Privacy Policy
How we collect, use, and protect your personal data
Last updated: 19 March 2026
1. Who we are
Luna Cybersecurity Platform ("Luna", "we", "us", "our") is the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are based at 124 City Road, London, England, EC1V 2NX, United Kingdom.
If you have any questions about this privacy policy or how we handle your data, you can contact us at [email protected].
2. What data we collect
We collect and process the following categories of personal data:
Account information
- Name, email address, and company name (provided at registration)
- Password (stored as a bcrypt hash, never in plaintext)
- Multi-factor authentication settings and backup codes
- API keys you create
Billing information
- Payment card details and billing address (processed and stored by Stripe; we do not store card numbers)
- Subscription plan, billing history, and invoices
Scan data
- Targets you add for scanning (domains, IP addresses, hostnames)
- Scan results, vulnerability findings, and associated metadata
- Scheduled scan configurations
- Reports you generate
Usage and technical data
- IP address and approximate location
- Browser type and operating system
- Pages visited and features used
- Timestamps of account activity
Communication data
- Emails and support requests you send us
- Notification preferences
3. How we use your data
We use your personal data for the following purposes and legal bases:
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Providing and operating the Luna platform | Performance of contract |
| Processing payments and managing subscriptions | Performance of contract |
| Sending service-related notifications (scan results, security alerts) | Performance of contract |
| Responding to support requests | Performance of contract |
| Improving the platform and developing new features | Legitimate interest |
| Website analytics to understand how the site is used | Legitimate interest |
| Preventing fraud, abuse, and unauthorized scanning | Legitimate interest |
| Complying with legal obligations | Legal obligation |
4. Who we share your data with
We do not sell your personal data. We share data only with the following categories of third parties, solely to operate and improve the service:
| Third party | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Billing details, subscription data |
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, and transactional email delivery | All platform data (encrypted at rest and in transit), email addresses and names for service notifications |
| Cloudflare | CDN, WAF, DDoS protection, and bot detection | IP addresses, request metadata |
| | Website analytics and font delivery | Anonymised usage data, IP address |
| Cloud database provider | Data storage and processing | All application data (encrypted at rest) |
| Error monitoring provider | Application performance and error tracking | Error logs, request metadata |
| Caching and session management provider | Rate limiting, session tokens, and security controls | Session identifiers, rate limit counters |
If you connect third-party integrations (such as Slack, AWS Route 53, or Cloudflare), data will be shared with those services as necessary to provide the integration you configured.
5. International data transfers
Our infrastructure is hosted on AWS. Some of our third-party service providers (including Stripe and Google) may process data outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place, including:
- UK adequacy decisions for the recipient country
- UK International Data Transfer Agreement (IDTA) or addendum
- Binding corporate rules of the service provider
6. How long we keep your data
We retain your data for as long as necessary to provide the service and fulfil the purposes described in this policy. Specific retention periods are:
- Account and scan data: retained for the duration of your account. If you close your account, we will delete your data within a reasonable period, unless we are required to retain it for legal or regulatory purposes
- Billing records: retained for 7 years after the transaction to comply with UK tax and accounting obligations
- Support correspondence: retained for the duration of your account and a reasonable period after closure to handle any follow-up queries
- Analytics data: retained in anonymised form for up to 26 months
- Audit logs: retained for as long as necessary for security and compliance purposes
7. Your rights
Under UK GDPR, you have the following rights:
- Access: request a copy of the personal data we hold about you
- Rectification: ask us to correct inaccurate data
- Erasure: ask us to delete your personal data
- Restriction: ask us to restrict processing of your data
- Portability: request your data in a machine-readable format
- Objection: object to processing based on legitimate interest
- Withdraw consent: where processing is based on consent, you can withdraw it at any time
To exercise any of these rights, contact us at [email protected]. We will respond within one month. There is no fee for making a request in most circumstances.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS 1.3) and at rest
- bcrypt password hashing
- Multi-factor authentication
- Strict data isolation between organisations
- Comprehensive audit logging
- Regular security assessments of our own infrastructure
For more detail, see our Security & Trust page.
9. Children
Luna is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.
10. Changes to this policy
We may update this privacy policy from time to time. We will notify you of significant changes by email or through the platform. The "last updated" date at the top of this page indicates when the policy was last revised.
11. Contact us
If you have questions about this privacy policy or wish to exercise your data protection rights, contact us at:
Luna Cybersecurity Platform
124 City Road, London, England, EC1V 2NX, United Kingdom
[email protected]