Privacy Policy
1. Who we are
Olimpio Security Ltd ("Olimpio", "we", "us", or "our") provides a self-serve external vulnerability scanning platform for small businesses, IT consultants, and managed service providers. Users sign up, submit external domains or IP addresses they own or are authorised to test, and receive automated plain-English security reports.
This Privacy Policy explains what personal information we collect when you use our website and platform, why we collect it, how we use it, and your rights in relation to it. It covers both free and paid (Starter) account holders.
For questions about this policy, contact us at joe@olimpio.io.
2. Information we collect
Depending on how you use Olimpio, we may collect the following categories of information:
- Account information — your name, email address, and account credentials when you sign up.
- Subscription and billing information — your plan tier (Free or Starter) and payment status. Card details are handled directly by Stripe; we do not store payment card numbers.
- Scan targets and results — the external domains and IP addresses you submit for scanning, and the findings, open ports, services, and vulnerability data that result from those scans.
- GitHub Personal Access Token (Starter only) — if you connect a GitHub account for secrets detection, we receive and store your Personal Access Token (PAT). See section 5 for how this is handled.
- Technical and usage data — IP address, browser type, device information, pages visited, timestamps, referral source, and platform usage patterns. This data helps us operate and improve the service.
3. Scan data
Scan data includes the domains, external IP addresses, ports, services, and vulnerabilities associated with your submitted targets. This data belongs to you and is used to generate your reports.
We do not sell scan data. We may use aggregated, anonymised, or de-identified scan statistics to improve our scanning methodology, reporting quality, and AI-generated explanations. We will not identify individual customers or their specific findings in any public communication.
Scan data is retained for as long as your account is active and for a reasonable period after account deletion or subscription cancellation to allow report access and resolve any disputes. You may request deletion of your scan data at any time by contacting us.
4. Scan scope and what we do not access
Olimpio performs external scanning only — against domains and external IP addresses you submit that are publicly reachable over the internet. We do not scan internal networks, systems behind firewalls, or any asset that requires authenticated access.
We do not access, read, copy, or retain any content from your internal systems, databases, applications, or private network infrastructure.
5. GitHub Personal Access Tokens and secrets detection
Starter account holders may optionally connect a GitHub account by providing a Personal Access Token (PAT). This integration allows Olimpio to scan your specified repositories for exposed or leaked API keys and secrets.
How we handle PATs:
- PATs are stored encrypted at rest and are used solely to perform secrets scanning on your behalf.
- We do not use your PAT to access any repositories beyond those required for the secrets scanning feature you have enabled.
- We do not share or sell your PAT, or any content retrieved using it, to third parties, except where required to operate the scanning infrastructure.
- We do not write to, modify, or deploy from your repositories.
- Repository content accessed during scanning is processed to identify potential credential exposures and is not retained beyond what is needed to generate your findings report.
You can revoke the PAT at any time from within your GitHub account settings, which will immediately end our ability to perform further secrets scans. You can also disconnect the GitHub integration from within your Olimpio account.
We strongly recommend providing a PAT with the minimum permissions required for the secrets scanning feature (typically read-only repository access). We recommend rotating tokens regularly and revoking them if you no longer use the integration.
6. How we use your information
We use the information we collect to:
- Create and manage your account and authenticate you when you sign in.
- Run automated external scans and generate plain-English reports for your submitted targets.
- Provide secrets detection and key-rotation reminders where you have enabled the GitHub integration.
- Process and manage your Starter subscription and communicate billing-related information.
- Send email alerts on scan completion where you have enabled this feature.
- Improve the platform, scanning methodology, AI explanations, and reporting quality.
- Maintain the security and integrity of the platform and prevent misuse.
- Comply with our legal, regulatory, and accounting obligations.
- Respond to your support requests and questions.
7. Legal bases for processing (UK GDPR)
Where UK GDPR applies, we rely on the following lawful bases depending on the context:
- Contract — processing necessary to provide the service you have signed up for, including running scans, generating reports, and managing your account and subscription.
- Legitimate interests — processing for purposes such as improving our platform, preventing fraud and misuse, maintaining security, and operating our business, where those interests are not overridden by your rights.
- Legal obligation — processing required to comply with applicable laws, tax requirements, or regulatory obligations.
- Consent — where you have opted in to specific communications or where consent is otherwise required.
8. Who we share information with
We do not sell personal information. We may share limited information with trusted third-party providers only where necessary to operate the platform and deliver the service. These include:
- Cloud hosting and infrastructure providers used to run the platform and store data.
- Stripe, our payment processor, who handles subscription billing.
- Email delivery providers used to send account-related and alert emails.
- Analytics or error monitoring tools used to improve platform reliability.
- Professional advisers or legal representatives where required.
- Law enforcement, regulators, or government authorities where we are legally required to do so.
Third parties are expected to handle data securely and only for the purposes for which they are engaged. Where providers are located outside the UK or EEA, we aim to use appropriate safeguards such as standard contractual clauses or approved transfer mechanisms.
9. Retention
We keep personal information for as long as your account is active and for a reasonable period afterwards to meet legal, accounting, and operational obligations. Specific retention periods:
- Account data — retained while your account is active. Deleted or anonymised within a reasonable period after you request account deletion.
- Scan data and reports — retained while your account is active. You may request deletion at any time.
- GitHub PAT — deleted promptly when you disconnect the GitHub integration or delete your account.
- Billing records — retained for the period required by applicable accounting and tax law (typically six years in the UK).
- Technical logs — retained for a short period for security and operational purposes, then deleted or anonymised.
10. Security
We take reasonable technical and organisational measures to protect the information we hold, including encryption of sensitive credentials (such as GitHub PATs) at rest, access controls, and secure infrastructure practices.
No system or transmission method can be guaranteed completely secure. If you have security concerns about your account or believe your credentials may have been compromised, contact us immediately at joe@olimpio.io.
11. International transfers
Some infrastructure or service providers we use may process data outside the United Kingdom or European Economic Area. Where this occurs, we aim to ensure appropriate safeguards are in place, such as standard contractual clauses approved by the UK ICO or equivalent mechanisms.
12. Cookies and analytics
Our website may use essential cookies or similar technologies required for basic site operation, security, and authentication. If we introduce non-essential analytics, advertising, or tracking technologies, we will update this policy and request consent where required.
13. Your rights
Under UK GDPR, you may have the following rights depending on the lawful basis for processing:
- Access — request a copy of the personal information we hold about you.
- Correction — ask us to correct inaccurate or incomplete information.
- Deletion — request that we delete your personal information, subject to legal retention requirements.
- Restriction — ask us to restrict processing of your information in certain circumstances.
- Portability — request your data in a structured, machine-readable format where applicable.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at joe@olimpio.io. We may need to verify your identity before responding.
14. Complaints
If you have concerns about how we handle your personal information, please contact us first so we can try to resolve the matter. If you remain unsatisfied, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time as the platform evolves. The "Last updated" date at the top of this page reflects when the current version was published. Where changes are material, we will notify you by email or via an in-app notice.
16. Contact
If you have questions about this Privacy Policy or want to exercise your rights, please contact us at joe@olimpio.io.
This Privacy Policy is provided as a working document and has not been reviewed by a qualified legal professional. Given that the platform handles sensitive credentials (GitHub PATs), scan data, and UK customer personal data, it should be reviewed by a solicitor with data protection expertise before being relied upon. This is particularly important for UK GDPR compliance obligations.