PortSwigger Ltd is the data controller and is responsible for your personal data (collectively referred to as "PortSwigger", "we", "us" or "our" in this privacy notice).
If you have any questions about this notice or how we use your data, please contact:
PortSwigger Ltd
6 Booths Park
Chelford Road
Knutsford
WA16 8ZS
United Kingdom
We only collect telemetry data in specific Academy labs, and these labs are always clearly and visibly marked before you access them.
This means:
You will know in advance when a lab includes telemetry or AI interaction tracking.
There is no hidden or background data collection outside these labelled labs.
You can choose whether or not to proceed.
When you enter a marked lab, we collect technical and interaction data such as activity events, tool usage, and AI interactions, as outlined below:
a) User and session data
User ID
Session ID
Lab identifiers and titles
Session server instance information (e.g. hostname)
b) Activity and interaction data
Lab start and completion events
Comments submitted (including free-text content)
Product reviews (including content and username)
Actions taken within labs
c) AI scanner and tool interaction data
AI model used and scan activity
Iterations, tool calls, and execution results
Messages sent to and from the AI system (content may include user input)
Findings generated during scans
d) Content data (user-generated)
Blog comment content and author name (free-text field)
Product review content
Important: Free-text fields may contain personal data if entered by users.
3. Special note on personal data
We do not intentionally require users to provide personal data when using Academy Labs. However, as some features include free-text input fields, users may choose to enter information that contains personal data.
Users are therefore expected to take care not to include personal data unnecessarily. Where personal data is included, Academy Labs users should use commercially reasonable efforts to minimise any transfer of Customer Personal Data to PortSwigger. This includes, where reasonably practicable, removing, anonymising, or pseudonymising personal data in any content submitted as part of the labs.
4. How we use your data
We process telemetry data for the following purposes:
To operate and maintain the Academy platform and labs.
To monitor performance and ensure system reliability.
To detect and investigate security issues or misuse.
To analyse and improve product functionality and user experience.
To develop and improve AI-powered features.
5. Legal basis for processing
Under UK GDPR, we rely on:
Legitimate interests (Article 6(1)(f)), namely:
maintaining platform performance and security
improving our products and services
understanding how labs are used
Where telemetry is not strictly necessary, we ensure that:
data collection is proportionate
privacy risks are minimised (e.g. truncation, filtering, pseudonymisation)
6. Data minimisation and controls
We implement the following safeguards:
Telemetry is only enabled for selected labs.
Data fields may be truncated (e.g. message/tool content limits).
We remove or mask personal data where feasible before analysis.
We regularly review whether all collected fields are necessary.
7. Sharing of data
We may share telemetry data with:
Service providers supporting hosting, analytics, and infrastructure.
Internal teams for product development and security.
We do not share personal data for marketing purposes.
All third parties are subject to appropriate data processing agreements.
8. International transfers
Where data is transferred outside the UK, we ensure appropriate safeguards are in place, such as:
UK International Data Transfer Agreement (IDTA), or
Adequacy regulations
9. Data retention
We retain telemetry data only for as long as necessary to:
fulfil the purposes outlined above
comply with legal and regulatory obligations
10. Your rights
Under UK GDPR, you have the right to:
Access your personal data.
Request correction or deletion.
Restrict or object to processing.
Data portability (where applicable).
To exercise your rights, contact:
PortSwigger Ltd
6 Booths Park
Chelford Road
Knutsford
WA16 8ZS
United Kingdom