
    Privacy Policy

    Last updated February 12, 2026


    1. Introduction

    This Privacy Policy describes how Konvu, Inc. ("Konvu," "we," "us," or "our") collects, uses, shares, and protects personal information when you:

    • Visit our website at konvu.com (the "Site")
    • Use Konvu's AI-powered vulnerability management platform (the "Service")
    • Communicate with us through email, support channels, or events

    For enterprise customers: If you have entered into a Master Subscription Agreement ("MSA") with Konvu, the Data Processing Agreement ("DPA") attached to the MSA governs our processing of personal data on your behalf as a data processor. In the event of any conflict between this Privacy Policy and the DPA, the DPA prevails with respect to the processing of Customer Data (as defined in the MSA).

    If you have questions, please contact us at privacy@konvu.com.


    2. Who We Are

    Konvu, Inc. is a Delaware corporation with its registered office at:

    1111B South Governors Avenue, STE 7673
    Dover, Delaware 19904
    United States

    Konvu operates through its affiliate, Konvu SAS, incorporated in France. For the purposes of EU and UK data protection law, Konvu, Inc. is the data controller for personal information collected through the Site and Service, except where we process personal data on behalf of enterprise customers under a DPA (in which case the customer is the data controller).

    Data Protection Officer: You can reach our Data Protection Officer at privacy@konvu.com or by post at the address above.


    3. Information We Collect

    3.1 Information You Provide

    When you create an account, contact us, or subscribe to the Service, we may collect:

    • Account data: your name, email address, and role within your organization (e.g., admin, member)
    • Contact and inquiry data: your name, email address, job title, and company name when you submit a form, request a demo, or email us
    • Payment data: billing address and payment method details, processed through our payment provider — we do not store full credit card numbers

    3.2 Information Collected Through the Service

    When your organization uses the Service, the following categories of personal data may be processed. These categories align with Annex I of our DPA:

    • Vulnerability and scanner data: CVE identifiers, severity scores, affected package names and versions, and file paths ingested from customer-connected vulnerability scanners
    • Code evidence data: minimal source code snippets retained as vulnerability evidence (configurable by the customer; full source code is retrieved temporarily and not persisted)
    • Usage and analytics data: IP addresses, browser type, device identifiers, session identifiers, page views, feature interactions, and audit logs
    • Communication data: email addresses and delivery metadata associated with transactional notifications and product alerts sent by the Service
    • Incidental personal data: any personal data that may be present within code snippets, file paths, or other data provided to the Service

    3.3 Information Collected Automatically on the Site

    When you visit the Site, we automatically collect:

    • Log data: IP address, browser type, operating system, referring URL, pages visited, and timestamps
    • Device data: device type, screen resolution, and language preferences
    • Analytics data: page interactions and navigation patterns, collected through cookies and similar technologies (see Section 7)

    We do not collect precise geolocation data (such as GPS coordinates).


    4. How We Use Your Information

    We use personal information for the following purposes:

    • Providing the Service: to operate, maintain, and deliver the vulnerability management platform, including AI-powered analysis
    • Account management: to create and manage your account, authenticate your identity, and communicate with you about your account
    • Customer support: to respond to your inquiries and resolve issues
    • Service communications: to send transactional emails, product alerts, security notifications, and service updates
    • Analytics and improvement: to understand how the Site and Service are used and to improve functionality, performance, and user experience
    • Marketing: to send you information about Konvu's products and services where you have consented or where we have a legitimate interest to do so — you can opt out at any time
    • Security: to detect, prevent, and respond to fraud, abuse, security incidents, and technical issues
    • Legal compliance: to comply with applicable laws, regulations, and legal processes

    We do not use personal information for targeted advertising or behavioral profiling for advertising purposes.


    If you are located in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR:

    • Performance of a contract: processing necessary to provide the Service under the MSA, or to take steps before entering into a contract (e.g., responding to a demo request)
    • Legitimate interests: processing necessary for our legitimate business interests, such as improving the Service, website analytics, and ensuring security, where those interests are not overridden by your rights
    • Consent: where you have given explicit consent, such as opting in to marketing communications — you may withdraw consent at any time by contacting privacy@konvu.com or using the unsubscribe link in any email
    • Legal obligation: processing necessary to comply with applicable legal requirements

    For enterprise customers, our processing of Customer Data as a data processor is governed by the DPA and is based on the customer's instructions and applicable legal basis.


