Privacy Policy

Effective: March 2026

1. Who We Are

Nautilus Security Intelligence Platform ("Nautilus", "we", "us") is a SaaS vulnerability intelligence platform operated at nautilus-radar.com. For data protection matters, contact us at: privacy@nautilus-radar.com

2. What Data We Collect

Account Data

Username, email address, hashed password (Argon2), and account creation timestamp. Required to provide the service.

Session Data

Session identifiers stored in an HTTP-only cookie to keep you logged in. Free accounts are limited to 1 active session, Premium accounts to 3.

Usage Statistics (Anonymised)

We track daily and weekly page views using a SHA-256 hash of your IP address combined with a daily salt. Raw IP addresses are never stored. The hash cannot be reversed to your IP.

Subscription & Payment Data

If you subscribe to Nautilus Premium, payment is processed by LemonSqueezy (a third-party payment processor). We receive only a subscription status, subscriber ID, and billing portal URL — no card details.

User Settings & Preferences

Your configured technology watchlist, webhook URLs, notification preferences, and display settings.

3. How We Use Your Data

  • Providing and operating the Nautilus service
  • Sending transactional emails (account verification, password reset)
  • Processing subscription payments via LemonSqueezy
  • Analysing aggregate usage statistics (anonymised) to improve the product
  • Enforcing our Terms of Service (e.g. single-session limits)

We do not sell your data, use it for advertising, or share it with third parties except as required to operate the service (see Section 5).

4. Legal Basis (GDPR)

  • Contract (Art. 6(1)(b)): Account data, sessions, and subscription data — necessary to fulfil the service contract.
  • Legitimate Interest (Art. 6(1)(f)): Anonymised usage statistics — to understand aggregate platform usage. No individual profiling.
  • Consent (Art. 6(1)(a)): Acceptance of these terms at registration, recorded with timestamp.

5. Third-Party Services

LemonSqueezy — Payment processing. Their privacy policy applies to payment data: lemonsqueezy.com/privacy

Brevo (Sendinblue) — Transactional email delivery (verification, password reset). Emails are routed through their SMTP relay.

Hosting — Our servers are hosted within the EU. Data does not leave the EU.

6. Data Retention

  • Account data: retained for the lifetime of your account
  • Anonymised visit hashes: 90 days rolling window
  • Session data: cleared on logout or after inactivity
  • After account deletion: all personal data removed within 30 days

7. Your Rights (GDPR)

As an EU resident you have the right to: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection. You can delete your account at any time in Settings → Account → Delete Account. For other requests, contact privacy@nautilus-radar.com.

8. Cookies

We use two cookies: a session cookie (sessionid) for authentication, and a CSRF cookie (csrftoken) for security. Both are strictly necessary for the service to function. No tracking or marketing cookies are used.

9. Changes to This Policy

We will notify registered users by email of material changes at least 14 days before they take effect.

Terms of ServiceContact