Legal

Privacy Policy

Last updated: March 2026

1. Introduction

pentests.work, operated by Triton InfoSec ("Company", "we", "us"), is committed to protecting your privacy. This policy describes how we collect, use, and protect your personal information. This policy complies with the Brazilian General Data Protection Law (LGPD) and the European General Data Protection Regulation (GDPR).

2. Information We Collect

Information you provide:

  • Name, email address, company name
  • Application URL and testing scope details
  • Test credentials (if provided for authenticated testing)
  • Payment information (processed by Stripe; we do not store card details)
  • Communications with our team

Information collected automatically:

  • IP address, browser type, and device information
  • Pages visited and interactions on our website
  • Referral source and UTM parameters

Information collected during testing:

  • Application responses, error messages, and HTTP traffic
  • Screenshots and evidence of vulnerabilities
  • Logs generated during automated and manual testing

3. How We Use Your Information

  • To deliver penetration testing services and reports
  • To communicate about your engagement and results
  • To process payments
  • To improve our services and testing methodology
  • To send relevant service updates (you can opt out at any time)
  • To comply with legal obligations

4. Legal Basis for Processing

We process your data based on:

  • Contract performance: Processing necessary to deliver the services you purchased
  • Legitimate interest: Improving our services, website analytics, and fraud prevention
  • Consent: Marketing communications (opt-in only)
  • Legal obligation: Tax, accounting, and regulatory compliance

5. Data Security

We implement industry-standard security measures to protect your data:

  • All data is encrypted in transit (TLS) and at rest
  • Access to client data is restricted to authorized team members
  • Test credentials are stored in encrypted vaults and destroyed after use
  • Our infrastructure follows security best practices

6. Data Retention

  • Test data and evidence: Retained for 90 days after report delivery to support re-testing, then permanently destroyed
  • Reports: Retained for 12 months, accessible to you via secure download
  • Account and contact information: Retained while you are an active client, deleted upon request
  • Payment records: Retained as required by tax and accounting regulations

You may request deletion of your data at any time by contacting privacy@pentests.work.

7. Third-Party Services

We use the following third-party services:

  • Stripe: Payment processing
  • Google Analytics: Website analytics (anonymized)
  • Google Tag Manager: Tag management

We do not sell, rent, or share your personal information with third parties for their marketing purposes.

8. Your Rights

Under LGPD and GDPR, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time

To exercise any of these rights, contact privacy@pentests.work. We will respond within 15 business days.

9. Cookies

Our website uses essential cookies for functionality and analytics cookies to understand how visitors use our site. You can manage cookie preferences through your browser settings.

10. International Data Transfers

Our services are operated from Brazil. If you are accessing our services from outside Brazil, your data may be transferred to and processed in Brazil or other jurisdictions where our infrastructure is located. We ensure appropriate safeguards are in place for all international transfers.

11. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated date. We will notify you of material changes via email.

12. Contact

For privacy-related questions or requests, contact us at privacy@pentests.work.