Privacy Policy
Last updated: March 2026
1. Introduction
BreachLine Labs Limited ("BreachLine", "we", "our", or "us") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, disclose, and safeguard your personal data when you visit our website at breachline.io, use our autonomous penetration testing platform "Nebula", or otherwise interact with our services (collectively, the "Services").
This policy applies to all individuals who access or use our Services, including account holders, authorised users within an organisation, website visitors, prospective customers, and anyone who contacts us for support or enquiries.
We are registered with the Information Commissioner's Office (ICO) as a data controller. You can verify our registration on the ICO's public register at ico.org.uk. Our processing of personal data is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read and understood this policy. If you do not agree with our practices, please do not use our Services.
2. Data Controller
The data controller responsible for your personal data is:
BreachLine Labs Limited
167-169 Great Portland Street, 5th Floor
London W1W 5PF, United Kingdom
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy and our data protection practices. If you have any questions about this policy, including any requests to exercise your legal rights, please contact our DPO using the details below:
Data Protection Officer
Email: privacy@breachline.io
Post: Data Protection Officer, BreachLine Labs Limited, 167-169 Great Portland Street, 5th Floor, London W1W 5PF, United Kingdom
3. Information We Collect
We collect and process the following categories of personal data. The specific data collected depends on how you interact with our Services and which features you use.
a) Account Data
When you register for an account, we collect your full name, email address, company or organisation name, job title, telephone number (where provided), and account credentials (passwords are stored in hashed form only). If you register via a third-party authentication provider (such as Google or GitHub), we receive your name and email address from that provider.
b) Usage Data
We collect information about how you interact with our platform, including pages visited, features used, scan configurations selected, dashboard interactions, search queries within the platform, time spent on various sections, click patterns, and user preferences and settings. This data helps us understand how our Services are used and how we can improve them.
c) Technical and Log Data
When you access our Services, we automatically collect technical information including your IP address, browser type and version, operating system, device identifiers, referring URLs, access timestamps, API call logs, error logs, and session identifiers. Our servers generate log files as part of standard operations, and these logs are essential for maintaining the security and integrity of our platform.
d) Scan Data
When you use our Nebula platform to conduct security assessments, we process data related to your scans, including target domains, IP addresses, and URLs that you authorise for testing; scan configuration parameters and scheduling preferences; vulnerability findings and their severity classifications; remediation recommendations generated by our AI systems; scan reports and executive summaries; and historical scan comparison data. Scan data may contain information about third-party systems that you are authorised to test. You are responsible for ensuring you have the proper authorisation to test any targets you submit to our platform.
e) Payment Data
When you purchase a subscription or make a payment, we collect billing name, billing address, company VAT number (where applicable), and payment card details. Payment card information is processed directly by our PCI-DSS compliant payment processor and is not stored on our servers. We retain only a tokenised reference, the last four digits of your card, card type, and expiry date for your records and our billing administration.
f) Communication Data
When you contact us via email, our in-platform chat, Slack integration, support tickets, or other communication channels, we collect the content of your messages, attachments, metadata (such as timestamps and sender information), and any feedback or survey responses you provide. If you use our Slack integration, we process messages directed to our Nebula agent within your authorised Slack workspace.
g) Marketing Data
Where you have opted in, we collect your marketing preferences, newsletter subscription status, event registration details, responses to promotional campaigns, and information about how you engage with our marketing communications (such as email open rates and link clicks). We also collect data from publicly available professional sources (such as LinkedIn) where we have a legitimate interest in contacting relevant security professionals about our Services.
4. Lawful Basis for Processing
Under Article 6 of the UK GDPR, we must have a valid lawful basis to process your personal data. We rely on the following bases depending on the type of data and the purpose of processing:
a) Performance of a Contract (Article 6(1)(b))
We process your account data, scan data, payment data, and communication data as necessary to perform our contract with you, that is, to provide the Nebula platform and related services you have subscribed to. This includes creating and managing your account, executing security scans you initiate, generating reports and findings, processing payments for your subscription, and providing customer support related to your use of the Services.
b) Legitimate Interests (Article 6(1)(f))
We process certain data where it is necessary for our legitimate interests (or those of a third party), provided those interests are not overridden by your rights and freedoms. Our legitimate interests include: improving and optimising our platform based on usage data; maintaining the security and integrity of our Services through log analysis; detecting and preventing fraud, abuse, and unauthorised access; conducting internal analytics and business intelligence; and direct marketing to existing customers about similar products or services (soft opt-in). We have conducted legitimate interest assessments for each of these purposes and maintain records of those assessments.
