Effective: March 21, 2026 · Last updated: March 23, 2026
The short version: We do not collect, store, or share any personal data. Everything stays on your device.
Overview
CVE Tracker is a read-only security research and monitoring tool that displays publicly available vulnerability data from the National Vulnerability Database (NVD). This Privacy Policy explains how the app handles your information.
1. Information We Collect
We do not collect any personal information. The app does not transmit any data about you to our servers because we do not operate any servers.
The following data is stored locally on your device only:
- Bookmarks — CVE IDs you save for later review (stored in device UserDefaults)
- Watched Vendors — vendor names you choose to monitor (stored in UserDefaults)
- Followed Products — product watchlists you create (stored in UserDefaults)
- Search History — recent search queries (stored locally on-device)
- CVE Cache — vulnerability data fetched from NVD, cached locally to improve performance (stored in your device's Cache directory as
cve_cache.json) - NVD API Key — if you provide one, it is stored securely in the iOS Keychain with device-only encryption (
kSecAttrAccessibleWhenUnlockedThisDeviceOnly) - Notification Preferences — timestamps used to prevent duplicate notifications
- App Launch Status — a flag indicating first-time app launch
None of this data leaves your device or is accessible to FGA Apps.
2. Third-Party Services
The app fetches publicly available data from the following external sources. When your device connects to these services, your IP address is transmitted as part of the standard internet request. We have no control over how these third parties handle network-level data.
- National Vulnerability Database (NVD) — operated by NIST, U.S. Department of Commerce. Used to fetch CVE vulnerability records. Endpoint:
https://services.nvd.nist.gov/rest/json/cves/2.0. If you provide an NVD API key, it is sent as an HTTP header to NIST to increase rate limits. See NIST's privacy policy. - Security News Feeds (RSS/Atom) — the app aggregates articles from these public feeds:
- The Hacker News —
feeds.feedburner.com/TheHackersNews - BleepingComputer —
bleepingcomputer.com/feed/ - Krebs on Security —
krebsonsecurity.com/feed/ - Dark Reading —
darkreading.com/rss.xml - CISA Advisories —
cisa.gov/cybersecurity-advisories/all.xml
- The Hacker News —
3. Push Notifications
Push notifications (CVE alerts and news alerts) are generated entirely on your device using Apple's UNUserNotificationCenter framework. The app does not use any third-party push notification services or route notification content through external servers.
Apple's APNs infrastructure may be involved in delivering device-level notification permissions. See Apple's Privacy Policy for details.
You can disable notifications at any time in iOS Settings › CVE Tracker › Notifications.
4. Background Activity
The app uses iOS Background App Refresh to periodically check for new CVE alerts and security news. This background activity only performs outbound requests to the NVD and news feed sources listed above — no personal data is transmitted.
Background task identifiers: com.cvetracker.app.news-refresh and com.cvetracker.app.cve-alert.
You can disable background refresh in iOS Settings › General › Background App Refresh › CVE Tracker.
5. Data Security
- All app data is stored locally using Apple's built-in storage mechanisms
- NVD API keys are protected by iOS Keychain encryption, accessible only when the device is unlocked
- All network connections enforce HTTPS (App Transport Security is enabled;
NSAllowsArbitraryLoads = false) - No analytics SDKs, crash reporting services, advertising networks, or social media integrations are included in the app
6. Data Retention and Deletion
All locally stored data (bookmarks, watchlists, cache, API key) persists on your device until you delete the app. Uninstalling CVE Tracker removes all associated app data from your device.
We have no access to your data and therefore cannot delete it on your behalf.
7. Children's Privacy
CVE Tracker is designed for security professionals, researchers, and technically oriented users. The app is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect any information from children.
8. Changes to This Policy
If we make material changes to this Privacy Policy, we will update the "Last Updated" date above. Continued use of the app after changes are posted constitutes your acceptance of the updated policy.
9. Contact
If you have questions about this privacy policy, please visit our support page.
Summary
| Data collected by FGA Apps | None |
| Data sold or shared | None |
| Analytics / tracking | None |
| Advertising | None |
| Third-party SDKs | None |
| Data stored on device | Bookmarks, watchlists, cache, API key |
| External network requests | NVD (NIST) + 5 public news RSS feeds |