Privacy Policy

Effective Date: March 18, 2026

CELVEX Group ("we," "us," "our") operates the website celvexgroup.com and provides cybersecurity scanning and advisory services. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have over it.

We are a cybersecurity company. We understand better than most how important your data is. We treat your information with the same care and diligence that we bring to protecting our clients' systems. If anything in this policy is unclear, email us at privacy@celvexgroup.com and we will explain it in plain language.

1.1 What We Collect

We collect the following categories of personal information:

Data Type	When Collected	Purpose
Name	When you fill out a contact form, sign up for a newsletter, or engage our services	To identify you and communicate with you
Email address	When you fill out a contact form, sign up for a newsletter, or engage our services	To send you information you requested, respond to inquiries, and deliver reports
Company information	When you fill out a contact form or engage our services	To understand your organization and tailor our services
Domain names	When you submit a domain to our free scan tool or engage our services	To perform the security scan you requested

We do not collect:

• Social Security numbers or government IDs
• Financial information (payments are processed by our payment provider; we never see your card number)
• Biometric data
• Location data beyond what your IP address reveals at the country level
• Passwords, credentials, or authentication tokens belonging to you or your users

1.2 How We Collect It

• Directly from you: When you fill out forms on our website, email us, or submit domains for scanning.
• From our analytics tool: We use Plausible Analytics, a privacy-friendly analytics platform that does not use cookies, does not collect personal data, and does not track individuals across sites. Plausible collects only aggregate data such as page views, referral sources, and browser type. No individual visitor profiles are created.
• From our CRM: We use Twenty CRM (self-hosted on CELVEX-controlled infrastructure) to manage business relationships. When you interact with us via email or forms, your contact information is stored in our Twenty CRM instance.

1.3 What We Do NOT Use

We do not use:

• Google Analytics
• Facebook Pixel
• Any invasive tracking scripts, fingerprinting tools, or cross-site trackers
• Any advertising cookies or retargeting pixels
• Any data enrichment services that build profiles on individuals without their knowledge

1.4 How We Use Your Data

We use your data for the following purposes only:

1. To provide services you requested. If you submit a domain for scanning, we use that domain name to run our scan and deliver results to you.
2. To communicate with you. If you contact us, we reply. If you sign up for updates, we send updates.
3. To improve our services. We use aggregate analytics (via Plausible) to understand how people use our website so we can make it better. This data is never tied to an individual.
4. To manage our business relationship. We use Twenty CRM (self-hosted) to track conversations and ensure we follow up appropriately.
5. To fulfill our contractual obligations. When you engage us for paid services, we use information necessary to deliver those services as described in the applicable Statement of Work.

We will never use your data to:

• Build advertising profiles
• Sell to data brokers or any third party
• Target you with ads on other platforms
• Engage in any form of data monetization

1.5 Scanning Data -- Confidentiality and Handling

When you submit a domain to our free scan tool:

• We scan using passive, publicly available methods only. This means we query public DNS records, certificate transparency logs, publicly accessible headers, and other information that is already available to anyone on the internet. The free scan tool does not probe, exploit, authenticate, or interact with your systems beyond what a standard web browser does.
• We do not perform active exploitation, penetration testing, or any action that modifies, disrupts, or probes the target system.
• Scan results are confidential. We do not share your scan results with any third party. We do not publish them. We do not use them in marketing materials or case studies without your explicit written consent.
• Scan results are retained for 90 days from the date of the scan, after which they are permanently and irreversibly deleted from our systems.
• During the retention period, scan results are accessible only to you (via the link we provide) and to CELVEX Group personnel who need access to provide support.

When you engage us for paid services:

• We act as a data processor, not a data controller, with respect to any client data, systems data, or engagement data we access during the course of a paid engagement. You remain the data controller at all times.
• All engagement data -- including findings, reports, communications, and supporting evidence -- is treated as strictly confidential and is subject to the confidentiality terms in your Statement of Work.
• Engagement data is retained only for the period specified in your SOW and is securely destroyed upon request or upon the expiration of the agreed retention period.

1.6 Data Sharing -- We Do Not Sell Your Data

We do not sell, rent, lease, trade, or otherwise monetize your personal data. Under no circumstances. This is not negotiable.

We share data only with the following service providers, who process it on our behalf under contractual data protection obligations:

Provider	Purpose	Data Shared
Plausible Analytics	Website analytics	No personal data (aggregate page views only)
Twenty CRM (self-hosted on CELVEX-controlled infrastructure)	CRM and pipeline management	Name, email, company information
Email sending service	Transactional and marketing emails	Name and email address

We may also disclose data if required by law, court order, or governmental regulation, or if necessary to protect our rights, property, or safety. If we receive a legal request for your data, we will notify you unless prohibited by law from doing so.

Important: While we carefully select service providers with strong security practices and require them to protect your data contractually, CELVEX Group is not liable for data breaches, security incidents, or unauthorized access that occur within third-party service provider systems (such as email providers or hosting services) that are beyond our direct operational control. We will, however, notify you promptly if we become aware that any such incident may have affected your data.

1.7 Data Retention

Data Type	Retention Period
Free scan results	90 days from scan date, then permanently deleted
Paid engagement data	As specified in the SOW, then securely destroyed
Contact information (name, email, company)	Until you unsubscribe or request deletion
Aggregate analytics data	Indefinite (contains no personal information)
Email correspondence	Duration of business relationship plus 2 years

1.8 Your Rights

Regardless of where you are located, we extend the following rights to all users:

• Right to access. You can request a copy of all personal data we hold about you.
• Right to deletion. You can request that we delete all personal data we hold about you. We will comply within 30 days, except where we have a legal obligation to retain it.
• Right to data portability. You can request your data in a structured, machine-readable format (JSON or CSV).
• Right to correction. You can request that we correct inaccurate data.
• Right to opt out. You can unsubscribe from marketing emails at any time using the link in every email. You can also email us to opt out of all non-essential communications.
• Right to restrict processing. You can ask us to limit how we use your data while a concern is being resolved.

For GDPR (EU/EEA/UK residents): Our legal basis for processing is (a) your consent where you have provided it, (b) legitimate interest in managing business relationships and improving our services, and (c) contractual necessity when providing services you have engaged us for. You have the right to lodge a complaint with your local data protection authority. For paid engagements where we process data on your behalf, we act as a data processor under Article 28 of the GDPR.

For CCPA (California residents): We do not sell personal information. We do not share personal information for cross-context behavioral advertising. You have the right to know what personal information we collect, request deletion, and not be discriminated against for exercising your rights.

1.9 Data Security

We protect your data using encryption in transit (TLS 1.2+), encryption at rest, access controls limited to personnel who need the data to do their jobs, and regular security reviews of our own systems. Because we are a cybersecurity company, we hold ourselves to a high standard here -- the same standard we hold our clients to.

All CELVEX Group personnel with access to client data are bound by confidentiality agreements and receive ongoing security awareness training.

1.10 Children

Our services are not directed at individuals under 18. We do not knowingly collect data from children. If you believe we have, contact us immediately and we will delete it.

1.11 Changes to This Policy

If we make material changes, we will post the updated policy on this page with a new effective date. For significant changes, we will also notify users via email where possible. We encourage you to review this page periodically.

1.12 Contact

For any privacy-related questions, requests, or concerns:

Email: privacy@celvexgroup.com
Response time: We will acknowledge your request within 5 business days and fulfill it within 30 days.

↑ Back to top