Privacy Policy

Last updated: April 12, 2026

1. Data Controller

The data controller is Over Holding Srl, with registered office at Viale Tricesimo n.200, 33100 Udine, Italy, VAT IT02945890305 (hereinafter "Zero Hunt", "we", "us").

For any privacy-related inquiries, you may contact our Data Protection Officer at: dpo(at)zerohunt.ai

2. Legal Basis and Purposes of Processing (Art. 6 GDPR)

We process personal data only when we have a lawful basis to do so:

  • Consent (Art. 6(1)(a)): When you voluntarily contact us via email or submit a demo request, you consent to the processing of your contact details for the purpose of responding to your inquiry.
  • Legitimate interest (Art. 6(1)(f)): We collect minimal technical data (anonymized analytics) to ensure the security and proper functioning of our website.
  • Contractual necessity (Art. 6(1)(b)): When you enter into a commercial relationship with us, we process data necessary for contract performance.

3. Categories of Personal Data

We may collect and process the following categories of personal data:

  • Contact information: Name, email address, company name, and job title when you contact us or request a demo.
  • Technical data: IP address (anonymized), browser type, operating system, referral source, and pages visited. This data is collected via Cloudflare Web Analytics, which does not use cookies or track individuals.
  • Communication data: Content of emails or messages you send to us.

4. AI-Specific Transparency (EU AI Act Compliance)

Zero Hunt is an autonomous AI-powered cybersecurity platform. In accordance with the EU AI Act (Regulation (EU) 2024/1689), we provide the following transparency information:

  • AI system classification: Zero Hunt's penetration testing engine operates as a high-risk AI system under Annex III of the AI Act, as it is deployed in the domain of critical infrastructure security. We maintain full compliance with the requirements of Title III, Chapter 2.
  • Human oversight: All AI-driven security assessments operate under human-in-the-loop supervision. Autonomous actions are bounded by operator-defined rules of engagement, and kill-switch mechanisms are always available.
  • Data processing by AI: The AI engine processes only network and system data within the customer's on-premise environment. No customer data is transmitted externally. The AI does not process personal data of end users unless explicitly included in the assessment scope defined by the customer.
  • Training data: Our AI models are trained on publicly available vulnerability databases, security advisories, and synthetic environments. No customer data is used for model training.
  • Risk management: We maintain a comprehensive risk management system in accordance with Art. 9 of the AI Act, including continuous monitoring, bias assessment, and robustness testing.

5. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described above:

  • Contact inquiries: Retained for 12 months from the last interaction, unless a commercial relationship is established.
  • Contractual data: Retained for the duration of the contract plus 10 years as required by Italian fiscal regulations.
  • Technical/analytics data: Anonymized and aggregated; no individual-level data is retained.

6. Data Sharing and Transfers

We do not sell, trade, or rent personal data. We may share data with the following categories of recipients, only to the extent necessary:

  • Hosting provider: Cloudflare, Inc. (USA) — for website hosting and analytics. Cloudflare operates under the EU-US Data Privacy Framework.
  • Email provider: Self-hosted mail server located in the EU.

For any transfer of personal data outside the EEA, we ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR, including Standard Contractual Clauses (SCCs) or adequacy decisions.

7. Cookies

This website does not use cookies for tracking or advertising purposes. Cloudflare Web Analytics is privacy-first and does not use cookies, fingerprinting, or any client-side state to collect analytics. No cookie consent banner is required.

8. Your Rights (Articles 15-22 GDPR)

Under the GDPR, you have the following rights:

  • Right of access (Art. 15): Obtain confirmation of whether your data is being processed and request a copy.
  • Right to rectification (Art. 16): Request correction of inaccurate data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18): Request restriction of processing in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at dpo(at)zerohunt.ai. We will respond within 30 days as required by law.

9. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali):

Garante per la protezione dei dati personali
Piazza Venezia, 11 — 00187 Roma, Italy
www.garanteprivacy.it

10. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. Material changes will be indicated by updating the "Last updated" date at the top of this page. We encourage you to review this policy periodically.