Privacy Policy
This policy describes how Vestige collects, processes and protects data while operating its Exposure Intelligence platform. We adopt the principles of the GDPR and Brazil's LGPD as a baseline, even where not strictly required.
1. Scope and purpose
Vestige observes exclusively the public surface of the internet and correlates the collected signals with the assets each organization registers on the platform.
Data is processed strictly for the discovery, monitoring and exposure-correlation purposes contracted by the customer.
2. Data we collect
Account data (name, work email, organization) provided at sign-up or login.
Signals and indicators collected from distributed public sources — Certificate Transparency, BGP routing, open indexes, threat feeds and DNS. We do not access third-party private systems, and we do not authenticate to or exploit the systems we observe.
Minimal usage telemetry for audit, security and operational improvement.
3. Handling sensitive information (PII)
When public-source collection indicates the presence of document types (for example, tax IDs), Vestige records only the presence and the count — never the value, which is redacted.
The goal is to flag exposure so the organization can act, not to reproduce or disclose the sensitive value.
4. Legal basis
Performance of contract, compliance with legal obligation and legitimate interest — always balanced against the data subject's rights.
For public-source data: processing of data made manifestly public by the subject.
5. Sharing
We do not sell data. We share only with processors strictly necessary to deliver the service (infrastructure, transactional email, payment processing), under a data-processing agreement.
Requests from public authorities are fulfilled only upon a specific, documented legal order.
6. Retention
Account data is retained for the active subscription period plus the minimum term required by legal obligation.
Deletion requests are processed within 15 business days when no legal basis requires retention.
7. Data-subject rights
Access, rectification, deletion, portability, objection and withdrawal of consent, per GDPR and LGPD.
To exercise your rights: privacy@vtg.cx — response within 15 business days.
8. Security
Encryption in transit and at rest, per-organization data isolation, least-privilege access control, audit logs and periodic review of exposure surfaces.
9. Contact
Data Protection Officer (DPO): privacy@vtg.cx