1. Introduction
WebVerse Pro (“WebVerse,” “we,” “us,” or “our”) operates an online platform of realistic web application security training labs. This Privacy Policy explains what personal information we collect from you, how we use and share it, how long we keep it, and the rights you have over it.
This Policy applies to webverselabs-pro.com and every subdomain we operate, including but not limited to dashboard.webverselabs-pro.com, api.webverselabs-pro.com, blog.webverselabs-pro.com, and the lab and challenge subdomains we provision dynamically. It applies whether you access the platform from a browser, a VPN client, or any future first-party application we publish.
By creating an account or otherwise using the service, you confirm that you have read and understood this Policy. If you do not agree, do not create an account; if you already have one and want to leave, you can delete your account at any time from your dashboard settings.
2. Information We Collect
We try to collect only what we need to run the service well and to keep it safe. The categories below describe everything we collect today; if we add a meaningful new category in the future, we will update this Policy and surface the change before it takes effect.
2.1 Account information
When you sign up with an email and password, we collect your email address, your chosen username (or one we auto-generate from your email’s local-part if you sign up via Google), and a cryptographic hash of your password. We never store your password in cleartext. Hashes are computed with a modern, salted, one-way hashing algorithm; the original password cannot be recovered from the hash.
When you sign in with Google, we additionally receive your Google account’s stable user identifier (the “sub” claim of the OpenID Connect ID token), the email address Google has verified for that account, your display name, and the URL of your Google profile picture. We store the sub as the canonical link key, the email as your account email, and the picture URL as a fallback avatar shown until you upload your own. We do not request or receive Google scopes beyond openid email profile.
2.2 Subscription and payment information
Payments are handled exclusively by Stripe. We never see, store, or transmit your card number, expiry, CVC, or bank account details. From Stripe’s side of the integration we receive and store: a Stripe customer ID, a Stripe subscription ID, your plan tier (e.g. pro), your subscription status (e.g. active, past_due, cancelled), and the timestamp at which your current period ends. Webhook events from Stripe drive the lifecycle of your Pro entitlement on our side.
Stripe’s own collection and processing of payment data is governed by Stripe’s Privacy Policy. We recommend reading it.
2.3 VPN connection metadata
WebVerse labs are only reachable through our VPN service. To route your traffic correctly and to detect abuse, we collect and store the following operational metadata about each VPN session:
- A private VPN address assigned to your account. This address is stable per account so that your in-lab traffic always originates from the same source.
- A client identifier embedded in the configuration file you download. This is what authenticates you to the VPN service.
- The connection and disconnection timestamps for each VPN session.
- A history of connect / disconnect events generated by the VPN service. These let us reconcile lab state and time out idle sessions.
We do not log the destination addresses, ports, packet contents, or DNS queries of your VPN traffic in the ordinary course of operation. We may inspect specific flows if we have a good-faith reason to investigate suspected abuse (see Section 3).
2.4 Lab and challenge usage data
For each lab and challenge you start, we record which lab or challenge it was, when you started it, when you stopped or completed it, and how long it ran. When you submit a flag, we record the slug of the lab/challenge, the timestamp, whether the flag matched, and how long you took from start to solve. Successful solves contribute to your XP balance, your rank, and your daily-login solve streak. We retain solve and attempt history for the lifetime of your account so that your dashboard, achievements, and leaderboard placement remain accurate.
2.5 Technical data
Like every internet service, we receive technical data with each request: your IP address, your user agent string, the URL you requested, the HTTP method and status code, response size, and timing. We retain summarized request logs for diagnostics and security purposes; see Section 5 for retention windows.
2.6 Analytics
We use Google Analytics 4 on the marketing site to understand which pages visitors find, where they came from, and what they click. GA4 assigns a pseudonymous client identifier in a first-party cookie (_ga) and collects events such as page views, scroll depth, and outbound link clicks. We have IP anonymization enabled at the GA4 property level, which prevents Google from storing the full visitor IP address. We do not link GA4 client identifiers to your WebVerse account.
Google’s collection and processing of analytics data is governed by Google’s Privacy Policy. You can opt out of GA4 site-wide using Google’s opt-out browser add-on or by blocking the _ga cookie in your browser settings.
2.7 Cookies
We use a small number of cookies. The list below is exhaustive for the platform we operate today.
- token — authentication cookie. First-party, HttpOnly, Secure, SameSite=Lax. Carries your signed session and is what keeps you logged in across page loads. Lifetime: 24 hours from issuance, or until you log out.
