processed) for the personal data described in Section 3 of this policy, except for the customer product and scan data described in Section 1.4, for which HackZero is a processor.

| Field | Detail |
|---|---|
| Legal entity | Agentic Security, Inc. (Delaware corporation), d/b/a HackZero |
| Principal place of business and notice address | 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States |
| Website | hackzero.ai |
| Product dashboard | dashboard.hackzero.ai |
| Privacy contact | [email protected] |
| Legal and notices | [email protected] |
| Security | [email protected] |
| General | [email protected] |
| Support | [email protected] |

1.2 Privacy Officer / Data Protection Officer

We have designated an individual accountable for the protection of personal data, consistent with the accountability principle of Canada’s Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”), Schedule 1, clause 4.1.

| Field | Detail |
|---|---|
| Role | Privacy Officer / Data Protection Officer |
| Contact | our Privacy Officer, who can be reached at [email protected] |
| Postal | Agentic Security, Inc. (d/b/a HackZero), Attn: Privacy Officer, 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States |

The EEA is not a market HackZero serves today, and HackZero has not appointed an EU/UK Article 27 representative.

1.3 Brazil “Encarregado” (LGPD Article 41)

For purposes of Brazil’s Lei Geral de Proteção de Dados Pessoais, Lei nº 13.709/2018 (“LGPD”), Article 41, our person in charge of processing (the “Encarregado”) is:

| Field | Detail |
|---|---|
| Encarregado | our Data Protection Officer (Encarregado), reachable at [email protected] |
| Contact | [email protected] |

Where a local data-protection officer or database registration is required (for example, in Peru), HackZero complies with that requirement.

1.4 Important scope note: when HackZero is a processor, not a controller

This policy describes processing for which HackZero is the controller: website visitors, account holders, signers, and billing contacts (Sections 3.1 through 3.4).

It does not govern personal data that our platform reads from a customer’s source code or captures from a customer’s live web application during an authorized security engagement. For that data, the customer is the controller and HackZero acts only as a processor under the Data Processing Addendum (/legal/dpa) and the Master Services Agreement and Rules of Engagement that govern the engagement. If you are an end user, employee, or other individual whose personal data may have been observed during a security test, your rights are exercised with the customer that engaged us, not with HackZero. We will assist that customer as required by the Data Processing Addendum. See Section 3.5 and Section 13.


2. Scope of this policy

The Services are offered to businesses and organizations, and to individuals acting on their behalf; this policy nonetheless covers the personal data of individuals, such as account users and website visitors, that we process in connection with the Services.

This policy applies to:

  • visitors to hackzero.ai and the marketing surface of dashboard.hackzero.ai;
  • people who submit a contact or “talk to a security engineer” inquiry, or subscribe to our newsletter;
  • account holders and workspace administrators of the HackZero dashboard;
  • signers of a Rules of Engagement (“RoE”) or other contract;
  • billing contacts for paid subscriptions.

This policy is published at /legal/privacy and forms part of a single, versioned legal stack with our Terms of Service (/legal/terms), Cookie Policy (/legal/cookies), Acceptable Use Policy (/legal/acceptable-use), Data Processing Addendum (/legal/dpa), Subprocessor List (/legal/subprocessors), AI Transparency Notice (/legal/ai), Vulnerability Disclosure Policy (/legal/security), and Refund & Cancellation Policy (/legal/refunds). Defined terms used here (for example “Services”, “Account”, “Customer”) carry the meaning given in the Terms of Service.


3. Personal data we collect, sources, purposes, and legal bases

We collect only the personal data necessary for the purposes described, consistent with the data-minimization principles of PIPEDA Schedule 1, clause 4.4, LGPD Article 6(III), and Mexico’s Ley Federal de Protección de Datos Personales en Posesión de los Particulares (“LFPDPPP”).

Legal-basis legend. For individuals in regions applying GDPR-style or LGPD-style bases: CP = performance of a contract (GDPR Article 6(1)(b); LGPD Article 7(V)); LI = legitimate interests (GDPR Article 6(1)(f); LGPD Article 7(IX)); C = consent (GDPR Article 6(1)(a); LGPD Article 7(I)); LO = compliance with a legal obligation (GDPR Article 6(1)(c); LGPD Article 7(II)). For California and other US states, we process this data as a “business” under the applicable consumer-privacy statute (see Section 11). The EU is not a launch market today, so GDPR bases are stated as a forward-looking, conservative measure and do not assert EEA establishment.

3.1 Website visitors

| Data category | Source | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| IP address, user-agent, device and browser data | Automatic, at our content-delivery edge and servers | Serve the site, terminate TLS, protect against abuse and attacks (origin-lock, web application firewall) | LI (security and delivery) | Edge logs per our CDN subprocessor; application logs shipped to object storage are retained up to 12 months, and longer where needed to investigate an incident or meet a legal obligation |
| Pages viewed, referrer | Automatic | Understand site usage with privacy-friendly, first-party analytics | LI | Up to 12 months |
| Cookies and similar identifiers | Your browser | See Section 5 and the Cookie Policy (/legal/cookies) | C for any non-essential cookie | See /legal/cookies |
| Contact and “talk to a security engineer” submissions (name, email, company, message) | You provide | Respond to your inquiry and follow up about our Services | CP (pre-contract steps) and LI | Up to 24 months after our last interaction |
| Newsletter email | You provide (opt-in) | Send product and security updates | C | Until you unsubscribe |

Note on how inquiries reach us today: our public contact page currently uses an email link (to [email protected]) and our application page is handled without server-side storage on the website. Today, contact submissions reach us as email, processed through our transactional-email provider and our Google Workspace mailboxes, rather than stored in the product database. We will update this policy if and when a server-side form ships.

