We collect the minimum signal needed to run agents against your authorized targets: the URLs you give us, the scope rules you set, the synthetic credentials you upload, and the network responses our agents capture during a run. Captured payloads tied to a confirmed finding are retained for 90 days; unconfirmed captures are dropped within 24h. We never train on your data. We never sell it. The formal privacy notice is in legal review.