- oauth_state — used briefly during Google sign-in to bind your sign-in attempt to the browser that started it (CSRF defense). First-party, HttpOnly, Secure, SameSite=Lax. Lifetime: 10 minutes; deleted as soon as the sign-in completes.
- _ga, _ga_* — first-party Google Analytics 4 cookies. Lifetime: up to 2 years. Pseudonymous client identifier and session state for analytics aggregation. See Section 2.6.
- Stripe cookies — set by Stripe’s hosted Checkout flow during a billing transaction. Lifetime and purpose are governed by Stripe’s cookies policy.
We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking cookies of any kind.
3. How We Use Information
We use the information described above to:
- Provide and operate the service. Authenticate you, render your dashboard, start and stop labs and challenges, route VPN traffic to the correct lab subnet, validate flag submissions, compute XP and rank, and surface achievements and recommendations.
- Personalize your experience. Recommend labs based on what you’ve completed, surface progress indicators, and remember your last-known dashboard state across devices.
- Process payments. Create and update Stripe subscriptions, react to webhook events, gate Pro-only features, and reconcile subscription state on a recurring schedule.
- Send transactional email. Email verification on signup, password reset links when you ask for one, billing notifications, and security alerts. We use Resend to deliver these. We do not currently send marketing or promotional email; if we ever start, we will update this Policy and provide an opt-out mechanism in the email itself.
- Detect and prevent abuse. Inspect anomalous traffic, rate-limit authentication endpoints, suspend accounts that violate the Acceptable Use Policy, and respond to reports from third parties about abuse originating from our network.
- Comply with legal obligations. Respond to lawful requests from courts and government agencies, fulfill our tax and accounting obligations, and meet any applicable regulatory requirements.
We do not use your personal information to train machine learning models, to sell to data brokers, or to build advertising profiles. We have no third-party advertising on the platform.
4. How We Share Information
We share information only with the third parties listed below, and only to the extent described. Each third party is a “subprocessor” that handles specific data on our behalf under their own privacy terms.
- Stripe — payment processing. Receives your name, email, billing address, and card details that you enter directly into Stripe’s hosted Checkout. We receive a customer and subscription identifier in return. Stripe Privacy Policy.
- Google — OAuth sign-in and analytics. For OAuth, Google receives the URL of our consent screen request and returns your sub, verified email, name, and picture. For analytics, Google Analytics 4 receives the events described in Section 2.6. Google Privacy Policy.
- Resend — transactional email delivery. Resend receives the recipient email address, message subject and body, and delivery metadata for each transactional email we send. Resend Privacy Policy.
- Discord — public community notifications. When you complete a lab or challenge for the first time, or when you unlock an achievement, we post a notification containing your username, the lab/challenge name or achievement, and the solve time to public Discord channels run for the WebVerse community. This sharing is part of the platform’s public leaderboard culture and cannot currently be opted out of without deleting your account. If you do not want your username and progress shared in public Discord channels, do not use the service. We will surface this clearly during signup in a future release; in the meantime, this Policy is the canonical disclosure. Discord Privacy Policy.
We may also disclose information when required by law (subpoena, court order, lawful request from a government agency), to protect the rights, property, or safety of WebVerse, our users, or the public, or in connection with a corporate transaction such as a merger, acquisition, or asset sale — in which case we will notify affected users in advance where legally possible.
We do not sell personal information. We do not share personal information with advertising networks, data brokers, or third-party marketers.
5. Data Retention
We retain personal information only as long as we need it to operate the service. The retention windows below apply unless a longer period is required by law or by an active investigation.
- Account information — retained while your account is active, and deleted within 30 days of you initiating account deletion in your dashboard settings. Backups containing your data are overwritten on a 90-day cycle, after which residual copies are gone.
- Lab and challenge solve history — retained while your account is active so that your dashboard, achievements, and rank remain accurate. Deleted with the account.
- VPN connection metadata and connect/disconnect events — retained for 90 days, then deleted. Your VPN configuration file remains valid for as long as the credentials inside it have not expired (currently around a year), so that you do not need to re-download it on every session.
- Transactional email logs — Resend retains delivery metadata according to its own retention schedule; we do not keep an additional long-term store of message content on our side.
- Application request logs — retained for 30 days at full fidelity, then rotated out. Aggregated traffic statistics may be retained longer in summarized form.
- Stripe billing records — retained on Stripe’s side for the period required by financial-services regulation (typically seven years for tax and audit purposes).
