Legal

Privacy Policy

Last updated: April 2025

The short version: HZSec runs locally. Your code never leaves your machine. We collect minimal data — just what's needed for billing and support. We don't sell your data to anyone.

1. Who we are

HZSec is developed by Horizon Zero Security ("we," "us," or "our"). If you have privacy questions, contact us at privacy@hzsec.io.

2. What data we collect

Data we do NOT collect:

Your source code, files, or project contents — these never leave your machine
Your scan findings or security results
Your Anthropic API key (encrypted locally, never transmitted to us)
Contents of your audit log or scan history

Data we DO collect:

Account data (Pro tier): Email address and billing information processed through Stripe. We store your email to manage your subscription and send account-related communications.
Usage analytics (optional): Anonymized, aggregated usage data — such as which scan modes are used most often. This contains no personal information and no file content. You can opt out in Settings.
Support communications: If you contact us, we retain the content of those communications.

3. How the Software handles your data locally

HZSec stores the following on your machine only:

Encrypted API key: Stored at ~/.hzsec/key.enc using AES-256-GCM encryption with PBKDF2-SHA512 key derivation. Only decryptable on your machine.
Scan history: Stored at ~/.hzsec/scan-history.json. Never transmitted.
Audit log: Stored at ~/.hzsec/audit.log. Never transmitted.
Backups: Stored at ~/.hzsec/backups/. Never transmitted.
Preferences: Stored at ~/.hzsec/prefs.json. Never transmitted.

4. Third-party services

Anthropic API (AI assistant, Pro only): When you use the AI assistant, a limited context is sent to the Anthropic API — specifically the relevant scan findings and any file snippet you select. Your full codebase is never sent. Anthropic's privacy policy applies to this data: anthropic.com/legal/privacy.

CISA / NVD (CVE sync): When you manually sync the CVE database, HZSec makes HTTPS requests to cisa.gov and nvd.nist.gov. No personal data is transmitted in these requests.

Stripe (billing): Payment processing for Pro subscriptions is handled by Stripe. We do not store your payment card details. Stripe's privacy policy applies: stripe.com/privacy.

5. How we use your data

To manage your account and subscription
To send you account-related emails (receipts, renewal notices)
To provide customer support
To improve the Software through anonymized analytics (if opted in)

We do not sell, rent, or share your personal data with third parties for marketing purposes.

6. Data retention

We retain your account data for as long as your account is active. If you cancel your Pro subscription and close your account, we delete your personal data within 30 days, except where required by law (such as billing records, which are retained for 7 years).

7. Your rights

Depending on your location, you may have rights to:

Access the personal data we hold about you
Correct inaccurate data
Request deletion of your data
Object to processing of your data
Data portability

To exercise any of these rights, contact us at privacy@hzsec.io.

8. Security

We use industry-standard security practices to protect your account data. Your API key is encrypted on your device and we never have access to it. If you discover a security issue with HZSec, please report it responsibly to security@hzsec.io.

9. Children

HZSec is not intended for users under 16 years of age. We do not knowingly collect personal data from children.

10. Changes to this policy

We may update this Privacy Policy. We will notify you of material changes by email. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact

Privacy questions: privacy@hzsec.io
Security issues: security@hzsec.io
General: hello@hzsec.io