    6. AI-Powered Processing

    The Service uses artificial intelligence, including third-party large language model ("LLM") providers, to analyze vulnerabilities and generate prioritization recommendations.

    How it works: When the Service performs AI-powered analysis, Customer Data is submitted to the LLM provider for inference. The data is processed ephemerally — it is not retained by the LLM provider beyond the duration of the inference request.

    No training on your data: Konvu does not use Customer Data to train, fine-tune, or improve any machine learning model, whether Konvu's own models or any third-party LLM. This commitment is contractually enforced through our agreements with LLM providers and reflected in our MSA (Section 9) and DPA (Section 4).

    Where source code is involved: when the Service accesses customer source code, it is temporarily processed in an isolated environment and deleted upon completion of analysis. Only analytical outputs (Service Outputs) are retained — not the source code itself.

    Our current LLM provider is OpenAI. Changes to LLM providers are governed by the sub-processor notification process described in the DPA and disclosed on our Trust Center.


    7. Cookies and Analytics

    7.1 Website Analytics

    We use the following analytics services on the Site:

    • Google Analytics: to understand how visitors interact with the Site, including page views, traffic sources, and engagement metrics. Google Analytics may set cookies on your device. You can opt out at tools.google.com/dlpage/gaoptout. For more information, see Google's Privacy Policy.

    7.2 Product Analytics

    Within the Service, we use:

    • PostHog: to track product usage, feature adoption, and user experience. PostHog processes IP addresses, device identifiers, session data, and feature usage events. This data is used solely for product improvement, not for advertising. For more information, see PostHog's Privacy Policy.

    You can manage cookies through your browser settings or through the cookie consent banner on our Site. Disabling cookies may affect the functionality of certain features. For detailed information about the specific cookies we use, see our Cookie Policy.


    8. Who We Share Your Information With

    We share personal information only as described below. We do not sell personal information.

    8.1 Service Providers and Sub-processors

    We use the following third-party providers to operate the Site and Service. For enterprise customers, the sub-processor list is maintained on our Trust Center and governed by the DPA (Section 6).

    Provider | Purpose | Location
    Amazon Web Services (AWS) | Cloud infrastructure, compute, storage, and database services | United States
    OpenAI | LLM inference for AI-powered vulnerability analysis (ephemeral; no data retention) | United States
    Customer.io | Transactional and product alert email delivery | United States
    PostHog | Product analytics and usage tracking | United States
    Salesforce | Customer relationship management | United States
    Help Scout | Customer support ticketing and communications | United States
    Konvu SAS | Engineering, support, and operational services (Konvu affiliate) | France
    Google Analytics | Website analytics (Site only) | United States

    8.2 Other Disclosures

    We may also disclose personal information:

    • Legal requirements: to comply with applicable law, regulation, legal process, or government request
    • Protection of rights: to enforce our agreements, protect our rights, privacy, safety, or property, and that of our users or the public
    • Business transfers: in connection with a merger, acquisition, reorganization, or sale of assets, in which case the successor entity will be bound by this Privacy Policy

    9. International Data Transfers

    Konvu is based in the United States, and our primary infrastructure is hosted in the US. If you are located outside the United States, your personal information will be transferred to and processed in the United States.

    For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on the following safeguards:

    • EU Standard Contractual Clauses (SCCs): Module 2 (Controller to Processor) as approved by European Commission Implementing Decision (EU) 2021/914, incorporated into our DPA
    • UK International Data Transfer Addendum (IDTA): as issued by the UK Information Commissioner's Office, appended to the SCCs where applicable
    • Swiss Federal Act on Data Protection (FADP): references to GDPR in the SCCs are interpreted to include the FADP as applicable

    Our DPA, available to enterprise customers upon request or through execution of the MSA, contains the full text of applicable transfer mechanisms. The competent supervisory authority for purposes of the SCCs is the Commission Nationale de l'Informatique et des Libertés (CNIL, France), anchored to our affiliate Konvu SAS.


    10. Data Retention

    We retain personal information only as long as necessary for the purposes described in this Privacy Policy:

    • Account data: retained for the duration of your account and deleted or anonymized within thirty (30) days of a deletion request following account termination, unless retention is required by law
    • Service data (Customer Data): retained for the duration of the Subscription Term. Upon termination, deleted or returned within thirty (30) days of the customer's written request, as specified in the MSA (Section 5.4) and DPA (Section 10)
    • Backup copies: deleted no later than ninety (90) days following termination, in the ordinary course of backup rotation
    • Website analytics data: retained in accordance with the respective analytics provider's retention settings
    • Marketing and inquiry data: retained until you unsubscribe or request deletion, and in any case no longer than twenty-four (24) months after your last interaction with us

    When retention is no longer necessary, we delete or anonymize personal information. Data retained for legal or compliance purposes is isolated from active processing and remains subject to the security and confidentiality obligations of this Privacy Policy.


