Privacy policy
Last updated: 20 June 2026
This page describes how Hykaro collects, uses, and protects your data. Question? Email me: privacy@hykaro.security.
Last updated: 20 June 2026
This page describes how Hykaro collects, uses, and protects your data. Question? Email me: privacy@hykaro.security.
Draft pending legal review. Sections marked [TO VALIDATE] need confirmation before publication.
Hykaro is a security-audit service operated by Cyril Pereira ("we", "us"). Hykaro lets vendors connect a Git repository or a URL, run security/quality/accessibility scans, and deliver a white-label PDF report to their own clients.
Account data. Email, name, hashed password, organization name, role, and authentication metadata (sessions, MFA enrolment, audit log).
Billing data. Plan, invoices, and payment status. Card details are handled directly by Stripe; we never see or store full card numbers.
Target data. The Git repository or URL you connect, and the source code or HTTP responses fetched only for the duration of a scan. In CI-agent mode, your source code never leaves your infrastructure; we only ingest the resulting findings.
Scan results. Findings (rule, severity, file/line, short code snippet), scores, and the generated reports.
Usage data. Product analytics via PostHog (EU instance), strictly to improve the service.
Legal bases (GDPR): performance of our contract with you; our legitimate interest in securing and improving the service; and your consent for non-essential analytics.
--network=none. No internet access, no access to other scans, no access to the orchestrator. The temporary filesystem is destroyed immediately after findings are extracted.When AI triage is enabled (Standard tier and above), only consolidated findings are sent to Anthropic (Claude) for prioritization: CWE identifier, file:line, and a snippet of at most 5 lines. No secrets, no full source code, no client data. AI triage is opt-out at any time at no extra cost. [TO VALIDATE: Anthropic data-processing terms / zero-retention confirmation]
| Sub-processor | Purpose | Location |
|---|---|---|
| Scaleway | Hosting, database, object storage | France (EU) |
| Stripe | Payments | EU / US |
| Anthropic (Claude) | AI triage (opt-in only) | US |
| PostHog | Product analytics | EU |
| Mailjet / OVH | Transactional email | France (EU) |
A full, current list and our Data Processing Agreement (DPA) are available on request: privacy@hykaro.security.
Under the GDPR you may request: access, rectification, erasure, portability, restriction, and objection. To exercise any right, email privacy@hykaro.security. You may also lodge a complaint with the French data protection authority, the CNIL (cnil.fr).
We use essential cookies (session, security) and analytics cookies (PostHog, EU). See our cookie notice for details and to manage your choices. [TO VALIDATE: consent banner & cookie inventory]
We may update this policy. The "last updated" date at the top reflects the current version; material changes will be communicated to account holders.