3.2 Account holders and workspace administrators

| Data category | Source | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Name, email | You, at signup | Create and operate your Account, authenticate you, send service notices | CP | Life of the Account; deleted on verified request |
| Hashed password | You | Authentication | CP | Life of the Account |
| Organization / workspace information: legal entity, address, jurisdiction, billing and signer contacts, optional tax or VAT identifier | You | Provision the workspace, contract, bill, and invoice | CP and LO (tax) | Life of the Account; tax records per statutory periods |
| Role | System or you | Authorization (role-based access control) | CP and LI | Life of the Account |
| Session data (server-side session and session cookie) | Automatic on login | Maintain your authenticated session | CP | Session lifetime per platform default (about two weeks) |
| Email-verification state | System | Account integrity | CP | Life of the Account |
| Multi-factor authentication / single sign-on identifiers | You (optional) | Stronger authentication | CP and C | Only if you enable these features |

We do not issue long-lived API tokens; authentication is session-based.

3.3 Signers (Rules of Engagement and contract signing)

| Data category | Source | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Typed legal name | The signer | Execute the RoE or contract | CP and LO (evidence of authorization) | Seven years (audit and signing records, for evidentiary purposes) |
| IP address, user-agent, timestamp | Automatic at signing | Non-repudiation and signing audit | LO and LI | Seven years |
| Hash-chained audit events | System | Tamper-evident proof of consent and authorization | LO and LI | Seven years |

3.4 Billing contacts

| Data category | Source | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Billing contact name, email, billing address, optional tax or VAT identifier | You | Subscription billing, invoicing, tax | CP and LO | Life of the Account plus statutory tax retention |
| Payment instrument (card) data | You enter directly with our payment processor | Process payment | CP | Stored by our payment processor, not by HackZero; we do not store full card numbers |
| Subscription, plan, tier, founding-cohort price-lock status, invoice records | System and payment processor | Billing, price-lock enforcement, accounting | CP and LO | Statutory accounting-retention periods |

3.5 End users incidentally observed during testing (customer data; HackZero is processor)

During an authorized engagement our autonomous agents operate against the customer’s live web application and read the customer’s source code through a read-only GitHub App. Personal data of the customer’s own users or staff may be incidentally present in that source code, configuration, production data, or in captured request and response artifacts (for example names, emails, identifiers, or tokens within a captured HTTP exchange).

For this category, the customer is the controller and HackZero is the processor. We process it solely to deliver the engagement, validate exploits, and produce findings and evidence, under instruction from the customer and the signed RoE and Data Processing Addendum (/legal/dpa). We do not use this data for our own purposes, and we do not use it to train AI models (see Section 4). Retention follows the engagement contract: customer source code is permanently destroyed within thirty (30) days of termination on request (or earlier), non-editable backups are purged within sixty (60) days after that destruction, and signing and audit logs are retained for seven (7) years. Customers on the Compliance and Enterprise tiers may run the Services inside their own virtual private cloud, in which mode this data does not leave the customer’s perimeter.


4. How we use AI and automated processing

Our product performs security testing using autonomous AI agents that plan, execute, and report on penetration tests with limited human direction. HackZero uses one or more enterprise-grade foundation models, provided by reputable third parties and/or operated by HackZero, to power its autonomous testing agents and to generate report narratives. HackZero selects, configures, and maintains these models, and the specific models and configurations may evolve over time as the technology matures. Whichever model is used, the data-protection and confidentiality commitments stated here apply. The details of how the agents operate, our no-training and zero-retention posture, our human-in-the-loop review, and our hallucination and false-positive disclaimers are set out in the AI Transparency Notice (/legal/ai). The points relevant to your personal data are summarized here.

4.1 Where AI processing touches personal data

  • Customer engagements. Our agents send target and scan context and source-code excerpts to one or more enterprise-grade foundation models, provided by reputable third parties and/or operated by HackZero, for inference. Any third-party model provider is a subprocessor (see Section 6 and /legal/subprocessors) configured for zero data retention and no model training on customer data. This is engagement data for which HackZero is a processor (Section 3.5).
  • Website and account data. We do not subject your website-visitor, account, signer, or billing data to AI-driven profiling or scoring.

4.2 No training on your data; service quality and evaluation

No training on your data. We do not use your Customer Data, source code, or findings to train or fine-tune foundation models, and we require any third-party model provider we engage to apply the same restriction. You retain ownership of your Inputs and of the findings and reports the Services generate for you.

