Last updated: 28 May 2026

Privacy & Data

We collect the minimum data needed to run this site — no third-party trackers, no behavioral profiling, no surprises.

1. Who we are

Zfuzz is an open-source security platform operated by the Zfuzz Security team. This page covers data handling for zfuzz.com (the marketing site, the @zfuzz/mcp documentation, and the blog).

For data handling on our commercial platform (zfuzz.com), see the separate privacy policy on that site.

2. What we collect

2.1 Audience measurement (no cookies)

We run a first-party, cookie-less analytics tracker. When you visit a page, we record:

  • The page you visited (path and slug)
  • The type of event (pageview, scroll depth, button click, copy command)
  • Your referrer (the page that linked here, if any)
  • Your user-agent string (browser version)
  • A SHA-256 hash of your IP address (used to deduplicate pageviews — the raw IP is never written to disk)

We do not set any cookies. We do not use localStorage or sessionStorage. We do not fingerprint your browser. No Google Analytics, no Meta Pixel, no Hotjar.

This processing falls under the CNIL audience-measurement exemption (Délibération n° 2020-091) and the equivalent EDPB Guidelines 03/2022. No consent banner is required because we meet all six criteria: strictly necessary measurement, first-party, no cross-site tracking, no third-party transmission, no individual profiling, retention capped at 13 months.

2.2 Newsletter

When you subscribe to our newsletter, we store:

  • Your email address
  • The date and time you subscribed
  • The page from which you subscribed
  • Your unsubscribe token (random UUID)

We use this only to send you the weekly newsletter. We never share, sell, or rent your email. Every email contains a one-click unsubscribe link in the footer. You can also email hello@zfuzz.com to remove your address at any time.

Legal basis: consent (GDPR Art. 6(1)(a)).

2.3 MCP package telemetry

The @zfuzz/mcp npm package runs 100% locally on your machine. It does not send any telemetry, no anonymous usage data, no crash reports. Nothing leaves your computer unless you explicitly ask the MCP server to fetch a public resource (NVD CVE lookup, OSV.dev advisory check, etc.).

3. Cookies set by infrastructure providers

We do not set any cookies ourselves. However, if you reach this site through Cloudflare (our CDN/security front), Cloudflare may set the following cookie strictly for security purposes:

NamePurposeLifetimeConsent
__cf_bm Cloudflare bot management — distinguishes humans from automated traffic to protect the site. 30 minutes Exempt (strictly necessary — CNIL & EDPB)

4. How long we keep your data

DataRetention
Analytics events (hash IP, UA, page, event)13 months, then automatically purged
Newsletter subscription (email + metadata)Until you unsubscribe, or 3 years of inactivity
Server access logs (IP, request line)30 days, then automatically purged

5. Where your data lives

All data is stored on infrastructure located in the European Union (Hetzner Cloud, Germany & Finland). We do not transfer personal data outside the EU/EEA. Database backups are encrypted (AES-256) and stored in the same region.

6. Your rights (GDPR Articles 15-22)

You have the right to:

  • Access — ask what data we hold about you
  • Rectify — correct inaccurate data
  • Erase — ask for deletion of your data
  • Restrict — limit how we process your data
  • Portability — receive your data in a machine-readable format
  • Object — oppose specific processing
  • Withdraw consent — at any time, for newsletter

To exercise any of these rights, email hello@zfuzz.com. We respond within 30 days.

You also have the right to lodge a complaint with your local data-protection authority — in France, the CNIL.

7. Security

We practice what we preach. Zfuzz scans itself with its own SAST/SCA/secrets engines on every commit. TLS 1.3 in transit, AES-256 at rest, argon2 password hashing, MFA on every admin account, row-level security on every database table, immutable SHA-256 chained audit logs.

8. Changes to this page

We will post any material changes here and update the "Last updated" date at the top. For substantial changes affecting newsletter subscribers, we will also notify you by email.

9. Contact

Privacy questions: hello@zfuzz.com
Security disclosure: hello@zfuzz.com
General: hello@zfuzz.com