Privacy Policy

Last updated: April 15, 2026

1. Introduction

XEOPS.AI SARL ("Hargos.ai," "we," "our," or "us"), a French limited liability company registered in Paris (SIREN: 989 493 226, RCS Paris), operates the Hargos.ai platform — an automated web application security scanner designed for businesses.

This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you access our website at hargos.ai, our application at app.hargos.ai, and any related services (collectively, the "Services").

By using our Services, you acknowledge that you have read and agree to this Privacy Policy.

2. Data Controller

XEOPS.AI SARL

SIREN: 989 493 226 | SIRET: 989 493 226 00017 | RCS Paris | TVA: FR39989493226

Data Protection Officer: privacy@hargos.ai

Registered Office: Paris, France

3. Information We Collect

3.1 Account Information

When you register, we collect:

  • Full name
  • Professional email address (verified)
  • Password (hashed, never stored in plaintext)
  • Company/organization name (optional)

3.2 Billing Information

Payment processing is handled by Stripe. We do NOT store your credit card details. Stripe collects:

  • Payment card information (held by Stripe, PCI-DSS compliant)
  • Billing address
  • Transaction history

3.3 Scan Data

  • Target website URLs you submit for scanning
  • Domain ownership verification records
  • Scan results: discovered subdomains, vulnerabilities, severity ratings
  • Generated security reports

3.4 Automatically Collected

  • IP address (for rate limiting and legal compliance)
  • Browser type and version
  • Pages visited and usage patterns
  • Cloudflare analytics data

4. How We Use Your Information

  • Service Delivery: Perform security scans, generate reports, manage your account
  • Security: Prevent fraud, detect abuse, enforce domain ownership verification
  • Communications: Send scan results, account notifications, and (with consent) product updates
  • Improvement: Analyze usage patterns to improve our service (aggregated, anonymized data only)
  • Legal Compliance: Meet regulatory obligations under French and EU law

5. AI Processing

Our service uses AI models to analyze websites and detect vulnerabilities. AI processing occurs within EU jurisdiction (France) using Mistral AI.

Your scan data is NOT used to train AI models. We do not use your vulnerability findings, website information, or scan results to train, fine-tune, or improve any AI models.

6. Scan Data Confidentiality

We will NEVER disclose your vulnerability findings to third parties, including website visitors, competitors, or any other entity — unless legally compelled by a valid court order. Your security data is treated as strictly confidential.

7. Data Retention

Data Type | Retention Period
Account information | Duration of account + 30 days
Scan results & reports | 90 days after scan (or account deletion)
Billing records | 10 years (French tax law)
Server logs | 30 days
Domain verification | Duration of account

8. Data Sharing

We share data only with the following service providers, all operating within the EU or under adequate safeguards:

  • Scaleway (France): Cloud infrastructure hosting
  • Mistral AI (France): AI-powered vulnerability analysis
  • Stripe (EU/US): Payment processing (PCI-DSS Level 1)
  • Cloudflare (EU/US): CDN, DDoS protection, DNS

We do NOT sell your personal data. We do NOT share your data with advertisers.

9. Your Privacy Rights (GDPR)

Under the EU General Data Protection Regulation (GDPR), you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Portability: Receive your data in a machine-readable format
  • Restriction: Limit processing of your data
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time

To exercise these rights, email privacy@hargos.ai. We respond within 30 days.

You may also lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés), the French data protection authority.

10. Security Measures

  • All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Secrets managed via HashiCorp Vault (no hardcoded credentials)
  • Infrastructure hosted on Scaleway bare-metal servers in France
  • Regular security audits and vulnerability testing of our own platform
  • Access controls with role-based permissions

11. Cookies

We use minimal cookies:

  • Essential: Authentication session, language preference, theme preference
  • Security: Cloudflare Turnstile (bot protection)

We do NOT use advertising cookies or third-party tracking.

12. Children's Privacy

Our Service is not directed to individuals under 18. We do not knowingly collect personal data from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on our website at least 30 days before the changes take effect.

14. Contact Us

XEOPS.AI SARL

SIREN: 989 493 226 | RCS Paris | TVA: FR39989493226

Privacy: privacy@hargos.ai

Support: contact@hargos.ai

© 2026 Hargos.ai — All rights reserved.