Service quality and evaluation. We may process de-identified and aggregated information derived from use of the Services to operate, secure, evaluate, benchmark, and improve the quality, accuracy, and reliability of the Services, including our detection capabilities and our internal model and system evaluations. De-identified and aggregated information does not identify you, your organization, or any individual, and is not used to train third-party foundation models on your identifiable data. See /legal/ai and /legal/dpa.

4.3 Automated decision-making transparency

We do not make decisions about website visitors, account holders, signers, or billing contacts that produce legal or similarly significant effects and that are based solely on automated processing. Our AI agents produce security findings about a customer’s systems; they do not make automated eligibility, credit, employment, or comparable decisions about individuals.

If this changes, we will provide, in accordance with applicable law, the transparency and review rights those laws require, including:

  • Quebec (Law 25, Article 8.1). Where personal information is used to render a decision based exclusively on automated processing, we will inform the individual at or before the time of the decision; on request, disclose the personal information used and the principal factors and parameters that led to the decision; and advise the individual of the right to have the decision reviewed by a natural person and to submit observations.
  • GDPR-style regions (GDPR Article 22). We will provide meaningful information about the logic involved and the right to obtain human intervention, to express a point of view, and to contest the decision.
  • LGPD (Article 20). We will provide the right to request review of decisions taken solely on the basis of automated processing.
  • Mexico (LFPDPPP) and other LATAM regimes. We will honor the right to object to automated decision-making and profiling where granted.

To raise a question about automated processing, contact [email protected].


5. Cookies and similar technologies

We use a small number of cookies. We use strictly necessary cookies and privacy-friendly, first-party analytics that do not track you across other websites. We do not use third-party advertising cookies or cross-site tracking. The strictly necessary cookies are your authenticated session and cross-site-request-forgery protection, plus one functional cookie that tells the marketing site whether to show “Sign in” or “Go to dashboard”; that functional cookie carries no identifying information. Our content-delivery and security provider may set its own essential or security cookies at the network edge.

| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| session | Maintain your authenticated session | Strictly necessary | Session |
| CSRF / auth token | Cross-site-request-forgery protection and authentication | Strictly necessary | Up to 12 months |
| First-party analytics | Privacy-friendly site-usage measurement with no cross-site tracking | First-party analytics | Up to 12 months |

Where the law requires prior opt-in consent for non-essential cookies (including Brazil under the LGPD and the ANPD cookie guidance, Peru under Decreto Supremo 016-2024-JUS, and Quebec under Law 25, Article 9.1, which requires technology that identifies, locates, or profiles a person to be deactivated by default), we present a consent banner with granular controls and reject-all parity, and we honor recognized opt-out preference signals.

Full details, the cookie inventory table, and your controls are in the Cookie Policy at /legal/cookies.

Global Privacy Control. We treat a Global Privacy Control (GPC) browser signal as a valid request to opt out of any sale or sharing of personal information and of targeted advertising. We honor GPC for all visitors, everywhere we operate, whether or not the law that applies to you requires it.


6. How we share personal data and who our subprocessors are

We do not sell your personal data. We disclose personal data only as described here.

6.1 Service providers and subprocessors

We use vetted infrastructure and service providers (“subprocessors”) that process personal data on our behalf under contract, only for the purposes we specify. Our current subprocessors, their roles, the data categories they process, and their regions are listed and kept current at /legal/subprocessors. They include:

| Subprocessor | Role | Data categories | Region | Status |
|---|---|---|---|---|
| Fly.io, Inc. | Cloud compute and managed PostgreSQL hosting | All application, account, and product data | United States (San Jose, California) | In use |
| Tigris | Object storage (backups, shipped logs, contract PDFs, generated reports) | Backups, audit logs, signed contracts, reports | United States | In use |
| Cloudflare | DNS, CDN, TLS termination, web application firewall, origin-lock | Traffic metadata, IP, user-agent | Global edge network | In use |
| Enterprise foundation-model provider(s) | Model inference for autonomous agents and document narrative generation | Target and scan context, source excerpts | United States | In use |
| Resend | Transactional and confirmation email | Recipient email, message metadata | United States | In use |
| Google | OAuth sign-in (optional) and staff email | Email, profile (auth) | Global | In use (optional) |
| GitHub | Read-only GitHub App for source-code access | Repository contents the customer authorizes | Global | In use |
| Stripe | Payment processing and subscription billing | Billing contact and payment data | US (global) | Planned / launching |

Consistent with PIPEDA Schedule 1, clause 4.1.3, we remain accountable for personal data transferred to a subprocessor for processing.

6.2 Other disclosures

  • Within HackZero. To our personnel who need access to perform their roles.
  • Professional advisers. Lawyers, auditors, and accountants under confidentiality duties.
  • Corporate transactions. In a merger, acquisition, financing, or sale of assets, subject to this policy or a successor policy.
  • Legal and safety. To comply with law, valid legal process, or to protect the rights, safety, or property of HackZero, our customers, or others. We note that data hosted in the United States may be subject to access by US authorities under, for example, the CLOUD Act (18 U.S.C. § 2701 et seq.) and FISA Section 702 (50 U.S.C. § 1881a). See Section 7.

We do not disclose personal data for cross-context behavioral advertising, and we do not “sell” or “share” personal data as those terms are defined in California law (Cal. Civ. Code § 1798.140(ad), (ah)).


