1. Who we are
Zfuzz is an open-source security platform operated by the Zfuzz Security team. This page covers data handling for zfuzz.com (the marketing site, the @zfuzz/mcp documentation, and the blog).
For data handling on our commercial platform (zfuzz.com), see the separate privacy policy on that site.
2. What we collect
2.1 Audience measurement (no cookies)
We run a first-party, cookie-less analytics tracker. When you visit a page, we record:
- The page you visited (path and slug)
- The type of event (pageview, scroll depth, button click, copy command)
- Your referrer (the page that linked here, if any)
- Your user-agent string (browser version)
- A SHA-256 hash of your IP address (used to deduplicate pageviews — the raw IP is never written to disk)
We do not set any cookies. We do not use localStorage or sessionStorage. We do not fingerprint your browser. No Google Analytics, no Meta Pixel, no Hotjar.
This processing falls under the CNIL audience-measurement exemption (Délibération n° 2020-091) and the equivalent EDPB Guidelines 03/2022. No consent banner is required because we meet all six criteria: strictly necessary measurement, first-party, no cross-site tracking, no third-party transmission, no individual profiling, retention capped at 13 months.
2.2 Newsletter
When you subscribe to our newsletter, we store:
- Your email address
- The date and time you subscribed
- The page from which you subscribed
- Your unsubscribe token (random UUID)
We use this only to send you the weekly newsletter. We never share, sell, or rent your email. Every email contains a one-click unsubscribe link in the footer. You can also email hello@zfuzz.com to remove your address at any time.
Legal basis: consent (GDPR Art. 6(1)(a)).
2.3 MCP package telemetry
The @zfuzz/mcp npm package runs 100% locally on your machine. It does not send any telemetry, no anonymous usage data, no crash reports. Nothing leaves your computer unless you explicitly ask the MCP server to fetch a public resource (NVD CVE lookup, OSV.dev advisory check, etc.).
3. Cookies set by infrastructure providers
We do not set any cookies ourselves. However, if you reach this site through Cloudflare (our CDN/security front), Cloudflare may set the following cookie strictly for security purposes:
| Name | Purpose | Lifetime | Consent |
|---|---|---|---|
__cf_bm |
Cloudflare bot management — distinguishes humans from automated traffic to protect the site. | 30 minutes | Exempt (strictly necessary — CNIL & EDPB) |
4. How long we keep your data
| Data | Retention |
|---|---|
| Analytics events (hash IP, UA, page, event) | 13 months, then automatically purged |
| Newsletter subscription (email + metadata) | Until you unsubscribe, or 3 years of inactivity |
| Server access logs (IP, request line) | 30 days, then automatically purged |
5. Where your data lives
All data is stored on infrastructure located in the European Union (Hetzner Cloud, Germany & Finland). We do not transfer personal data outside the EU/EEA. Database backups are encrypted (AES-256) and stored in the same region.
6. Your rights (GDPR Articles 15-22)
You have the right to:
- Access — ask what data we hold about you
- Rectify — correct inaccurate data
- Erase — ask for deletion of your data
- Restrict — limit how we process your data
- Portability — receive your data in a machine-readable format
- Object — oppose specific processing
- Withdraw consent — at any time, for newsletter
To exercise any of these rights, email hello@zfuzz.com. We respond within 30 days.
You also have the right to lodge a complaint with your local data-protection authority — in France, the CNIL.
7. Security
We practice what we preach. Zfuzz scans itself with its own SAST/SCA/secrets engines on every commit. TLS 1.3 in transit, AES-256 at rest, argon2 password hashing, MFA on every admin account, row-level security on every database table, immutable SHA-256 chained audit logs.
8. Changes to this page
We will post any material changes here and update the "Last updated" date at the top. For substantial changes affecting newsletter subscribers, we will also notify you by email.
9. Contact
Privacy questions: hello@zfuzz.com
Security disclosure: hello@zfuzz.com
General: hello@zfuzz.com