Introduction

Oryon is the trade name under which the security products and services developed by VULNSCAN TECH SL are offered. In this policy, references to Oryon include the company, the platform, the website, and the related services.

This Privacy Policy describes our practices regarding the collection and use of personal data and summarizes the rights you can exercise as a data subject.

We understand privacy as an ongoing responsibility. For that reason, we may update this policy when our practices, products, or the applicable regulations change.

As a company with roots in the European Union, we use the General Data Protection Regulation (GDPR) as the primary reference for our privacy program. Where relevant, we also take into account other regulatory frameworks applicable in the markets where we operate.

Privacy contact channel

By email: support@oryontechnology.com

VULNSCAN TECH SL is based in Madrid, Spain. If you have questions about this policy or about how we process personal data, you can contact us through our privacy channel.

If you wish to exercise your rights or send us an inquiry related to data protection, you can write to us through the following contact channel.

How we collect and use your personal information

Depending on the product or channel you use, Oryon may process data from website visitors, leads, customers, authorized dashboard users, workspace administrators, invited members, and extension or API users. The main categories of data processed may include:

Account and authentication data: email address, name, avatar, user identifiers, access provider, credentials managed by Oryon where applicable, and data associated with password login, magic link, Google OAuth, or SSO.
Workspace and organization data: workspace or company name, roles, memberships, invitations, verified domains, seats, and authorized users.
Service and security data: projects, linked repositories, scan identifiers, findings, dependency vulnerabilities, suppressions, remediation states, audit data, technical logs, and security events.
Technical analysis data: file paths, technical messages, hashes, operational metadata, and, where applicable, code snippets or the minimum context needed for synchronization, triage, enrichment, or AI features.
Commercial, support, and contact data: company, role, business phone number if you provide it, messages, demo requests, support emails, and any other information you choose to share with us.
Billing and subscription data: subscribed plan, billing interval, subscription status, customer or subscription identifiers generated by the payment provider, and minimum data associated with charges or the billing portal.

We use this data to create and manage accounts, authenticate users, operate the dashboard, allow access to workspaces, provide support, manage subscriptions, protect the security of the service, and enable the use of the extension, APIs, and available integrations.

When you use analysis, synchronization, or AI features, Oryon may process security results, findings, dependency vulnerabilities, technical metadata, and limited code fragments or context to the extent necessary to provide those features.

Some information may be obtained directly from you, from other members or administrators of the workspace, from identity providers, from payment providers, or from integrations and systems that you choose to connect or use.

Oryon does not sell personal data and does not use customer data for purposes unrelated to the provision, security, improvement, and reasonable administration of the Services.

Legal bases for processing

We process personal data where necessary to perform a contract or to take pre-contractual steps requested by the user or the customer, for example to create accounts, operate workspaces, provide the service, handle support, enable contracted features, and manage subscriptions.

We also process data on the basis of our legitimate interests to protect platform security, prevent fraud or abuse, maintain technical and audit records, diagnose incidents, improve the product, and manage B2B commercial relationships compatible with our activity.

Where required by law, we rely on consent for certain processing activities, such as non-essential cookies or analytics on the website, as well as optional processing that the user chooses to activate.

We may also process data to comply with applicable legal obligations, including tax, accounting, security, cooperation with authorities, or evidence preservation requirements.

Privacy roles and responsibilities

Oryon acts as controller for data related to the public website, B2B marketing, account management, authentication, security, abuse prevention, billing, contractual relationship, and general support.

In relation to certain customer data processed within the service, such as snippets, findings, technical metadata, scan results, or information synchronized by authorized users, Oryon may act as a processor or service provider on behalf of the customer, depending on the case and the applicable contractual documentation.

The customer or workspace administrator is responsible for having a valid legal basis, instructions, and permissions to upload, synchronize, or otherwise have Oryon process repositories, snippets, findings, vulnerabilities, user invitations, and other data from its organization.

Use of the website and the platform

The public website may collect browsing information and technical browser or device context, as well as data linked to the contact form, cookie consent, and, if the user accepts it, analytics about website usage.

The dashboard and web app may process session, workspace, authentication, role, operating history, technical log, basic interface preference, and browser storage data that is strictly necessary for the application to function securely.