- Public Discord posts — once posted to the public Discord channel, a solve notification is part of the channel history and is governed by Discord’s retention policies. We do not delete historical Discord posts when you delete your WebVerse account.
6. Security Measures
Security is a non-negotiable feature of a security-training platform. The controls below are a representative, non-exhaustive list of what we do today. We deliberately keep the list high-level — specifics about how the platform is built do not belong in a privacy policy.
- Password handling. All passwords are stored as one-way hashes computed with a modern, salted hashing algorithm. We never log, transmit, or store cleartext passwords.
- Encryption in transit. Every public surface is served over TLS, with HTTP redirected to HTTPS at the edge. Authentication cookies are Secure and HttpOnly.
- Per-user isolation. Each user is issued unique VPN credentials. Lab environments are network-isolated so that one user cannot reach another user’s running labs.
- Session integrity. Authentication tokens are cryptographically signed and bound to your account. Tokens are invalidated immediately when you change your password.
- Rate limiting and abuse controls. Authentication endpoints, signup, password reset, and other sensitive surfaces are rate-limited. Anomalous traffic is throttled or blocked.
- Principle of least privilege. Operator access to production is restricted and audited. Lab environments run with bounded CPU, memory, and lifetime limits.
No system is impenetrable. If you discover a vulnerability, we welcome reports under our responsible disclosure process.
7. Your Rights
Depending on where you live, you may have some or all of the following rights with respect to your personal information.
- Access. Request a copy of the personal information we hold about you.
- Correction. Ask us to correct inaccurate information.
- Deletion. Ask us to delete your account and associated data, subject to retention requirements that bind us by law.
- Export. Receive a copy of your data in a portable, machine-readable format.
- Withdrawal of consent. Where we rely on consent, withdraw it at any time.
Email. The only emails we send today are transactional (account verification, password reset, billing notifications, security alerts). Because they are necessary for service operation, you cannot opt out of them while you have an active account — the only way to stop them is to delete your account. We will introduce explicit opt-out controls if and when we begin sending non-transactional email.
Discord posts. First-solve and achievement notifications posted to the public Discord channels described in Section 4 cannot currently be suppressed on a per-user basis. We are aware this is a coarse control and may introduce a per-user opt-out in a future release; in the meantime, the only way to prevent Discord posts is to refrain from completing labs and challenges, or to delete your account.
EU and UK residents. The General Data Protection Regulation (GDPR) and the UK GDPR give you the additional rights to restrict processing, object to processing, request data portability, and lodge a complaint with your local supervisory authority. For our processing of personal data, our lawful bases are: contract (operating the service you signed up for), legitimate interests (security, fraud prevention, product improvement), and legal obligation (tax, accounting, lawful requests).
California residents. The California Consumer Privacy Act (CCPA) and CPRA give you the rights to know what personal information we collect about you, to delete it, to correct it, and to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioural advertising, so the opt-out is moot in practice.
To exercise any of these rights, email us at [email protected]. For deletion specifically, the fastest path is to use the “Delete account” control in your dashboard settings, which initiates the deletion automatically.
8. International Data Transfers
We operate infrastructure in both the European Union and North America, and your personal information may be processed in either region. Our subprocessors (Stripe, Google, Resend, Discord) operate global infrastructures and may process your data in regions other than where you live.
Where personal data of EU or UK residents is transferred to a country that has not received an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and corresponding UK addenda as the legal basis for transfer, supplemented by the technical measures described in Section 6.
9. Children
WebVerse Pro is not intended for children. You must be at least 16 years old (or 13 in the United States, where COPPA applies) to create an account. We do not knowingly collect personal information from children below those thresholds. If we become aware that a child has registered, we will delete the account and any associated data without notice. If you are a parent or guardian and believe a child has provided us with personal information, please email [email protected] and we will act promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the date of the most recent revision. Material changes — for example, a new category of data we collect, a new subprocessor that handles your data, or a meaningful change in your rights or our retention schedule — will be communicated to active users via email or via a prominent in-product banner before the change takes effect.
Your continued use of the service after a Policy revision becomes effective constitutes your acceptance of the revised Policy. If you do not agree with a revision, you should stop using the service and delete your account before the effective date.
11. Contact
Questions, concerns, or requests about this Privacy Policy or about how we handle your personal information can be sent to:
We aim to respond within fifteen business days, and faster for time-sensitive requests such as account deletion or suspected security incidents.
This document is a general template adapted for WebVerse Pro and does not constitute legal advice. For questions about how it applies to your jurisdiction, consult an attorney.