c) Consent (Article 6(1)(a))
Where we rely on your consent, we will obtain it clearly and explicitly before processing. This applies to: marketing communications sent to prospective customers (non-existing customers); placement of non-essential cookies and similar tracking technologies; and any special category data processing, should it arise. You have the right to withdraw your consent at any time by contacting us at privacy@breachline.io or by using the unsubscribe mechanism provided in our communications. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
d) Legal Obligation (Article 6(1)(c))
We process certain data where it is necessary to comply with a legal obligation to which we are subject. This includes: retaining financial records and transaction data as required by HM Revenue & Customs (HMRC) and the Companies Act 2006; responding to lawful requests from law enforcement or regulatory authorities; and maintaining records required under applicable anti-money laundering legislation.
5. How We Use Your Information
We use your personal data for the following specific purposes, each mapped to its corresponding lawful basis:
- Providing our Services: To create and manage your account, authenticate your identity, execute security scans, generate vulnerability reports, and deliver the core functionality of the Nebula platform. (Lawful basis: Contract)
- Processing payments: To process subscription payments, issue invoices, manage billing enquiries, and handle refunds. (Lawful basis: Contract)
- Customer support: To respond to your enquiries, troubleshoot issues, and provide technical assistance via email, in-platform chat, or Slack. (Lawful basis: Contract)
- Platform improvement: To analyse usage patterns, identify bugs and performance issues, develop new features, and improve the accuracy of our AI-driven security assessments. (Lawful basis: Legitimate interest)
- Security and fraud prevention: To monitor for suspicious activity, prevent unauthorised access, detect abuse of our platform, and maintain the overall security posture of our Services. (Lawful basis: Legitimate interest)
- Communications: To send you essential service notifications, security alerts, product updates, changes to our terms or policies, and scheduled scan reports. (Lawful basis: Contract / Legitimate interest)
- Marketing: To send promotional emails, newsletters, event invitations, and information about new features or services, where you have opted in or where we rely on soft opt-in for existing customers. (Lawful basis: Consent / Legitimate interest)
- Legal compliance: To comply with applicable laws, regulations, and legal processes, including tax reporting obligations and responses to lawful data requests. (Lawful basis: Legal obligation)
- Aggregated analytics: To produce anonymised, aggregated statistics about platform usage, vulnerability trends, and industry benchmarks. Aggregated data is not personal data under UK GDPR. (Lawful basis: Legitimate interest)
We will not process your personal data for purposes that are incompatible with those outlined above unless we provide you with notice and, where required, obtain your consent.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data to third parties for their marketing purposes. We will never monetise your personal data or scan results. We may share your data in the following limited circumstances:
a) Sub-processors and Service Providers
We engage trusted third-party sub-processors to help us deliver our Services. These providers process personal data only on our instructions and are contractually bound by data processing agreements that comply with Article 28 of the UK GDPR. Our sub-processors include cloud infrastructure providers (for hosting and data storage), payment processors (for billing and subscription management), email service providers (for transactional and marketing communications), analytics providers (for anonymised usage analytics), and customer support tools (for ticket management). A current list of our sub-processors is available upon request by contacting privacy@breachline.io.
b) Law Enforcement and Legal Requirements
We may disclose your personal data if required to do so by law, regulation, legal process, or enforceable governmental request. This includes complying with court orders, subpoenas, or statutory obligations; responding to requests from law enforcement agencies or regulatory bodies (such as the ICO, the National Crime Agency, or HMRC); and protecting the rights, property, or safety of BreachLine Labs Limited, our users, or the public. Where lawfully permitted, we will make reasonable efforts to notify you of such disclosures.
c) Business Transfers
In the event of a merger, acquisition, reorganisation, sale of assets, or insolvency, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal data, as well as any choices you may have regarding your data. The acquiring entity will be required to honour the commitments we have made in this Privacy Policy.
d) With Your Consent
We may share your data with third parties where you have given us explicit consent to do so, for example when you choose to integrate our Services with a third-party application or authorise us to share scan reports with a designated recipient.
e) Professional Advisers
We may share data with our professional advisers, including lawyers, auditors, and insurers, where necessary for the purposes of obtaining legal, accounting, or insurance advice, or to establish, exercise, or defend legal claims.
7. International Data Transfers
Our primary data processing operations are conducted within the United Kingdom and the European Economic Area (EEA). However, some of our sub-processors may be located in, or process data in, countries outside the UK and EEA.
Where we transfer personal data outside the UK, we ensure that appropriate safeguards are in place in accordance with the UK GDPR. These safeguards include:
- UK Adequacy Regulations: We may transfer data to countries that the UK Secretary of State has determined provide an adequate level of data protection. The current list of countries with UK adequacy regulations is maintained by the UK Government.
- International Data Transfer Agreement (IDTA): Where no adequacy regulation exists, we use the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, as approved by the ICO, to ensure that your personal data receives an equivalent level of protection.
- Supplementary Measures: In addition to contractual safeguards, we implement supplementary technical and organisational measures where necessary, including encryption of data in transit and at rest, pseudonymisation, and strict access controls.
We conduct transfer impact assessments to evaluate the legal framework of the recipient country and ensure that the safeguards we have in place are effective. You may request a copy of the relevant safeguards by contacting us at privacy@breachline.io.
8. Data Retention
We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, including to satisfy any legal, regulatory, accounting, or reporting requirements. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it, and whether we can achieve those purposes through other means.
The following specific retention periods apply:
- Account Data: Retained for the duration of your active account plus 6 months following account closure or deletion. This grace period allows for account recovery in the event of accidental deletion and ensures we can fulfil any outstanding contractual obligations.
- Scan Results and Reports: Retained for 90 days by default from the date of scan completion. You may configure a shorter or longer retention period within your account settings. Scan data can also be manually deleted at any time from the platform. Upon expiry, scan data is permanently and irrecoverably deleted from our systems.
- Technical and Log Data: Retained for 12 months from the date of collection. Logs are used for security monitoring, incident investigation, and platform stability purposes. After the retention period, logs are permanently deleted or anonymised.
- Financial and Transaction Records: Retained for 7 years from the end of the financial year in which the transaction occurred, as required by HMRC and the Companies Act 2006 for tax and accounting compliance.
- Marketing Data: Retained until you withdraw your consent or unsubscribe from marketing communications. Upon withdrawal, we will cease processing your data for marketing purposes within 72 hours, though it may take up to 14 days for all systems to fully reflect the change.
- Communication Data: Support correspondence is retained for 24 months following the resolution of your enquiry, to enable us to reference previous interactions and provide continuity of service.
- Usage Data: Retained in identifiable form for 12 months, after which it is aggregated and anonymised for long-term analytics. Anonymised data is no longer personal data and may be retained indefinitely.
When personal data is no longer required, we securely delete or anonymise it using industry-standard methods. Where full deletion is not immediately possible (for example, because the data is stored in backup archives), we isolate the data and protect it from further processing until deletion is feasible.
9. Your Rights Under UK GDPR
Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain exemptions and limitations.
a) Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you, along with supplementary information about how it is processed. This is commonly known as a "subject access request" (SAR). We will provide the data in a commonly used, machine-readable format.
b) Right to Rectification (Article 16)
You have the right to request that we correct any inaccurate personal data we hold about you, and to have incomplete personal data completed. You can update most account information directly through the Nebula platform settings.
c) Right to Erasure (Article 17)
You have the right to request that we delete your personal data in certain circumstances, including where the data is no longer necessary for the purpose it was collected, where you withdraw consent (and no other lawful basis applies), where you object to processing and there are no overriding legitimate grounds, or where the data has been unlawfully processed. Please note that we may be unable to comply with an erasure request where retention is necessary for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or where another exemption applies.
d) Right to Restriction of Processing (Article 18)
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data, when the processing is unlawful but you oppose erasure, when we no longer need the data but you need it for legal claims, or when you have objected to processing pending verification of whether our legitimate grounds override yours.
e) Right to Data Portability (Article 20)
Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another controller without hindrance. You may also request that we transmit the data directly to another controller where technically feasible.
f) Right to Object (Article 21)
You have the right to object to processing of your personal data where we rely on legitimate interests as the lawful basis. Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims. You have an absolute right to object to direct marketing at any time, and we will cease such processing promptly upon receiving your objection.
g) Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. Our Nebula platform uses AI and automated systems to classify vulnerabilities and generate recommendations, but these outputs are technical assessments provided as tools for your use; they do not constitute automated decisions with legal or similarly significant effects on you. If you believe any automated processing affects you significantly, you may contact us to request human review.
h) Right to Withdraw Consent
Where we rely on consent as the lawful basis for processing, you have the right to withdraw that consent at any time. You can do so by contacting us at privacy@breachline.io, using the unsubscribe link in marketing emails, or adjusting your preferences within your account settings.
How to exercise your rights: To exercise any of the above rights, please contact our Data Protection Officer at privacy@breachline.io or write to us at the registered address listed in this policy. We may need to verify your identity before processing your request to ensure the security of your data. We will respond to your request within one calendar month of receipt. If your request is complex or we receive a high volume of requests, we may extend this period by a further two months, in which case we will notify you within the initial one-month period and explain the reasons for the delay. There is no fee for exercising your rights, unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
10. Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised or unlawful processing, accidental loss, destruction, or damage. Our security measures include, but are not limited to:
- Encryption: All data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256 encryption. Database connections are encrypted end-to-end.
- Access Controls: We enforce the principle of least privilege, with role-based access controls (RBAC) limiting access to personal data to authorised personnel who require it for their role. Multi-factor authentication is required for all administrative access.
- Infrastructure Security: Our infrastructure is hosted in secure, reputable data centres with physical access controls. We employ network segmentation, firewalls, intrusion detection systems, and continuous monitoring.
- Security Testing: We conduct regular security assessments of our own platform, including penetration testing and vulnerability scanning. We also maintain a responsible disclosure programme for external security researchers.
- Incident Response: We maintain a documented incident response plan. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected individuals without undue delay, as required by Articles 33 and 34 of the UK GDPR.
- Employee Training: All staff with access to personal data receive data protection training upon onboarding and on an annual basis thereafter.
- Regular Audits: We conduct internal audits of our data protection practices and security controls on a regular basis to identify and address potential vulnerabilities.
While we implement robust security measures, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to protecting your data to the highest standard reasonably achievable.
11. Children's Privacy
Our Services are not directed at, and are not intended for use by, individuals under the age of 18. Nebula is a professional cybersecurity platform designed for use by qualified security professionals, IT teams, and organisations. We do not knowingly collect or solicit personal data from anyone under the age of 18.
If we become aware that we have collected personal data from a child under 18 without appropriate parental consent or other lawful basis, we will take steps to delete that data as quickly as reasonably possible. If you believe that a child under 18 has provided us with personal data, please contact us immediately at privacy@breachline.io.
12. Cookies and Similar Technologies
Our website and platform use cookies and similar tracking technologies (such as web beacons and local storage) to distinguish you from other users, maintain your session, remember your preferences, and understand how you interact with our Services.
We categorise cookies as follows: strictly necessary cookies (required for the operation of our platform and placed without consent), functional cookies (used to remember your preferences and settings), analytics cookies (used to understand usage patterns and improve our Services), and marketing cookies (used to deliver relevant advertising where applicable). Non-essential cookies are placed only with your consent, which you can manage through our cookie consent banner.
For detailed information about the specific cookies we use, their purposes, and how to manage your cookie preferences, please refer to our separate Cookie Policy available on our website.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will update the "Last updated" date at the top of this page.
For material changes that significantly affect how we process your personal data or your rights, we will provide prominent notice by: sending an email notification to the address associated with your account; displaying a conspicuous notice within the Nebula platform upon your next login; and, where required by law, obtaining your consent before applying the changes to your data.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. Your continued use of our Services after any changes to this policy constitutes your acceptance of the updated policy, except where explicit consent is required.
14. Complaints
We take all concerns about data protection seriously and aim to resolve any issues promptly. If you are unhappy with how we have handled your personal data or responded to a rights request, we encourage you to contact our Data Protection Officer first at privacy@breachline.io so that we can try to resolve the matter directly.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection. You can contact the ICO at:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us using the following details:
BreachLine Labs Limited
167-169 Great Portland Street, 5th Floor
London W1W 5PF, United Kingdom
Data Protection Officer: privacy@breachline.io
General enquiries: hello@breachline.io
We aim to respond to all legitimate enquiries within 5 working days. For formal data subject rights requests, we will respond within the statutory one-month timeframe as outlined in Section 9.