Back to the report form Privacy notice

How we process security reports

This notice describes — as required by Article 13 GDPR — what personal data we process when you submit a vulnerability through our reporting form.

1. Controller

The controller for this processing is Behnke Group. You can find the full legal name, registered address, and general contact details in our imprint.

For data-protection requests relating to security reports, contact us at security@behnke.support.

2. Purpose and legal basis

We process your input exclusively to assess, triage and fix reported security issues in our systems, and — where necessary — to follow up with you. The legal basis is Article 6(1)(f) GDPR (legitimate interest in securing our systems and the data of our customers and users processed within them).

3. What we process

  • Provided voluntarily: your name (optional), your email address, your description of the issue (short summary, detailed description, reproduction steps, observed impact, additional notes), and the severity assessment you select.
  • Captured technically: the timestamp of submission, the interface language, and — if present in the HTTP request — your IP address and browser User-Agent string.

Your email address is required so we can follow up. Everything else is optional. Without an email address the form cannot be submitted.

4. Recipients

Your report is only read by Behnke Group's internal security team. A mail service provider may be involved in message delivery; where this is the case, a data-processing agreement under Article 28 GDPR is in place. We do not transfer the data to third countries outside the EU.

5. How long we keep your data

We apply a three-stage erasure schedule:

Data Retention
IP address, User-Agent 30 days after receipt, then automatically redacted
Reporter's name and email address 90 days after the case is closed, then automatically redacted
Report content (without contact data) up to 24 months from receipt, then automatically deleted

Automated erasure may take up to 24 hours to run. Beyond these periods we only retain data where and for as long as needed to respond to or investigate a specific security incident.

6. Your rights

At any time you have the right to:

  • Access the personal data we hold about you (Art. 15 GDPR)
  • Have inaccurate data corrected (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restrict processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Object to the processing (Art. 21 GDPR)

To exercise any of these rights, a short email to security@behnke.support is sufficient.

7. Right to lodge a complaint

You have the right to complain to a data-protection supervisory authority if you believe that our processing violates the GDPR. The competent authority is the one responsible for your place of residence, your place of work, or the place of the alleged infringement.

8. No automated decision-making

No automated decision-making in the sense of Article 22 GDPR takes place. Every report is reviewed by a person.

9. General Behnke Group privacy policy

For processing unrelated to security reports (e.g. general use of our websites), our general privacy policy applies in addition.

Last updated: 2026-04-24