Privacy Policy
Last updated: March 24, 2026
1. Data Controller
Sixi AI (“we”, “us”, “our”) acts as the data controller for personal data processed through this platform. We are based in the European Union and comply with the General Data Protection Regulation (EU) 2016/679 (GDPR).
2. Data We Collect
- Account data: Email address, display name, and authentication credentials (managed by Firebase Authentication).
- Scan configuration: Target endpoint URLs, connector types, and scan parameters you configure.
- Scan results: Attack payloads sent to your target, target responses, evidence of vulnerabilities, and generated reports.
- Audit trail: Timestamps, user actions, IP addresses, and request metadata for security and accountability.
3. How We Use Your Data
- To execute security assessments against targets you authorize.
- To generate vulnerability reports and remediation recommendations.
- To improve attack technique effectiveness across scans (anonymized cross-scan learning).
- To maintain audit trails for compliance and accountability.
4. Legal Basis (GDPR Article 6)
- Contract performance (Art. 6(1)(b)): Processing scan data is necessary to provide the service you requested.
- Legitimate interest (Art. 6(1)(f)): Cross-scan learning to improve technique effectiveness, with your data anonymized.
- Legal obligation (Art. 6(1)(c)): Maintaining audit logs as required by applicable law.
5. Data Retention
We apply the principle of storage limitation (GDPR Article 5(1)(e)):
- Scan evidence (payloads, responses, attack chains): automatically deleted after 90 days.
- Scan metadata (name, status, risk rating): archived after 365 days (evidence subcollections deleted, metadata retained).
- Audit logs: retained for 2 years, then automatically deleted.
- You can delete individual scans and targets at any time through the dashboard.
6. Data Security
- All data in transit is protected by TLS 1.3.
- Data at rest is encrypted by Google Cloud (AES-256).
- Sensitive fields (credentials, evidence, conversation histories, attack payloads) are additionally encrypted at the application level using AES-128-CBC + HMAC-SHA256 (Fernet).
- Authentication secrets in target configurations are masked in UI responses and encrypted in storage.
7. Your Rights (GDPR Chapter III)
Under the GDPR, you have the right to:
- Access your personal data (Art. 15) — download scan reports via the dashboard.
- Rectify your personal data (Art. 16) — update your account information.
- Erase your personal data (Art. 17) — delete your scans, targets, and account.
- Obtain a portable copy of your data (Art. 20) — export scan reports in JSON, PDF, or Markdown format.
- Object to processing (Art. 21) — contact us to opt out of cross-scan learning.
8. Cross-Scan Learning
Successful attack techniques are stored in an anonymized library to improve effectiveness across future scans. When shared across users, target names and response content are stripped. You can request exclusion from this by contacting us.
9. Sub-Processors
- Google Cloud (Firestore): Data storage and authentication. EU data residency available.
- LLM providers (Anthropic, Google, OpenAI): Used to generate and evaluate attack payloads. Only the target's responses and assessment context are sent — never your account data.
10. Contact
For privacy inquiries, data subject requests, or to report concerns:
Email: privacy@sixi.ai