Cookie Policy
Last updated: March 2026
1. Introduction
This Cookie Policy explains how BreachLine Labs Limited ("BreachLine", "we", "us", or "our") uses cookies and similar technologies when you visit our website at breachline.io and use the Nebula autonomous penetration-testing platform (collectively, the "Service").
We are committed to protecting your privacy and being transparent about the technologies we use. This policy is issued in compliance with the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended.
Under PECR, we are required to obtain your informed consent before placing cookies on your device, except where those cookies are "strictly necessary" for the provision of a service you have requested. We take this obligation seriously and have designed our cookie practices accordingly.
2. What Are Cookies
Cookies are small text files (typically containing letters and numbers) that are placed on your device (whether a computer, smartphone, tablet, or other internet-enabled device) when you visit a website. They are stored by your web browser and sent back to the originating website (or another website that recognises them) on each subsequent visit.
Cookies serve a wide range of functions. They can remember your login credentials so you do not have to re-authenticate on every page, record your preferences (such as language or theme), and help website operators understand how visitors interact with their services so they can improve performance and usability.
Cookies can be classified by their lifespan and by who sets them:
- Session cookies: These are temporary cookies that expire when you close your browser. They enable core functionality such as maintaining your authenticated session as you navigate between pages.
- Persistent cookies: These remain on your device for a set period (or until you manually delete them). They allow the Service to recognise you on return visits and remember your preferences.
- First-party cookies: Set directly by breachline.io and readable only by our domain.
- Third-party cookies: Set by a domain other than breachline.io, typically by external services we integrate with (such as authentication providers or payment processors).
In addition to cookies, we may use similar technologies such as local storage (HTML5 web storage) to store small amounts of data in your browser. Where we refer to "cookies" in this policy, we include these similar technologies unless otherwise stated.
3. How We Obtain Consent
In accordance with Regulation 6 of PECR, we obtain your clear, affirmative consent before placing any non-essential cookies on your device. When you first visit breachline.io, you will be presented with a cookie consent banner that clearly explains the categories of cookies we wish to set and allows you to accept or reject each category individually.
Our consent mechanism operates on an opt-in basis. No non-essential cookies are placed until you have made an active choice. You are free to accept all, reject all, or selectively enable individual categories. You are not required to accept non-essential cookies as a condition of using the Service.
Strictly necessary cookies are exempt from the consent requirement under PECR Regulation 6(4). These cookies are essential for the operation of the Service, for example to authenticate your session or to protect against cross-site request forgery attacks. Without them, the Service cannot function as intended, and therefore consent is not required or sought for this category.
You may change your cookie preferences at any time by accessing the cookie settings control available in the footer of our website. Withdrawing consent will not affect the lawfulness of processing carried out prior to withdrawal. When you withdraw consent for a cookie category, we will remove the relevant cookies at the earliest opportunity (typically upon your next page load).
4. Cookies We Use
The tables below describe each category of cookie we use, the specific cookies within each category, their purpose, their duration, and whether they are first-party or third-party.
4.1 Strictly Necessary Cookies
These cookies are essential for the Service to function and cannot be switched off in our systems. They are set in response to actions you take that amount to a request for services, such as logging in, setting your privacy preferences, or filling in forms. Consent is not required for strictly necessary cookies under PECR.
Session & Authentication Cookies
Maintain your authenticated session after login and ensure requests are associated with the correct user account. These include the session identifier token and the NextAuth.js session cookie.
CSRF Protection Cookies
Protect against cross-site request forgery attacks by ensuring that form submissions and API requests originate from our Service and not from a malicious third-party site.
Security Cookies
Used for rate limiting, bot detection, and abuse prevention. These cookies help us identify and mitigate automated attacks, credential-stuffing attempts, and other malicious activity targeting the platform.
Load Balancing Cookies
Ensure that your requests are routed to the same backend server throughout your session, providing a consistent and reliable experience, particularly during active scan operations.
Cookie Consent Preferences
Stores your cookie consent choices so that we do not ask you again on subsequent visits and so that we can honour your preferences across sessions.
4.2 Functional Cookies
Functional cookies enable enhanced functionality and personalisation. They may be set by us or by third-party providers whose services we have integrated into our pages. These cookies require your consent under PECR. If you do not allow these cookies, some or all of these features may not function correctly.
User Interface Preferences
Remember your chosen theme (light/dark), language preference, dashboard layout configuration, sidebar state, and notification display settings. These ensure a consistent experience tailored to your preferences.
Recently Viewed Items
Store references to recently viewed scan reports, target assets, and findings so you can quickly navigate back to items you were working with. No sensitive scan data is stored in the cookie itself, only identifiers.
4.3 Analytics Cookies
Analytics cookies help us understand how visitors interact with the Service by collecting and reporting information. We use privacy-focused analytics solutions that anonymise or pseudonymise data wherever possible. These cookies require your consent under PECR. All analytics data is processed within the European Economic Area or the United Kingdom.
Privacy-Focused Usage Analytics
Collect anonymised usage patterns including pages visited, session duration, referral sources, and general geographic region (country level). We do not track individual users across websites, do not build advertising profiles, and do not share analytics data with third parties. IP addresses are anonymised before storage.
Performance Monitoring
Measure page load times, API response times, and client-side errors to help us identify and resolve performance issues. This data is aggregated and does not contain personally identifiable information. It enables us to ensure the Nebula platform remains responsive during intensive operations such as live scan monitoring.
4.4 Marketing & Advertising Cookies
We do not currently use any marketing, advertising, or behavioural tracking cookies.