The extension, APIs, and synchronization flows may send Oryon analysis results, dependency vulnerabilities, operational metadata, and limited code fragments or context where necessary for synchronization, triage, enrichment, guided remediation, support, or AI features.

We use this information to operate, secure, maintain, and improve the service, prevent abuse, scale product and support, and provide a coherent experience across the public website, dashboard, extension, and integrations.

Cookies and tracking technologies

Oryon uses cookies and similar technologies for website operation, security, performance measurement, and, where applicable, personalization of the experience.

You can find more information about the cookies we use and how to accept or reject them in the Cookie Policy available on the website.

Sharing information with third parties

We may share personal data with providers that help us operate the service, such as infrastructure and hosting providers, storage, email, support, security, authentication, payment, analytics, and, where applicable, AI providers or integrations activated by the customer.

In the current setup and depending on the features used, this may include identity and authentication providers such as Google or SSO operators, payment and billing providers such as Stripe, and AI providers when the customer or authorized user uses AI-assisted features.

These third parties should only access data to the extent necessary to provide their services, under our instructions or the applicable contractual relationship, and may not use it for purposes incompatible with applicable law.

Oryon may also disclose data when the user requests it, when necessary to perform the service or an integration, when there is a legal obligation, or when we need to protect rights, security, property, or respond to incidents, claims, or competent authorities.

The website may include links to third-party services such as LinkedIn, YouTube, or Instagram. If you interact with those services, we recommend reviewing their own privacy policies.

Data transfers outside the EEA

Some of our providers or collaborators may process personal data outside the European Economic Area or allow remote access from third countries. This may occur, for example, in identity, payment, cloud, or AI services.

Where there is an international transfer, Oryon will seek to rely on valid mechanisms under applicable law, such as adequacy decisions, standard contractual clauses, or other appropriate safeguards.

Where the transfer is linked to the use of a service requested by the customer or authorized user, we may also rely on the performance of the contract, customer instructions, or another valid legal basis under the GDPR where applicable.

Data subject rights

GDPR and other privacy laws grant data subjects a number of rights in relation to their personal data, including:

the right to be informed
the right of access
the right to rectification
the right to erasure
the right to restrict processing
the right to data portability
the right to object
rights related to automated decision-making and profiling, where applicable

This policy is intended to explain what data we process and how we use it.

If you wish to confirm whether Oryon processes your data, access it, rectify it, erase it, or restrict its processing, you can contact us.

You may also request information about the purposes of processing, the categories of data, the recipients, the source of the data when it was not obtained directly from you, and the applicable retention periods.

If you believe that the processing is not appropriate, you may file a complaint with the competent supervisory authority, including the Spanish Data Protection Agency (AEPD) where applicable.

Data retention and storage

We retain account, authentication, and workspace data while the relationship with the user or customer remains active and for the additional time needed to manage incidents, security, service continuity, contractual obligations, or pending offboarding.

Subscription, billing, invoicing, and support data may be kept for the periods required by tax, accounting, commercial, or claims-defense laws.

Technical, security, audit, authentication, abuse, or fraud records are kept for as long as reasonably necessary to investigate incidents, demonstrate actions taken, protect the platform, and comply with legal or security obligations.

Findings, dependency vulnerabilities, suppressions, technical metadata, and other service operating data are retained for as long as necessary to provide the contracted functionality, maintain operating history, restore service, comply with backups, or follow customer instructions, unless the law requires a different period.

Where we act on behalf of a customer as processor, the retention of certain data may also depend on what has been contractually agreed with that customer and on its valid instructions.

If you need more detail about where your data is stored or for how long, you can write to us at support@oryontechnology.com.

Children's data

Oryon does not intentionally direct its services to minors or knowingly seek to collect personal data from minors.

If we detect that data from a minor has been provided to us without an adequate legal basis, we will take reasonable steps to delete or block it.

Changes to this policy

We may update this privacy policy to reflect changes in our practices, our services, or the applicable law.

When the change is significant, we will take reasonable steps to communicate it through the website or through other appropriate channels.

The last updated date indicates the time of the most recent revision of this policy.

Questions, concerns, or complaints

By email: support@oryontechnology.com

If you have questions, concerns, complaints, or wish to exercise your data protection rights, you can contact Oryon through: