Privacy Policy
The short version: HZSec runs locally. Your code never leaves your machine. We collect minimal data — just what's needed for billing and support. We don't sell your data to anyone.
1. Who we are
HZSec is developed by Horizon Zero Security ("we," "us," or "our"). If you have privacy questions, contact us at privacy@hzsec.io.
2. What data we collect
Data we do NOT collect:
- Your source code, files, or project contents — these never leave your machine
- Your scan findings or security results
- Your Anthropic API key (encrypted locally, never transmitted to us)
- Contents of your audit log or scan history
Data we DO collect:
- Account data (Pro tier): Email address and billing information processed through Stripe. We store your email to manage your subscription and send account-related communications.
- Usage analytics (optional): Anonymized, aggregated usage data — such as which scan modes are used most often. This contains no personal information and no file content. You can opt out in Settings.
- Support communications: If you contact us, we retain the content of those communications.
3. How the Software handles your data locally
HZSec stores the following on your machine only:
- Encrypted API key: Stored at ~/.hzsec/key.enc using AES-256-GCM encryption with PBKDF2-SHA512 key derivation. Only decryptable on your machine.
- Scan history: Stored at ~/.hzsec/scan-history.json. Never transmitted.
- Audit log: Stored at ~/.hzsec/audit.log. Never transmitted.
- Backups: Stored at ~/.hzsec/backups/. Never transmitted.
- Preferences: Stored at ~/.hzsec/prefs.json. Never transmitted.
4. Third-party services
Anthropic API (AI assistant, Pro only): When you use the AI assistant, a limited context is sent to the Anthropic API — specifically the relevant scan findings and any file snippet you select. Your full codebase is never sent. Anthropic's privacy policy applies to this data: anthropic.com/legal/privacy.
CISA / NVD (CVE sync): When you manually sync the CVE database, HZSec makes HTTPS requests to cisa.gov and nvd.nist.gov. No personal data is transmitted in these requests.
Stripe (billing): Payment processing for Pro subscriptions is handled by Stripe. We do not store your payment card details. Stripe's privacy policy applies: stripe.com/privacy.
5. How we use your data
- To manage your account and subscription
- To send you account-related emails (receipts, renewal notices)
- To provide customer support
- To improve the Software through anonymized analytics (if opted in)
We do not sell, rent, or share your personal data with third parties for marketing purposes.
6. Data retention
We retain your account data for as long as your account is active. If you cancel your Pro subscription and close your account, we delete your personal data within 30 days, except where required by law (such as billing records, which are retained for 7 years).
7. Your rights
Depending on your location, you may have rights to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data
- Object to processing of your data
- Data portability
To exercise any of these rights, contact us at privacy@hzsec.io.
8. Security
We use industry-standard security practices to protect your account data. Your API key is encrypted on your device and we never have access to it. If you discover a security issue with HZSec, please report it responsibly to security@hzsec.io.
9. Children
HZSec is not intended for users under 16 years of age. We do not knowingly collect personal data from children.
10. Changes to this policy
We may update this Privacy Policy. We will notify you of material changes by email. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact
Privacy questions: privacy@hzsec.io
Security issues: security@hzsec.io
General: hello@hzsec.io