Privacy Policy
Last updated: 2026-04-29 · Effective: 2026-04-29
1. Introduction
This Privacy Policy explains how RealExploit (the "Service"), operated under the trade name "Keystone Labs" ("Keystone Labs", "we", "us", or "our"), collects, uses, discloses, and protects personal data. Keystone Labs is a sole proprietorship; specific operator details are available upon written request to privacy@realexploit.io for legitimate legal purposes.
By using the Service, you consent to the data practices described in this Policy. If you do not agree, please do not use the Service.
2. Data We Collect
Account data.
- Email address (required, used as account identifier and for service notifications).
- Password — stored only as a bcrypt hash. We never store, log, or transmit your plaintext password.
- Optional profile fields: organization name, display name.
Service-usage data.
- API request logs: timestamp, endpoint, response status, requested CVE identifier, response latency.
- IP address at signup and at each session start (for abuse prevention and security forensics).
- Browser user-agent string and approximate session metadata.
- Aggregate usage metrics (calls per month, quota consumption) for billing and capacity planning.
Billing data. Names and payment data are collected and processed by Paddle.com as Merchant of Record. Keystone Labs receives only transaction identifiers, plan, status, country (for tax purposes), and the last four digits / brand of the card. We never receive or store full card numbers, CVVs, or banking credentials.
Optional data. Any feedback, support correspondence, or content you voluntarily submit to us via email or the support form.
3. Purpose of Processing
We process the categories above for the following purposes:
- Service delivery — authentication, session management, rate limiting, quota enforcement, abuse prevention.
- Billing and account administration — invoicing, dunning, subscription lifecycle.
- Customer support — responding to inquiries, troubleshooting, and resolving issues you report.
- Security — detecting and preventing fraud, credential stuffing, account takeover, and abuse.
- Product improvement — de-identified, aggregated analytics on usage patterns. Individual records are not used for analytics.
- Legal compliance — responding to lawful requests, enforcing our Terms of Service, and meeting regulatory obligations.
4. Cookies and Tracking
The marketing site at realexploit.io sets no cookies. The application at app.realexploit.io uses a single first-party session cookie (a JWT) to maintain authentication. The cookie is HttpOnly, Secure, SameSite=Lax, and scoped to the application subdomain only.
We do not use third-party analytics pixels, advertising trackers, session-replay scripts, or behavioral profiling cookies. We do not participate in cross-site advertising networks. Because we set no advertising or analytics cookies, no Cookie Consent banner is required for compliance with EU/UK ePrivacy rules.
5. Third-Party Service Providers
We share personal data with the following sub-processors, each of whom is contractually obligated to process data only for the stated purpose and to implement appropriate security measures:
- Paddle.com Market Limited — payment processing, tax remittance, fraud screening (Merchant of Record). Privacy policy.
- Postmark (ActiveCampaign, LLC) — transactional email delivery (account verification, password reset, billing notifications). Privacy policy.
- Cloudflare, Inc. — content delivery network, DDoS protection, edge security, bot management. Privacy policy.
- Sentry (Functional Software, Inc.) — application error tracking, with PII redacted from stack traces. Privacy policy.
- Hetzner Online GmbH — server hosting in Frankfurt, Germany. Privacy policy.
We do not sell, rent, or trade personal data to any third party. We may disclose data when legally compelled (subpoena, court order, regulatory request) and will challenge overbroad requests where appropriate.
6. Data Hosting Location
Personal data is processed and stored on infrastructure located in Frankfurt, Germany (European Union). Static assets are served via Cloudflare's globally distributed edge network. Some sub-processors listed above may process data internationally pursuant to their own data-processing agreements and Standard Contractual Clauses, where applicable.
7. Data Retention
- Active account record — retained for the lifetime of your account. You can delete your account at any time via your dashboard or by emailing privacy@realexploit.io. Upon deletion, the user record is anonymized within 30 days.
- API request logs — 90 days, then aggregated and anonymized.
- Server access logs — 30 days.
- Audit logs (administrative actions, security events) — 24 months, for compliance and forensic purposes.
- Billing records and tax documents — up to 7 years, as required by typical financial-recordkeeping obligations.
- Anonymized account stub — retained indefinitely for referential integrity of audit logs (no personal identifiers remain).
8. Your Rights
Depending on your jurisdiction of residence, you have rights regarding your personal data. We comply with the following frameworks for residents of the relevant regions.
European Union and United Kingdom (GDPR / UK DPA)
If you are a resident of the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation and equivalent UK law:
- Right of access (Article 15) — obtain a copy of your personal data and information about how it is processed.
- Right to rectification (Article 16) — correct inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Article 17) — request deletion of your data.
- Right to restriction of processing (Article 18) — limit how we use your data.
- Right to data portability (Article 20) — receive your data in a structured, machine-readable format.
- Right to object (Article 21) — object to processing based on legitimate interests.
- Right to withdraw consent at any time, where processing is based on consent.
- Right to lodge a complaint with your local supervisory authority.
To exercise these rights, contact privacy@realexploit.io. We respond within 30 days; extensions of up to two further months are possible for complex requests, with notice.
California, United States (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to know what personal information we collect, the categories of sources, and the purposes for which it is used.
- Right to delete personal information we have collected.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information — we do not sell or share personal information for cross-context behavioral advertising, so no opt-out is necessary.
- Right to limit use and disclosure of sensitive personal information.
- Right to non-discrimination for exercising any of the above rights.
To exercise these rights, contact privacy@realexploit.io. Authorized agents may submit requests on your behalf with verifiable written authorization.
Other jurisdictions
Residents of other regions may have additional rights under local data-protection laws — including but not limited to Brazil's Lei Geral de Proteção de Dados (LGPD), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and Australia's Privacy Act 1988. Contact privacy@realexploit.io to exercise such rights; we honor reasonable requests in accordance with applicable local law.
9. Data Subject Verification
To protect your privacy and prevent fraudulent requests, we may request verification of your identity before fulfilling rights requests — typically by confirming control of the email address on file. For high-risk requests we may request additional reasonable verification.
10. Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact privacy@realexploit.io and we will promptly delete it.
11. Security Measures
- TLS 1.3 in transit for all client connections; HSTS preload enforced.
- Bcrypt (cost factor 12) for password hashing; passwords are never logged in plaintext.
- SHA-256 hashes with constant-time comparison for API keys, session tokens, email-verification tokens, and password-reset tokens. Plaintext values are shown to the user once and never persisted.
- Encryption at rest provided by the hosting infrastructure.
- Database least-privilege role separation: migrations run as a superuser role; the application runtime runs as a separate least-privilege role.
- Audit logging of administrative actions for 24 months.
- Cloudflare WAF, DDoS protection, and bot defense (Cloudflare Turnstile) on authentication endpoints.
- PII redaction (emails, JWTs, API keys) in application logs before any renderer sees them.
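As an added illustration of the token handling described in the list above (example code, not the Service's own implementation): a minimal token store that keeps only the SHA-256 digest at rest, verifies with a constant-time comparison, and returns the plaintext exactly once at issuance. The TokenStore class and the token_id lookup handle are constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def digest(token: str) -> bytes:
    """SHA-256 of the token; this is the only representation kept at rest."""
    return hashlib.sha256(token.encode("utf-8")).digest()


@dataclass
class TokenStore:
    """Constructed example store: token_id (non-secret handle) -> digest."""
    records: dict = field(default_factory=dict)

    def issue(self, token_id: str) -> str:
        """Issue a fresh token. The plaintext is returned once and never stored."""
        plaintext = secrets.token_urlsafe(32)
        self.records[token_id] = digest(plaintext)
        return plaintext

    def verify(self, token_id: str, presented: str) -> bool:
        """Check a presented token using a constant-time digest comparison."""
        stored = self.records.get(token_id)
        # Compare against a fixed dummy digest when the id is unknown so the
        # comparison cost does not reveal whether the handle exists.
        expected = stored if stored is not None else digest("")
        matched = hmac.compare_digest(expected, digest(presented))
        return matched and stored is not None

    def revoke(self, token_id: str) -> None:
        """Drop the digest; the token can never be verified again."""
        self.records.pop(token_id, None)
```

Whatever the caller does with the returned plaintext (display it once in the UI, send it in a reset email), the store itself holds nothing from which the token could be recovered.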
12. Data Breach Notification
In the event of a personal data breach affecting your data, we will notify affected users without undue delay through the email address on your account and, where applicable, within 72 hours of becoming aware as required by GDPR Article 33. Notifications will include the nature of the breach, the categories of data affected, the likely consequences, and the remedial steps taken or recommended.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice via email and by posting the updated version on this page with a revised "Last updated" date. Continued use of the Service after the effective date constitutes acceptance.
14. Contact
- Privacy inquiries and rights requests: privacy@realexploit.io
- Data Protection Officer (DPO): privacy@realexploit.io
- General support: support@realexploit.io
- Security disclosures: security@realexploit.io
Disclaimer. This Privacy Policy is provided as a comprehensive baseline. Specific compliance obligations under your jurisdiction's data-protection law may differ. It is not legal advice; consult qualified legal counsel for your specific situation.