Privacy Policy

Last Updated: April 7, 2026

1. Introduction

Phantava ("Company," "we," "us") operates the Phantava platform. This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service. It should be read alongside our Terms & Conditions, which govern your use of the Service including our autonomous AI Assessment feature and Terminal environment.

2. Information We Collect

Account Information

  • Email address and display name
  • Authentication credentials (passwords are stored as hashes; API keys and other stored credentials are encrypted)
  • Team membership and role information
  • Profile data (title, avatar)

Assessment Data

  • Target scope definitions (IP addresses, domains, URLs)
  • Assessment configurations and credentials you provide
  • Vulnerability findings and security reports
  • Tool output and terminal session history
  • Screenshots and evidence artifacts captured during assessments (see Evidence Artifacts below for detail)

Autonomous AI Agent Activity

Because Phantava's Assessment feature operates without human intervention, additional data is generated and logged during execution:

  • AI agent decision logs — records of the actions, reasoning steps, and tool invocations made by the AI agent during an Assessment
  • Target-derived content — data retrieved from target systems during testing, including HTTP responses, page content, API output, and error messages. This content may contain information originating from the target environment that we do not control
  • Prompt injection artifacts — in instances where adversarial content in a target system influences AI behavior, those interactions may be logged for security and diagnostic purposes
  • Assessment lifecycle events — start time, stop time, scope, and completion status of each Assessment

Terminal Session Data

When using the Terminal, interactions between you and the AI are logged, including user inputs, AI responses, and any tool invocations made during the session.

Evidence Artifacts

Assessments and Terminal sessions may generate evidence artifacts, including:

  • Raw HTTP request and response captures
  • Payload data generated or used during testing
  • Network traffic samples
  • Screenshots and annotated images
  • Exported findings and report files

These artifacts are stored encrypted and linked to your account and Assessment record.

Usage Data

  • Login history (IP address, browser user-agent, geolocation)
  • Feature usage patterns and session activity
  • Error logs and diagnostic information

Knowledge Base Content

  • Documents you upload for RAG-based retrieval
  • Custom prompts and report templates

3. How We Use Your Information

  • To provide and operate the Service, including powering autonomous AI Assessments and Terminal sessions
  • To authenticate your identity and manage access
  • To process AI-assisted security assessments and generate findings
  • To log and audit AI agent activity for transparency, debugging, and accountability
  • To generate reports and security findings
  • To improve the Service and develop new features
  • To communicate with you about your account
  • To enforce our Terms & Conditions and prevent abuse
  • To investigate and respond to potential unauthorized use, scope violations, or incidents

4. AI Model Training Policy

Phantava does not use your assessment data, findings, evidence artifacts, custom prompts, uploaded documents, or Terminal session history to train AI models without your explicit opt-in consent.

Default LLM provider integrations (see Section 5) are governed by those providers' own data usage and retention policies. Where supported, Phantava uses zero-retention API configurations to minimize data persistence at the provider level. A current list of LLM providers and their applicable data handling policies is maintained at [privacy policy link / docs page].

If you participate in any voluntary data contribution or model improvement program, we will obtain separate, explicit consent at the time of opt-in, and you may withdraw that consent at any time by contacting privacy@phantava.com.

5. Third-Party Services

The Service integrates with third-party providers as configured by your team. The nature of autonomous AI-driven security testing means that data — including target-derived content — may flow through these integrations during Assessment execution.

LLM Providers (e.g., OpenAI, Anthropic, Google)

Assessment conversations, tool outputs, and target-derived content retrieved during Assessments may be sent to your configured LLM provider for AI processing. These providers have their own privacy policies and data retention practices. Where zero-retention API configurations are available, Phantava uses them by default. The active LLM provider for your team is configurable and disclosed in the Service dashboard.

MCP Servers & Third-Party Tool Integrations

Commands are executed, and data exchanged, through your configured MCP infrastructure and any third-party tools integrated into the Service. Data passed through these integrations, including target-derived content, credentials, and findings, may be subject to those tools' own retention and processing policies. We do not control or monitor MCP server environments or third-party tool behavior. You are responsible for reviewing the privacy practices of any integrations your team enables.

Cloud Provider Integrations

Where Assessments involve cloud misconfiguration detection or testing against cloud-hosted assets (AWS, Azure, GCP), data relevant to those assessments may be processed through those providers' APIs. These interactions are governed by the respective cloud provider's terms and privacy policies.

Supabase

Our backend infrastructure provider for authentication, database, and storage. Data is stored within Supabase's secure cloud infrastructure under our configuration and access controls.

Payment Processors

Subscription billing is handled by third-party payment processors. We do not store full credit card numbers.

6. Data Storage & Security

We implement industry-standard security measures including:

  • Encryption in transit (TLS 1.2+) and at rest
  • API key encryption for stored credentials
  • Encrypted storage of all evidence artifacts
  • Row-level security policies on all database tables
  • Role-based access control within teams
  • Regular security audits of our infrastructure

Data is stored in secure cloud infrastructure. While we take reasonable measures to protect your data, no method of electronic storage is 100% secure.

Breach Notification

In the event of a confirmed data breach affecting your assessment data or personal information, Phantava will notify affected account holders within 72 hours of confirming the breach, in accordance with applicable law.

7. Data Retention

  • Account data is retained for the lifetime of your account
  • Assessment data and AI agent activity logs are retained according to your team's configuration and subscription tier
  • Evidence artifacts (HTTP captures, payloads, screenshots, exported findings) are retained for a period defined by your subscription tier and deleted permanently upon expiry unless exported
  • Terminal session history can be managed through the dashboard settings
  • Login history is retained for security auditing purposes
  • Target-derived content processed during Assessments is retained only as part of the associated Assessment record and subject to the same retention schedule

Upon account deletion, we will delete your personal data within 30 days, except where required by law or legitimate business interests (e.g., fraud prevention).

8. Bug Bounty & Responsible Disclosure Program Use

If you use Phantava in connection with a third-party bug bounty or responsible disclosure program, please be aware that:

  • Data submitted to or generated within Phantava during such engagements — including target scope, findings, and artifacts — is handled under this Privacy Policy, not the program operator's policies
  • Phantava does not share your assessment data with bug bounty program operators or third-party platforms without your explicit action (e.g., an export or submission you initiate)
  • You are responsible for ensuring that autonomous AI-driven testing is permitted by the relevant program before initiating an Assessment

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format, including assessment findings and reports
  • Object to or restrict certain processing
  • Withdraw consent where processing is based on consent, including any AI training opt-in

To exercise these rights, contact us at privacy@phantava.com. We will respond within 30 days.

10. Cookies & Tracking

We use essential cookies for authentication and session management. We do not use third-party advertising trackers. Analytics, if used, are privacy-respecting and do not track individual users across sites.

11. Children's Privacy

The Service is not intended for individuals under 18. We do not knowingly collect data from minors. If we learn that we have collected data from a minor, we will delete it promptly.

12. International Data Transfers

Your data may be processed in the United States. By using the Service, you consent to the transfer and processing of your data in the US, which may have different data protection laws than your jurisdiction.

13. Changes to This Policy

We may update this Privacy Policy periodically. Material changes — including changes to LLM provider integrations, evidence artifact retention periods, or AI training practices — will be communicated via email or in-app notification. The "Last updated" date reflects the most recent revision.

14. Contact Us

For privacy-related inquiries, contact us at privacy@phantava.com.