BreachLine does not serve advertisements, does not participate in advertising networks, and does not set cookies for the purpose of tracking you across third-party websites to build an advertising profile. Should this position change in the future, we will update this policy, obtain your explicit consent prior to setting any such cookies, and provide clear information about what data is collected and by whom.
5. Third-Party Cookies
Certain features of the Service require integration with third-party providers. These providers may set their own cookies on your device when you interact with their services through our platform. We have listed each third party below, along with the purpose of their cookies and a link to their respective privacy policies.
Authentication Providers (Google, GitHub)
If you choose to sign in using Google or GitHub OAuth, these providers will set cookies on your device to facilitate the authentication handshake and maintain your authenticated state with their service. These cookies are controlled by Google and GitHub respectively and are subject to their own privacy policies.
Payment Processing (Stripe)
We use Stripe to process payments securely. When you interact with payment forms, Stripe may set cookies to detect and prevent fraud, to manage the payment session, and to comply with regulatory requirements such as Strong Customer Authentication (SCA) under PSD2. Stripe processes payment data as an independent data controller for fraud prevention purposes.
Error Monitoring (Sentry)
We use Sentry to capture and diagnose application errors in real time. Sentry may set cookies to correlate error reports with browser sessions, helping our engineering team reproduce and resolve issues. Error reports may include technical information such as browser type, operating system, and stack traces, but do not intentionally include personal data.
Infrastructure Security (Cloudflare)
Cloudflare provides DDoS protection, web application firewall, and content delivery services for our platform. Cloudflare may set cookies to distinguish between humans and bots, to apply security challenge pages, and to manage rate-limiting. These cookies are strictly necessary for the secure operation of the Service.
6. How to Manage Cookies
In addition to using our cookie consent controls, you can manage cookies directly through your browser settings. Most modern browsers allow you to view, delete, and block cookies. Please note that if you disable strictly necessary cookies, certain features of the Service, including authentication and scan management, may not function correctly.
Below are instructions for managing cookies in the most commonly used browsers:
Google Chrome
Navigate to Settings > Privacy and Security > Cookies and other site data. From here you can block third-party cookies, clear cookies on exit, or manage exceptions for specific sites. Alternatively, visit Chrome's cookie support page.
Mozilla Firefox
Navigate to Settings > Privacy & Security > Cookies and Site Data. Firefox offers Enhanced Tracking Protection with Standard, Strict, and Custom levels. You can also manage exceptions and clear data for individual sites. See Firefox's cookie documentation.
Apple Safari
Navigate to Safari > Preferences > Privacy (macOS) or Settings > Safari > Privacy & Security (iOS). Safari blocks cross-site tracking cookies by default through Intelligent Tracking Prevention (ITP). You can also manage website data and remove stored cookies. See Safari's privacy guide.
Microsoft Edge
Navigate to Settings > Cookies and site permissions > Manage and delete cookies and site data. Edge offers Basic, Balanced, and Strict tracking prevention levels. See Edge's cookie management guide.
For more comprehensive information about managing cookies across different browsers and devices, visit www.aboutcookies.org or www.allaboutcookies.org.
7. Do Not Track Signals
Some web browsers transmit a "Do Not Track" (DNT) signal to the websites they visit. There is currently no universally accepted standard for how websites should respond to DNT signals, and no legal requirement under UK law to honour them.
However, BreachLine respects your privacy choices. As we do not engage in cross-site tracking or serve advertising cookies, our practices are already aligned with the intent of DNT signals. We will continue to monitor developments in this area and will update this policy if we adopt a formal DNT response mechanism in the future.
8. Changes to This Policy
We may update this Cookie Policy from time to time to reflect changes in our practices, the cookies we use, or applicable legal requirements. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Display a prominent notice on our website informing you of the change.
- Where changes affect the categories of cookies we use or introduce new third-party cookies, re-present the cookie consent banner so you can review and update your preferences.
- For registered users, send a notification via email or through the Nebula platform dashboard where the changes are significant.
We encourage you to review this policy periodically to stay informed about how we use cookies. Your continued use of the Service after changes are posted constitutes acceptance of those changes, except where fresh consent is required under PECR, in which case we will always obtain that consent before setting new cookie categories.
9. Your Rights Under UK GDPR
Where cookies involve the processing of personal data, you have the following rights under the UK GDPR:
- Right of access: You have the right to request a copy of the personal data we hold about you, including data collected via cookies.
- Right to rectification: You have the right to request correction of any inaccurate personal data.
- Right to erasure: You have the right to request deletion of your personal data in certain circumstances.
- Right to restrict processing: You have the right to request that we limit our processing of your personal data.
- Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object: You have the right to object to the processing of your personal data in certain circumstances.
- Right to withdraw consent: Where we rely on consent as the lawful basis for processing (as is the case for non-essential cookies), you have the right to withdraw that consent at any time. You can do so via our cookie settings control or by adjusting your browser settings.
To exercise any of these rights, please contact us using the details in Section 10 below. We will respond to your request within one month, as required by UK GDPR.
If you are not satisfied with our response or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection. You can contact the ICO at ico.org.uk/make-a-complaint or by telephone on 0303 123 1113.
10. Contact Us
If you have any questions, concerns, or requests regarding this Cookie Policy or our use of cookies, please contact us:
BreachLine Labs Limited
167-169 Great Portland Street, 5th Floor
London W1W 5PF
United Kingdom
Email: privacy@breachline.io
We aim to respond to all cookie-related enquiries within 14 calendar days. For requests relating to your rights under UK GDPR, we will respond within one month, in accordance with our legal obligations.