Privacy Policy
Last updated: April 14, 2026
This Privacy Policy explains how SprintSeven Limited (“SprintSeven”, “we”, “us”), the company that operates the SprintRED autonomous penetration testing platform, collects, uses, discloses, transfers, and protects personal data when you visit sprintred.com or use the SprintRED service.
We are headquartered in Hong Kong SAR and process personal data in accordance with the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”). Where we process the personal data of individuals in the European Economic Area, the United Kingdom, or California, we also comply with the relevant provisions of the EU/UK General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act / CPRA (“CCPA”).
1. Data Controller
The data controller responsible for personal data processed in connection with SprintRED is SprintSeven Limited, a company incorporated in Hong Kong SAR with company registration number [CR Number] and registered office at 701 Singga Comm Ctr, 148 Connaught Rd West, Hong Kong. You can reach our privacy team at [email protected].
2. Information We Collect
We deliberately collect the minimum personal data needed to operate, secure, and improve the service. The categories below describe what we collect and the source of that data.
Account information — name, business email, employer, role, and authentication credentials you provide when you create an account or contact us. Source: directly from you.
Engagement scope — IP ranges, hostnames, application URLs, API endpoints, and other target identifiers you authorize us to test, plus optional context (asset owners, change windows, technologies in scope). Source: directly from you.
Engagement output — findings, evidence (HTTP requests/responses, screenshots, stack traces), reproduction steps, and remediation status generated when SprintRED tests targets you have authorized. Source: produced by the service while operating against your scoped targets.
Service telemetry — log data, IP addresses, device and browser identifiers, timestamps, page views, and feature usage, used to operate, secure, and debug the service. Source: automatically when you interact with the website or platform.
Billing information — company billing address, tax identifiers, and payment references. We do not store full payment card numbers; payments are processed by third-party payment providers under their own privacy terms.
Communications — the content of emails, support tickets, and meetings you have with our team.
3. How We Use Personal Data
We use personal data only for the purposes listed below, and only to the extent necessary for each purpose:
(a) to provide, operate, secure, and improve the SprintRED platform; (b) to authenticate users and manage account access; (c) to execute the security engagements you authorize and produce findings and reports; (d) to provide customer support and respond to enquiries; (e) to bill customers and collect amounts owing; (f) to detect, prevent, and investigate fraud, abuse, and security incidents; (g) to comply with legal obligations, regulatory requests, and lawful court orders; and (h) with your consent, to send product updates and other communications you can unsubscribe from at any time.
4. Lawful Basis (GDPR / UK GDPR)
For individuals located in the EEA or UK, the lawful bases on which we rely are: performance of a contract with you or your employer (Article 6(1)(b)); compliance with legal obligations to which we are subject (Article 6(1)(c)); our legitimate interests in operating, securing, and improving the service, balanced against your rights and interests (Article 6(1)(f)); and your consent where we ask for it (Article 6(1)(a)). Where we rely on legitimate interests we have conducted a balancing assessment and you may request a copy by contacting us.
5. AI Models and Customer Data
SprintRED uses machine learning models to plan, prioritize, and validate security findings. Customer engagement data — including target details, scan results, and findings — is not used to train shared or third-party models and is not exposed to other customers. Where we use third-party model providers as sub-processors, we contract for zero data-retention modes and prohibit the use of customer data for model training. A current list of sub-processors is available on request.
6. How We Share Personal Data
We do not sell personal data and we do not share it for cross-context behavioural advertising. We disclose personal data only in the following circumstances:
(a) to sub-processors who provide infrastructure, hosting, payment, analytics, or customer-support services on our behalf, under written contracts that require equivalent levels of protection; (b) to your authorized administrators and team members within your organization's SprintRED account; (c) when required by law, regulation, or lawful court order, after challenging overbroad requests where appropriate; (d) in connection with a corporate transaction such as a merger, acquisition, or asset sale, subject to confidentiality protections and continuing privacy commitments; and (e) with your explicit consent.
7. International Data Transfers
SprintSeven is established in Hong Kong SAR and our infrastructure providers operate facilities in multiple regions, including the United States and the European Union. Where personal data is transferred from the EEA, the UK, or other jurisdictions with cross-border transfer restrictions, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, and we conduct transfer impact assessments where required. A copy of the safeguards in place for any specific transfer is available on request.
8. Data Retention
We retain personal data only for as long as is necessary for the purposes set out above. Default retention periods are: account data — for the lifetime of the account plus 12 months after closure; engagement data and findings — 24 months after the engagement closes, unless your contract specifies a different period; service telemetry and security logs — 12 months; billing records — 7 years, to satisfy tax and accounting obligations under Hong Kong law. After the applicable retention period, personal data is deleted or irreversibly anonymized.
9. Security Measures
We apply technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include: encryption of data in transit (TLS 1.2+) and at rest (AES-256); least-privilege role-based access control with mandatory multi-factor authentication for staff; isolated, distroless runtime environments for scan execution; continuous logging and monitoring; periodic third-party penetration testing; and a documented incident response plan. No system is perfectly secure, and we encourage you to report suspected vulnerabilities through our Security Disclosure page.
10. Your Rights
Subject to applicable law, you have the right to: request access to the personal data we hold about you; request correction of inaccurate or incomplete data; request erasure or restriction of processing; object to processing carried out under our legitimate interests; request portability of the data you have provided to us; and withdraw consent where processing is based on consent.
Hong Kong residents may exercise the data access and correction rights granted by sections 18 and 22 of the PDPO. EEA and UK residents have the rights described in Articles 15–22 of the GDPR/UK GDPR. California residents have the rights granted by the CCPA/CPRA, including the right to know, the right to delete, the right to correct, the right to opt out of sale or sharing (which we do not engage in), and the right to non-discrimination. To exercise any right, contact [email protected]. We will respond within the timeframe required by the applicable law (typically one month under the GDPR, or 40 days under the PDPO).
11. Cookies and Tracking
sprintred.com uses a minimal set of strictly necessary cookies and self-hosted analytics. We do not embed third-party advertising, social-media trackers, or cross-site profiling pixels. Your browser will only send the cookies necessary to operate the site, remember your preferences, and keep you signed in.
12. Children
SprintRED is a business-to-business service intended for use by organizations and their authorized personnel. The service is not directed at children under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we provide, or applicable law. The “Last updated” date at the top of this page reflects when the policy was last revised. Material changes will be notified to account holders by email or in-product notice at least 30 days before they take effect.
14. Contact
For privacy questions, requests to exercise your rights, or concerns about how we handle personal data, contact [email protected]. If you are based in Hong Kong, you also have the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD). EEA and UK residents may complain to their local supervisory authority.
This page is provided for transparency. It does not create a contract and may be superseded by specific agreements you have signed with SprintSeven Limited.