Privacy Policy
Your Data. Your Control.
We built Hawkra for security professionals, the kind of people who actually read privacy policies. So we wrote one worth reading. No legalese, no buried clauses, just a clear accounting of what we collect and why.
Effective: February 24, 2026
No analytics, no pixels, no fingerprinting. We never monitor what you do on the platform.
Every workspace is isolated with its own AES-256-GCM encryption key.
Your vulnerability data is yours. No advertising, no data brokers, no third-party monetization.
Who We Are
Hawkra is a vulnerability management and penetration testing platform operated by ReconhawkLabs LLC, based in Richmond, Kentucky. This policy covers the cloud-hosted (SaaS) version of Hawkra. If you deploy Hawkra on your own infrastructure, your data never touches our servers and this policy does not apply to that deployment.
What We Collect
We collect only what the platform needs to function. Here is a complete accounting.
| Category | Data | Purpose |
|---|---|---|
| Account | Email address, display name, password (hashed with Argon2; we never store or see your plaintext password) | Authentication and account management |
| Authentication | Session tokens stored in HTTP-only cookies (not accessible to JavaScript) | Maintaining your logged-in session |
| Workspace Data | Networks, assets, vulnerabilities, notes, credentials, files, compliance responses | Core platform functionality. This is what you're here for. Sensitive fields are encrypted per-workspace. |
| Billing | Stripe customer ID, subscription status, plan type. We never see or store your payment card number. Stripe handles that entirely. | Payment processing (SaaS mode only) |
| Audit Logs | Actions performed, resource identifiers, IP address, timestamps | Security accountability and your workspace audit trail |
| Chat & AI | Messages you send, AI responses, workspace context you select for AI analysis | Team collaboration and AI-assisted analysis |
| Usage Metrics | Workspace count, asset count, storage used, API call count | Enforcing account quotas and plan limits |
Legal Basis for Processing
Under the EU General Data Protection Regulation (GDPR), we are required to identify a lawful basis for each category of data processing. Here is how each activity is justified.
| Processing Activity | Lawful Basis |
|---|---|
| Account creation & authentication | Performance of a contract (Art. 6(1)(b)) — necessary to provide the service you signed up for |
| Workspace data management | Performance of a contract (Art. 6(1)(b)) — core service delivery |
| Payment processing via Stripe | Performance of a contract (Art. 6(1)(b)) — necessary to fulfill your subscription |
| AI vulnerability analysis | Performance of a contract (Art. 6(1)(b)) — a core feature of the platform you chose to use |
| OSINT lookups (Shodan, HIBP, GeoIP) | Performance of a contract (Art. 6(1)(b)) — on-demand features initiated by you |
| Transactional emails (verification, MFA, password reset) | Performance of a contract (Art. 6(1)(b)) — necessary service communications |
| Audit logging (actions, IP addresses) | Legitimate interest (Art. 6(1)(f)) — security monitoring, fraud prevention, and regulatory compliance |
| Contact form processing | Legitimate interest (Art. 6(1)(f)) — responding to your inquiry |
We do not rely on consent as the basis for any core service processing. This means we will not ask you to consent to data processing that is necessary to deliver the service. Where we rely on legitimate interest, we have conducted a balancing assessment to ensure our interests do not override your rights.
What We Don't Collect
This is the section most privacy policies leave out. We think it matters more than what we do collect.
No Analytics
No Google Analytics, no Mixpanel, no Amplitude, no tracking pixels of any kind.
No Fingerprinting
No browser fingerprinting, no canvas fingerprinting, no advertising identifiers. MFA device trust uses a random token, not device identification.
No Tracking Cookies
All of our cookies are functional and required for secure operation. There are no third-party tracking cookies.
No Telemetry
No usage pattern collection beyond the quota metrics listed above.
No Device Metadata
We do not collect or store browser versions, operating systems, or hardware details. IP addresses are logged only in audit trails for security accountability.
Hardware Access Disabled
Camera, microphone, and geolocation are explicitly disabled via HTTP Permissions-Policy headers.
Cookies
Hawkra uses a small number of cookies, all functional and required for secure operation. None are used for tracking. One additional cookie is set only if you opt in to the "Remember this device" option during multi-factor authentication.
- Session cookie - Your session token. HTTP-only (JavaScript cannot read it), Secure flag (HTTPS only), expires after 1 hour.
- Refresh cookie - Renews your session without re-entering your password. HTTP-only, Secure, expires after 7 days.
- CSRF cookie - Prevents cross-site request forgery attacks. This is the only cookie readable by JavaScript, by design.
- MFA device trust cookie - Optional. Set only when you choose "Remember this device" during multi-factor authentication. Contains a random token (not device fingerprinting data) so you can skip the MFA challenge on future logins. HTTP-only, Secure, expires based on your administrator's configuration.
There is no cookie consent banner because all cookies are functional. The MFA device trust cookie is only created when you explicitly choose to remember your device.
Third-Party Services
Some data is sent to external services when you explicitly initiate an action. Additionally, the platform runs a daily background scheduler that contacts public security intelligence sources to keep vulnerability data current.