7. International data transfers

Our primary processing location is the United States (our host’s San Jose, California region). Because we serve customers and visitors in Canada and Latin America from US-based infrastructure, personal data is transferred to and processed in the United States. All HackZero infrastructure is hosted in the United States. We rely on the following safeguards and disclosures.

  • Transfer mechanism. For US and general transfers, we use Standard Contractual Clauses or the equivalent approved clauses for the relevant country with subprocessors and, where required, with our customers. Where we enter into the EU Standard Contractual Clauses, the governing law of those clauses is the law of Ireland, the competent supervisory authority is the Irish Data Protection Commission, and the Clause 17 (governing law) and Clause 18 (choice of forum and jurisdiction) options and the corresponding Annex selections designate Ireland accordingly.
  • Brazil (LGPD Articles 33 to 36). For transfers from Brazil to the United States, absent an ANPD adequacy decision, we rely on the Brazilian Standard Contractual Clauses adopted by ANPD Resolution CD/ANPD No. 19/2024 (controlling in Portuguese), mandatory since 23 August 2025. These clauses are adopted in their entirety and not contradicted by this policy.
  • Canada (PIPEDA and Alberta PIPA). We inform you that your personal information may be processed outside Canada, in the United States, and may be accessible to US law-enforcement or national-security authorities. On request, we will provide written information about our policies and practices for service providers outside Canada and identify the countries where processing occurs (Alberta PIPA, S.A. 2003, c. P-6.5, section 13.1). Contact [email protected].
  • Quebec (Law 25, Article 17). Before communicating personal information outside Quebec (which, under Article 17, includes the rest of Canada), we conduct a documented transfer-impact assessment weighing the sensitivity of the information, the purposes of use, the protection measures (including contractual measures), and the legal framework of the destination jurisdiction, including United States laws such as the CLOUD Act and FISA Section 702. We transfer only where that assessment establishes adequate protection, and the transfer is the subject of a written agreement.
  • Argentina (Ley 25.326, Article 12). The United States is not on Argentina’s adequacy list; we rely on model contractual clauses (Disposición 60/2016) or RIPD standard contractual clauses (Resolución 198/2023).
  • Colombia (Ley 1581/2012, Articles 26 to 27). We supplement the SIC adequacy framework with a written transfer agreement (Circular Externa 002/2022 and 001/2025).
  • Mexico (LFPDPPP, Articles 35 to 36). We disclose transfers in this notice and bind recipients by written instrument.
  • Chile and Peru. We rely on contractual safeguards; for Chile we will adopt the transfer mechanism required by Ley 21.719 when it takes effect on 1 December 2026.

Customers on the Compliance and Enterprise tiers may run the Services inside their own virtual private cloud, in which case customer data does not leave the customer’s perimeter and no HackZero-side cross-border transfer of that data occurs.


8. Data retention

We keep personal data only as long as necessary for the purposes in Section 3, then delete, erase, or anonymize it, consistent with PIPEDA Schedule 1, clause 4.5, and LGPD Article 16. The retention periods are stated in the tables in Section 3. In summary:

  • Account, organization, and role data: for the life of the account and a reasonable period afterward, then deleted or anonymized.
  • Signing and audit records: seven (7) years for evidentiary purposes.
  • Billing and tax records: for statutory accounting and tax-retention periods.
  • Customer engagement data (processor role): per the engagement contract (source code destroyed within 30 days of termination on request; non-editable backups purged within 60 days after destruction).
  • Newsletter email: until you unsubscribe.

Some records, in particular signing and audit records and tax records, may be retained, and may be exempt from deletion, where retention is required by law or for the establishment, exercise, or defense of legal claims.

Application and edge logs are retained up to 12 months, and longer where needed to investigate an incident or meet a legal obligation.


9. How we protect your data

We maintain technical and organizational measures appropriate to the sensitivity of the data, consistent with PIPEDA Schedule 1, clause 4.7, LGPD Article 46, and the security expectations of the US state privacy laws.

  • Encryption in transit. TLS 1.3 at every hop: your browser to our CDN, our CDN to our servers, and our application to our database. HSTS is enforced on public domains.
  • Encryption at rest. Database volumes are encrypted at rest, and backups, logs, contracts, and reports in object storage use per-object server-side encryption.
  • Access control. Authentication is session-based with HttpOnly, SameSite=Lax, Secure cookies; we issue no long-lived API tokens. Database access uses scram-sha-256 authentication. Administrative access is restricted to staff accounts.
  • Network isolation. The database is not exposed to the public internet (reachable only over a private network), and production traffic must pass through our origin-locked CDN.
  • Audit logging. Database role and schema changes are logged with timestamp and actor and shipped off-host within seconds to tamper-evident storage. Signing actions are recorded as hash-chained audit events.
  • Backups and recovery. Nightly backups, restore-tested weekly, with a measured recovery time of roughly three minutes.
  • Vendor security. We use vetted providers; our primary host publishes a SOC 2 Type II report.
  • AI safeguards. Our LLM provider is configured for zero data retention and no model training on your data.

Compliance program (status, stated honestly). Our SOC 2 Type II audit is in progress (technical controls live, pre-audit; no report issued yet), and an ISO/IEC 27001 audit is planned. HIPAA technical safeguards are in place and HIPAA is gated to the Compliance tier; business associate agreements and related policies are pending. We say “in progress” or “planned” and do not claim to be “certified” or “compliant” where an audit is not complete.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.


10. Data-subject and consumer rights (overview)

Depending on where you live, you have rights over your personal data. The jurisdiction-specific sections below (Sections 11 through 15) describe them in detail and how to exercise them. As a general matter, and as a conservative superset, we honor requests to access, correct, delete, port, restrict, and object to processing, and to withdraw consent.

Controller-versus-processor routing (read this first). For account holders, billing contacts, signers, and website visitors, HackZero is the controller and handles your request directly. For individuals whose data was incidentally observed during a security test (Section 3.5), HackZero is a processor; please direct your request to the customer that engaged us (the controller), and we will assist that customer as required by our Data Processing Addendum.

How to make a request. Email [email protected], or write to Agentic Security, Inc. (d/b/a HackZero), Attn: Privacy Officer, 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States. We will verify your identity before acting, route your request based on our role, fulfill it within the timeframe the applicable law requires, and log it. We will not discriminate against you for exercising your rights.

Response window. We respond within 30 days of a verified request, extendable by a further period where the law allows, with notice. Where a specific statute (for example California) prescribes a different timeline, that timeline controls and is stated in the relevant section below. We operate a documented data-export and erasure workflow to fulfill these requests.


11. United States state privacy rights

11.1 California (CCPA / CPRA)

This section applies to California residents and is provided under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 to 1798.199.100), and its regulations (11 C.C.R. §§ 7000 to 7304, effective 1 January 2026), and under CalOPPA (Cal. Bus. & Prof. Code §§ 22575 to 22579).

Categories of personal information we collect. In the preceding twelve months we have collected the following categories of personal information (as enumerated in Cal. Civ. Code § 1798.140(v)):

| CCPA category (§ 1798.140(v)) | Collected | Examples | Sources | Business purpose | Sold or shared? | Disclosed for a business purpose to |
|---|---|---|---|---|---|---|
| Identifiers | Yes | Name, email, IP address, account and online identifiers | You; automatic collection | Provide and secure the Services; communications; billing | No | Hosting, email, CDN, auth, and (for billing) payment subprocessors |
| Customer-records information (Cal. Civ. Code § 1798.80(e)) | Yes | Name, address, billing contact, tax or VAT id | You | Account provisioning, contracting, billing | No | Hosting and payment subprocessors |
| Commercial information | Yes | Subscription, plan, tier, invoice records | You; system | Billing, accounting, price-lock enforcement | No | Hosting and payment subprocessors |
| Internet or network activity | Yes | Pages viewed, referrer, device and browser data | Automatic | Site delivery, security, usage understanding | No | CDN and hosting subprocessors |
| Geolocation data | Coarse only (from IP) | Approximate region from IP | Automatic | Security and delivery | No | CDN and hosting subprocessors |
| Professional or employment information | Yes | Company, role | You | Sales follow-up, account roles | No | Hosting subprocessor |
| Audio, electronic, visual information | Limited | Contact-form message content; signing audit metadata | You; automatic at signing | Respond to inquiries; non-repudiation | No | Hosting and email subprocessors |
| Sensitive personal information (Cal. Civ. Code § 1798.140(ae)) | Limited: account log-in credentials | Account password (stored hashed) | You | Authentication only | No | Hosting subprocessor |
| Biometric information | No | N/A | N/A | N/A | No | N/A |
| Geolocation (precise) | No | N/A | N/A | N/A | No | N/A |
| Inferences | No | N/A | N/A | N/A | No | N/A |

Retention by category. For each category above, we retain the personal information for the period stated in the corresponding tables in Section 3 and summarized in Section 8, and no longer than reasonably necessary for the disclosed business purpose. We rely on that cross-reference to Sections 3 and 8 for per-category retention disclosure under 11 C.C.R. § 7011(e)(5).

We collect account log-in credentials, which can be sensitive personal information. We use this only to authenticate you and for no purpose requiring a right to limit under Cal. Civ. Code § 1798.121. We do not use or disclose sensitive personal information for purposes beyond those permitted by Cal. Civ. Code § 1798.121(a).

Sources of personal information: directly from you; automatically from your device and our infrastructure; and from our subprocessors (for example our payment processor, for billing confirmations).

No sale or sharing; no “Do Not Sell or Share” link required, but stated here. We do not sell personal information and we do not share it for cross-context behavioral advertising (Cal. Civ. Code §§ 1798.120, 1798.135). Because we do not sell or share, we are not required to post “Do Not Sell or Share My Personal Information” or “Limit the Use of My Sensitive Personal Information” links, and we state that here. We do not use or disclose sensitive personal information in a way that triggers the right to limit.

Global Privacy Control. We treat a Global Privacy Control (GPC) browser signal as a valid request to opt out of any sale or sharing of personal information and of targeted advertising. We honor GPC for all visitors, everywhere we operate, whether or not the law that applies to you requires it. We recognize GPC and other opt-out preference signals as required by 11 C.C.R. § 7025, and even though we do not currently sell or share, if our practices ever change so that we sell or share, such a signal will continue to be treated as a valid opt-out.