    11. Data Security

    We maintain administrative, technical, and organizational security measures designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. Our security program is described in our Trust Center and includes measures such as encryption in transit and at rest, access controls, and regular security assessments.

    No method of transmission or storage is completely secure. While we strive to protect your personal information, we cannot guarantee absolute security.

    For details about our security practices and certifications, visit our Trust Center or contact us at privacy@konvu.com.


    12. Your Privacy Rights (EEA, UK, and Switzerland)

    If you are located in the EEA, UK, or Switzerland, you have the following rights under applicable data protection law:

    • Access: request a copy of the personal information we hold about you
    • Rectification: request correction of inaccurate or incomplete personal information
    • Erasure: request deletion of your personal information where it is no longer necessary for the purposes for which it was collected
    • Restriction: request that we restrict the processing of your personal information in certain circumstances
    • Portability: receive your personal information in a structured, commonly used, machine-readable format
    • Objection: object to processing based on legitimate interests, including for direct marketing purposes
    • Withdraw consent: where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of prior processing
    • Automated decision-making: not be subject to decisions based solely on automated processing that produce legal or similarly significant effects — if such processing occurs, we will inform you, explain the key factors, and provide a way to request human review

    To exercise any of these rights, contact us at privacy@konvu.com. We will respond within thirty (30) days, or within the timeframe required by applicable law.

    If you believe we are processing your personal information unlawfully, you have the right to lodge a complaint with your local supervisory authority. For users connected to our French affiliate, the relevant authority is the CNIL (www.cnil.fr).


    13. US State Privacy Rights

    This section applies to residents of states with comprehensive privacy laws, including California (CCPA/CPRA), Colorado, Connecticut, Virginia, and other states with applicable privacy legislation.

    13.1 Your Rights

    Depending on your state of residence, you may have the right to:

    • Know what personal information we collect, use, and disclose
    • Access and obtain a copy of your personal information
    • Correct inaccuracies in your personal information
    • Delete your personal information
    • Opt out of the sale or sharing of your personal information
    • Not be discriminated against for exercising your rights

    13.2 How We Handle Your Data

    In the preceding twelve (12) months:

    • Categories collected: identifiers (names, email addresses, IP addresses), professional information (job titles, company names), internet activity (browsing data, feature usage), and geolocation data (IP-derived, not precise GPS)
    • Sold or shared for cross-context behavioral advertising: none — we do not sell personal information or share it for targeted advertising purposes
    • Disclosed for a business purpose: personal information is disclosed to the service providers listed in Section 8.1, solely for the purposes described in this Privacy Policy

    13.3 CPRA Service Provider Commitment

    Konvu processes personal information as a "service provider" (as defined under the CCPA/CPRA) on behalf of enterprise customers. We certify that we understand and will comply with the restrictions applicable to service providers, and will not sell, share, or use personal information for purposes other than performing the services specified in the MSA, except as permitted by the CCPA/CPRA.

    13.4 Exercising Your Rights

    To exercise your rights, contact us at privacy@konvu.com. We will verify your identity before processing your request. You may designate an authorized agent to submit a request on your behalf, provided the agent submits proof of authorization.

    If we decline your request, you may appeal by emailing privacy@konvu.com. We will respond in writing with our reasons. If the appeal is denied, you may contact your state attorney general.


    14. Children's Privacy

    The Site and Service are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child under 18, please contact us at privacy@konvu.com and we will take steps to delete it promptly.


    15. Changes to This Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will indicate the date of the most recent update at the top of this page. For material changes, we will provide prominent notice on the Site or notify you by email.

    We encourage you to review this Privacy Policy periodically.


    16. Contact Us

    If you have questions about this Privacy Policy, want to exercise your privacy rights, or wish to make a complaint, please contact us:

    Data Protection Officer
    Konvu, Inc.
    1111B South Governors Avenue, STE 7673
    Dover, Delaware 19904
    United States

    Email: privacy@konvu.com

    For enterprise customers seeking a copy of our DPA or information about our security practices, please visit our Trust Center or contact privacy@konvu.com.