What we collect
We collect the minimum necessary to operate the service. We do not sell data, run advertising, or share your information with third parties beyond what is described here.
Account data
Email address, hashed password (Argon2id), account creation timestamp, and email verification status. No phone numbers, no real names required.
Conversation history
Messages you send and AI responses are stored in our database, linked to your account. This is required to show conversation history across sessions.
Usage metadata
Per-request AI token counts and spend in USD, used to enforce your weekly spend cap. No content is stored in the usage ledger — only token counts.
Session tokens
A short-lived JWT stored in an httpOnly cookie. The token holds your user ID and a session version number. It is never accessible to page JavaScript.
Analytics: If enabled, we use Plausible Analytics — a privacy-first, cookie-free analytics tool. No personal data or fingerprinting. Aggregated page view counts only.
Security controls
Security is not marketing copy for us — it is table stakes. Below are the concrete technical controls protecting your data.
Argon2id password hashing
OWASP 2024-recommended parameters: 19 MiB memory, 2 iterations, parallelism 1. Passwords cannot be recovered — only verified. Hashes are transparently upgraded when we tighten parameters.
httpOnly session cookies
Session JWTs are stored in httpOnly Secure SameSite=Lax cookies. They are inaccessible to JavaScript, mitigating XSS-based session theft.
CSRF protection
Every mutating request requires a matching CSRF token sent in the X-CSRF-Token header. The token is verified server-side against the session on all POST, PATCH, and DELETE routes.
TLS everywhere
All traffic between your browser and our servers is encrypted with TLS 1.2+. All calls to the h4ckbot inference backend are also made over TLS. No plaintext channels exist in the request path.
Encrypted backups
PostgreSQL backups are encrypted at rest before leaving the database host. Backup access is restricted to infrastructure automation — no human access to production backup files without a documented incident.
Session versioning
Each user row carries a session_version integer. Password changes, resets, or admin force-logouts increment it, instantly invalidating every outstanding session globally — no token blocklist required.
AI & your conversation data
We do not train AI models on your conversations. Ever.
Your prompts and the AI’s responses are stored to provide conversation history — not to improve AI models. This is especially important for pentest work, where your target details, methodology, and findings must remain confidential.
h4ckbot runs its own proprietary model — trained on offensive security, red-teaming, and penetration testing data. Your messages are processed entirely on h4ckbot’s own infrastructure. No conversation content is sent to any external AI provider. There is no third-party with access to your prompts.
What this means in practice: your engagement details, target data, and methodology stay within h4ckbot’s infrastructure. That said, do not paste live production credentials or data that would violate your engagement NDA — treat the AI as you would any internal tool.
Access controls & isolation
- Conversation data is strictly isolated per user — no user can query, read, or reference another user's conversations. All queries are scoped to the authenticated user's ID.
- All AI-capable endpoints require a verified email address and accepted Terms of Service. Accounts that skip verification are blocked from the chat interface.
- Role-based access: regular users can only access their own data. Admin endpoints require an explicit role flag and are not reachable by standard accounts.
- Rate limiting is applied to all authentication endpoints (login, registration, password reset) to prevent credential stuffing and enumeration.
- The weekly spend cap is enforced with database-level atomic locks, preventing race conditions that could allow cap bypass.
Data retention & deletion
Account and conversation data is retained as long as your account is active. We do not automatically delete inactive accounts in the current version — this will be updated when we implement a formal inactivity policy.
You may request full deletion of your account and all associated data at any time. We will process deletion requests within 30 days and confirm by email when complete. Deletion is permanent and irreversible.
Request account deletion
Email us with subject line Account Deletion Request from the address associated with your account.
contact@h4ckbot.comIncident response
Detection
Automated monitoring alerts on anomalous patterns. Engineering team is paged for critical events.
Containment
Affected accounts are suspended or sessions invalidated immediately while the scope is assessed.
Notification
Affected users are notified within 72 hours of a confirmed breach, as required by GDPR Article 33/34.
All security incidents are logged with a full timeline and reviewed post-incident. We maintain a private incident log used to drive security improvements.
Responsible disclosure
h4ckbot is used by people who find vulnerabilities for a living. We welcome responsible disclosure from the security community and commit to taking all reports seriously.
Our commitments
- No legal action against good-faith researchers
- Reports kept confidential until a fix is deployed
- Acknowledgement within 24 hours
- Fix timeline provided within 5 business days for critical issues
- Credit in release notes if you want it
What to include in a report
- Clear description of the vulnerability
- Step-by-step reproduction instructions
- Your assessment of impact and severity
- Any relevant screenshots or proof-of-concept
- Your preferred contact details for follow-up
Submit a vulnerability report