- Stripe - When you subscribe to a paid plan, we send your email address and plan selection to Stripe for payment processing. Stripe handles all card data directly and your payment information never passes through our servers.
- AI Assistant - When you use the AI analysis feature, the workspace context you select (assets, vulnerabilities, notes) is sent to Google Gemini for processing. Only what you explicitly select is transmitted. Your account information, credentials, and other workspaces are never included. Self-hosted deployments can use a local language model with zero external data transmission.
- OSINT Lookups - When you run a lookup, the query you enter (an email address, IP address, or domain) is sent to the relevant service: Have I Been Pwned, Shodan, or a GeoIP provider. These are on-demand queries that only fire when you click the button.
- Vulnerability Intelligence (Background) - A daily background scheduler contacts public security intelligence sources — the National Vulnerability Database (NVD), CISA Known Exploited Vulnerabilities catalog, FIRST Exploit Prediction Scoring System (EPSS), and MITRE ATT&CK — to keep vulnerability data current. No personal data is transmitted in these requests.
- Brave Search (Background) - The daily background scheduler uses Brave Search to enrich threat intelligence data. No personal data is included in these queries.
International Data Transfers
ReconhawkLabs LLC is based in the United States. If you use Hawkra from outside the US, your personal data is transferred to and processed in the United States.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following safeguards for these transfers:
- Standard Contractual Clauses (SCCs) - We use the European Commission's 2021 Standard Contractual Clauses with our third-party processors to ensure your data receives an adequate level of protection when transferred outside the EEA.
- Encryption as a supplementary measure - Sensitive data is encrypted with AES-256-GCM before storage. Even in the event of unauthorized access to the underlying infrastructure, encrypted data remains unintelligible without the workspace-specific decryption keys.
- Processor agreements - All third-party services that process personal data on our behalf (Stripe, Google Gemini, OSINT providers) are bound by data processing agreements that include transfer safeguards.
Self-hosted deployments are not affected by this section. Your data stays on your own infrastructure in the region you choose.
How We Protect Your Data
Security is not a feature we bolted on. It is how the platform is built.
- Per-workspace encryption - Every workspace has its own unique encryption key. Sensitive data (credentials, notes, compliance responses, uploaded files) is encrypted with AES-256-GCM before it reaches the database. Workspaces are cryptographically isolated from each other.
- Encryption in transit - All connections use TLS. The platform enforces HTTPS in production.
- Password security - Passwords are hashed with Argon2 using OWASP-recommended parameters. We enforce a minimum length of 10 characters across 3 of 4 character classes, and check against a common password blocklist.
- Multi-factor authentication - Optional MFA via authenticator app (TOTP) or email verification. When enabled, you can choose to remember trusted devices using a secure random token stored in a cookie, so you are not prompted on every login.
- Access control - Every API request verifies workspace membership and role permissions. Four workspace roles (Owner, Editor, Remediation Analyst, Viewer) enforce least-privilege access.
- Rate limiting - All endpoints are rate-limited to prevent brute force and abuse.
- Security headers - Content Security Policy, X-Frame-Options, HSTS, Referrer-Policy, and Permissions-Policy headers are applied to every response.
Data Retention
We retain your data only as long as necessary for the purposes described in this policy. Below are the specific retention periods for each category.
- Account data - Retained for the lifetime of your active account. Upon account deletion, your account and associated data are permanently removed immediately.
- Workspace data - Retained until you delete the workspace. Deletion permanently removes all associated data including encrypted fields and files immediately.
- Audit logs - Retained for the lifetime of the workspace. When a workspace is deleted, all associated audit log entries are permanently removed.
- Payment records - Stripe customer and subscription IDs are retained for the lifetime of your subscription. Stripe retains payment data per its own retention policies.
- Rate limiting data - Held in memory only during operation. Not persisted to any database and lost on server restart.
- Contact form submissions - Forwarded to our support email. Not stored in any database.
You can delete your account through your account settings. Deletion is permanent and immediate.
Your Rights
Regardless of your jurisdiction, you have the right to:
- Access - Request a copy of all data we hold about you
- Correction - Update or correct inaccurate information
- Deletion - Request that we delete your account and associated data
- Export - Download your workspace data in CSV format. This is built into the platform and does not require a request.
- Objection - Object to specific processing of your data
- Complaint - If you are in the EEA, you have the right to lodge a complaint with your national data protection supervisory authority if you believe your data has been processed in violation of applicable law
To exercise any of these rights, contact us at contact@reconhawklabs.com. We will respond within 30 days.
Self-Hosted Deployments
If you deploy Hawkra on your own infrastructure using our self-hosted option, none of your data passes through our servers. You control the database, file storage, encryption keys, and all configuration. You are the data controller, and this privacy policy does not govern your deployment.
Changes to This Policy
When we update this policy, we will revise the effective date at the top and, for material changes, notify you via the email address on your account. We will not reduce your rights under this policy without your explicit consent.
Contact
If you have questions about this policy or how your data is handled:
ReconhawkLabs LLC
Richmond, Kentucky