Do Not Track (CalOPPA). Some browsers send “Do Not Track” signals. Because there is no common standard for these signals, we do not respond to them differently at this time. We do not knowingly permit third parties to collect personally identifiable information about your online activities over time and across third-party websites when you use our site.

Your California rights. You have the right to: know and access the specific pieces and categories of personal information we collect, use, and disclose (Cal. Civ. Code §§ 1798.100, 1798.110, 1798.115); delete (§ 1798.105); correct inaccurate information (§ 1798.106); opt out of sale or sharing (§ 1798.120, not applicable as we do neither); limit the use of sensitive personal information (§ 1798.121, not applicable as described); data portability (§ 1798.130(a)(2)); and non-discrimination (§ 1798.125).

How to exercise your rights. Submit a request by email to [email protected] or by writing to the postal address in Section 1. These are our two designated request methods. We will acknowledge within ten (10) business days and respond to verifiable requests within forty-five (45) days, extendable once by a further forty-five (45) days (ninety total) with notice. We will honor opt-out and limit requests as soon as feasible and within fifteen (15) business days.

Authorized agent. You may use an authorized agent to submit a request. We may require the agent to provide written permission and may require you to verify your identity directly with us, as permitted by 11 C.C.R. § 7063.

Non-discrimination and financial incentives. We will not discriminate against you for exercising your rights, and we do not offer financial incentives in exchange for personal information.

Minors. We do not knowingly sell or share the personal information of consumers under sixteen (16) years old.

Metrics. We do not buy, receive, sell, or share the personal information of ten million (10,000,000) or more California consumers per year, so the metrics disclosure of 11 C.C.R. § 7102 does not apply.

11.2 Other US states (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and similar)

This section applies to residents of US states with comprehensive consumer-privacy laws, including Virginia (VCDPA, Va. Code §§ 59.1-575 to 59.1-585), Colorado (CPA, Colo. Rev. Stat. §§ 6-1-1301 to 6-1-1313), Connecticut (CTDPA, Conn. Gen. Stat. §§ 42-515 to 42-525), Utah (UCPA, Utah Code §§ 13-61-101 to 13-61-404), Texas (TDPSA, Tex. Bus. & Com. Code §§ 541.001 to 541.205), Oregon (OCPA, ORS 646A.570 to 646A.589), Montana (MCDPA, Mont. Code Ann. §§ 30-14-2801 et seq.), and other states with similar laws as they take effect. We draft to the strictest common denominator and note exceptions where they matter.

Your rights. Subject to the applicable state law and verification, you may: confirm whether we process your personal data and access it; correct inaccuracies (note: Utah and Iowa do not grant a correction right); delete; obtain a portable copy; and opt out of (a) targeted advertising, (b) the sale of personal data, and (c) profiling in furtherance of decisions that produce legal or similarly significant effects (Utah and Iowa do not provide a profiling opt-out). We do not sell personal data, conduct targeted advertising, or engage in such profiling.

Universal opt-out mechanism. In states that require it (Colorado, Connecticut, Texas, Oregon, Montana, and others on their schedules), we honor a recognized universal opt-out mechanism, such as the Global Privacy Control, as an opt-out of targeted advertising and sale. Utah and Iowa do not require this mechanism.

Sensitive data. Where required (Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and similar states), we obtain opt-in consent before processing sensitive data; in Utah and Iowa we provide notice and the ability to opt out. We process the limited category of sensitive data described in Section 11.1 (account credentials) only to authenticate you.

Right to appeal. If we decline to act on your request, you may appeal by replying to our decision or by emailing [email protected] with the subject line “Privacy Appeal”. We will respond to an appeal within the period your state’s law allows (generally forty-five (45) to sixty (60) days). If we deny your appeal, you may contact your state Attorney General. (Utah does not provide an appeal right.)

How to exercise. Email [email protected] or write to the address in Section 1.


12. Canada (PIPEDA and Quebec Law 25)

12.1 PIPEDA (all of Canada)

This section applies to individuals in Canada under PIPEDA. We address the ten fair-information principles in Schedule 1: accountability (we have a designated Privacy Officer, Section 1.2); identifying purposes (Section 3); consent (Section 3 and below); limiting collection (Section 3); limiting use, disclosure, and retention (Sections 6 and 8); accuracy (we keep personal information accurate for its purpose); safeguards (Section 9); openness (this published policy); individual access (below); and challenging compliance (below).

Consent. We rely on express consent for sensitive information and for our newsletter, and on implied consent where appropriate and reasonably expected for the purposes described. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, by contacting [email protected]; withdrawing consent may affect our ability to provide some Services.

Access and correction. You have the right to access the personal information we hold about you and to request correction. Contact [email protected].

Cross-border processing. Your personal information is processed in the United States and may be accessible to US authorities (Section 7). We remain accountable for it.

Challenging compliance and complaint. You may complain to our Privacy Officer at [email protected]. If you are not satisfied, you may complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca; 30 Victoria Street, Gatineau, Quebec K1A 1H3). Residents of Alberta and British Columbia may also contact their provincial commissioner (OIPC-AB; OIPC-BC).

12.2 Quebec (Law 25)

This section applies to individuals in Quebec under the Act respecting the protection of personal information in the private sector, CQLR c. P-39.1, as amended by S.Q. 2021, c. 25 (“Law 25”). It supplements Section 12.1.

  • Person in charge (Article 3.1). Our Privacy Officer is the person in charge of the protection of personal information; contact is in Section 1.2.
  • Privacy by default (Article 9.1). Technology that allows you to be identified, located, or profiled is deactivated by default; we inform you of the means to activate such functions. See Section 5 and /legal/cookies.
  • Consent (Articles 12, 14, 21 to 22). Consent is manifest, free, enlightened, and given for specific purposes; we obtain express consent for sensitive personal information.
  • Automated decision-making (Article 8.1). See Section 4.3.
  • Data portability (Article 27). On request, we will provide the computerized personal information we have collected from you in a structured, commonly used technological format, and where requested and technically feasible, transmit it to a designated third party.
  • Access, rectification, withdrawal, de-indexing. You may access, rectify, and request that we cease disseminating personal information or de-index it where the law permits.
  • Complaint. You may complain to our Privacy Officer and to the Commission d’accès à l’information du Québec (cai.gouv.qc.ca).

Quebec-facing documents are provided in French in accordance with the Charter of the French Language (Bill 96); on request we provide this policy in French to Quebec consumers.


13. Mexico (LFPDPPP)

This section is the aviso de privacidad for individuals in Mexico under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (in force 21 March 2025) and applicable guidance, as administered by the competent successor authority. We follow the Lineamientos del Aviso de Privacidad and any superseding regulation as they apply.

  • Responsable. Agentic Security, Inc. (d/b/a HackZero), with the domicile in Section 1.
  • Data and purposes. We process the personal data and for the purposes in Section 3. Primary (necessary) purposes are providing and securing the Services, contracting, and billing. Any secondary purpose (for example our newsletter) is offered with an opt-out.
  • Sensitive data. We process limited sensitive data (account credentials) only to authenticate you.
  • ARCO rights and revocation. You have the rights of Acceso (Article 22), Rectificación (Article 23), Cancelación (Article 24), and Oposición, together with the right to revoke your consent and to object to automated decision-making and profiling. To exercise these rights or to limit the use or disclosure of your data, send a request to [email protected] stating your name, the right you wish to exercise, and the relevant data. We will respond within the statutory period.
  • Transfers. See Section 7. We bind recipients by written instrument. Where a transfer requires your consent under the LFPDPPP, we make that transfer only with your consent, unless one of the exceptions in Article 36 applies (for example, transfers necessary to perform a contract in your interest, transfers required by law or for the recognition, exercise, or defense of a right in a proceeding, or transfers between affiliates operating under the same internal policies).
  • Changes. We will inform you of changes to this notice as described in Section 17.

This notice is the integral version; a short or simplified version may point here. The Spanish-language version controls for Mexican consumers and is available on request.


14. Brazil (LGPD)

This section applies to individuals in Brazil under the LGPD (Lei nº 13.709/2018).

  • Controlador and Encarregado. Agentic Security, Inc. (d/b/a HackZero) is the controller; our Encarregado’s contact is in Section 1.3.
  • Legal bases (Article 7). We rely on: consent (Article 7(I)); compliance with a legal or regulatory obligation (Article 7(II)); execution of a contract or preliminary procedures (Article 7(V)); regular exercise of rights in proceedings (Article 7(VI)); and the legitimate interests of the controller or a third party (Article 7(IX)). Sensitive data, if any, is processed under Article 11.
  • Your rights (Article 18). Confirmation of processing; access; correction; anonymization, blocking, or deletion of unnecessary or non-conforming data; portability; deletion of data processed on the basis of consent; information about sharing; information about the consequences of refusing consent; revocation of consent; and the right to object to processing carried out on a basis other than consent. You may also request review of decisions based solely on automated processing (Article 20).
  • How to exercise. Email [email protected].
  • Transfers. See Section 7. We rely on the Brazilian Standard Contractual Clauses (Resolução CD/ANPD nº 19/2024).
  • Breach notification. We notify the ANPD and affected data subjects within the timeframes set by ANPD guidance (see Section 16).
  • Regulator. You may contact the Autoridade Nacional de Proteção de Dados (ANPD; gov.br/anpd).

The Portuguese-language version controls for Brazilian data subjects and is available on request.


15. Argentina, Colombia, Chile, and Peru

Individuals in these countries have rights analogous to ARCO (access, rectification, cancellation, opposition) and the constitutional right of habeas data, which cannot be waived or contracted away. To exercise any right, email [email protected].

  • Argentina (Ley 25.326). Rights of information, access (Article 14, free of charge at intervals not exceeding six months), rectification, update, and suppression (Articles 16 to 17). The regulator is the Agencia de Acceso a la Información Pública (AAIP). Transfers rely on Disposición 60/2016 or RIPD clauses (Section 7).
  • Colombia (Ley 1581/2012 and Decreto 1377/2013). Rights to know, update, rectify, delete, revoke authorization, request proof of authorization, and complain. Our política de tratamiento and aviso de privacidad are reflected in this policy. Database validity period (período de vigencia de la base de datos; Decreto 1377/2013, Article 13): the database remains in force for as long as necessary to fulfill the purposes in Section 3 and to meet our legal, accounting, and evidentiary retention obligations (see Section 8); personal data is then deleted or anonymized. The regulator is the Superintendencia de Industria y Comercio (SIC), and these rights are enforceable by acción de tutela (Article 15, Constitution). Transfers are made per Section 7.
  • Chile (Ley 19.628; Ley 21.719 from 1 December 2026). Rights of access, rectification, and deletion or blocking today; from 1 December 2026, expanded rights including opposition, portability, and objection to automated decisions, with a new Agencia de Protección de Datos Personales (APDP) and statutory transfer mechanisms. We will upgrade this policy accordingly.
  • Peru (Ley 29733 and Decreto Supremo 016-2024-JUS, in force 30 March 2025). Note: this law applies extraterritorially to providers outside Peru that offer services to or monitor individuals in Peru, so it directly regulates our processing of Peruvian users’ data. Rights of access, rectification, suppression or cancellation, opposition, and objection to automated decisions and profiling. The regulator is the Autoridad Nacional de Protección de Datos Personales (ANPDP), within MINJUS. Breaches are notified to the ANPDP within forty-eight (48) hours (Section 16).

Where a local database registration is required (for example, with the AAIP in Argentina, the RNBD in Colombia, or the RNPDP in Peru), HackZero complies with that requirement. The Spanish-language versions control for these consumers.


16. Data-breach notification

If we determine that a security breach affecting personal data for which we are the controller has created a risk requiring notification under applicable law, we will notify affected individuals and the relevant regulators in accordance with that law, including the following representative timelines:

  • United States. As required by the applicable state breach-notification statute, without unreasonable delay.
  • PIPEDA (Canada). Where a breach of security safeguards creates a real risk of significant harm, we report to the Office of the Privacy Commissioner of Canada and notify affected individuals “as soon as feasible” (PIPEDA sections 10.1 to 10.3), and we keep a record of breaches for twenty-four (24) months.
  • Quebec (Law 25). Where a confidentiality incident presents a risk of serious injury, we notify the Commission d’accès à l’information du Québec and affected individuals “with diligence” (Articles 3.5 to 3.7), and we keep a register of incidents for five (5) years (Article 3.8).
  • Alberta PIPA. We report a real-risk-of-significant-harm breach to the OIPC-AB without unreasonable delay (section 34.1).
  • Brazil (LGPD). We notify the ANPD and affected data subjects within the timeframe set by ANPD guidance (Resolução CD/ANPD nº 15/2024 contemplates an initial notice within three (3) business days, supplemented within twenty (20) business days).
  • Peru. We notify the ANPDP within forty-eight (48) hours of becoming aware of a qualifying breach, and affected individuals where the risk is high.

Where HackZero is a processor (Section 3.5), we notify the customer (the controller) without undue delay and in any event within 72 hours of becoming aware, so the customer can meet its own obligations, as set out in the Data Processing Addendum (/legal/dpa).


17. Children

The Services are intended for businesses and are not directed to children. We do not direct the Services to, or knowingly collect personal data from, children under sixteen (16) (and under eighteen (18) where local law treats minors below that age as children). Consistent with the US Children’s Online Privacy Protection Act (15 U.S.C. §§ 6501 to 6506; 16 C.F.R. Part 312), we do not knowingly collect personal information from children under thirteen (13). In Colombia, Brazil, Mexico, and other LATAM jurisdictions, processing a child’s data requires the consent of a parent or guardian; we do not knowingly engage in such processing. If we learn that we have collected personal data from a child without the required consent, we will delete it. If you believe a child has provided us personal data, contact [email protected].


18. Changes to this policy

We may update this policy. We will revise the “Last updated” date above and, for material changes, provide advance notice by email or in-product notice with a stated effective date. We review this policy at least every twelve (12) months, as required by Cal. Civ. Code § 1798.130(a)(5), and we keep prior versions available on request. Your continued use of the Services after a change takes effect indicates your acceptance of the updated policy, except where additional or fresh consent is required by law (in which case we will obtain it).


19. How to reach us

For any privacy question, request, or complaint:

  • Email: [email protected]
  • Privacy Officer / DPO: our Privacy Officer, who can be reached at [email protected]
  • Postal: Agentic Security, Inc., a Delaware corporation, doing business as HackZero, Attn: Privacy Officer, 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States
  • Copyright Agent (DMCA): Copyright Agent, Agentic Security, Inc., 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States, [email protected].

Related documents: Terms of Service (/legal/terms) · Cookie Policy (/legal/cookies) · Acceptable Use Policy (/legal/acceptable-use) · Data Processing Addendum (/legal/dpa) · Subprocessor List (/legal/subprocessors) · AI Transparency Notice (/legal/ai) · Vulnerability Disclosure Policy (/legal/security) · Refund & Cancellation Policy (/legal/refunds).

© 2026 HackZero. All rights reserved.