Privacy Policy
Effective Date: February 15, 2024
Scope of this Policy
In this Privacy Policy (“Policy”), we describe how Threatology, Inc. (“Threatology”, “SnapAttack”, “we”, “us” or “our”) collects, uses, and discloses personal information. In particular, this Policy applies to the personal information we collect through the following sources:
- Any Threatology website where we post this Policy, including domains and sub-domains of threatology.com and snapattack.com (our “Sites”)
- Our software, products, and platform that we make available to you (collectively, with our Sites, the “Services”)
- Offline when you interact with us, such as contacting customer support or providing us information at a conference or other event
Additional Notices & Terms
Depending upon your relationship with us, additional privacy notices may apply. In addition, if you have executed a customer agreement with us, we will use your information, including your personal information, in accordance with and as permitted by the terms of our agreement and this Policy. If there is a conflict between your customer agreement and this Policy, then your customer agreement will govern.
Disputes
SnapAttack complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. SnapAttack has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, SnapAttack commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to PrivacyTrust, an alternative dispute resolution provider based in the United Kingdom. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.privacytrust.com/drs/SnapAttack for more information or to file a complaint. The services of PrivacyTrust are provided at no cost to you.
SnapAttack will offer individuals the opportunity to choose (opt-out) whether their personal information is (a) to be disclosed to a third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. You can exercise your rights and choice by contacting us at privacy@snapattack.com.
The Information We Collect About You
Information We Collect Directly From You
The information we collect from you depends on how you use our Services and interact with us.
- When you create an account to use our Services we will collect information including your name, e-mail address, company, title, a profile picture or avatar, and personal or business contact information. If you subscribe to an enterprise account, we (or our payment processor) will also collect your billing and payment information.
- When you upload content to the Services, such as threat intelligence, attack sessions, analytics, posts, comments, or videos, we will collect information about you that you include in that content.
- If you subscribe to our mailing list or newsletters, or interact with us at events, conferences, webinars, or through other marketing activities, we will collect your name, e-mail address, company, title, and personal or business contact information.
- If you submit a support ticket, we will collect any feedback that you provide, to include optional screenshots and/or videos, as well as your account information so that we may respond to your request.
- If you contact us or request information from us, we will collect your name, contact information, and your communications with us.
Information We Collect from Other Sources
We also may collect information about you from other sources.
- As permitted by applicable law and third-party terms, we may collect information about you from content posted on other websites. For example, we may collect your name and contact information from software code, blog posts, articles, or research papers you have authored on third party websites that we make available through the Services. The intent is to credit authorship back to you as the original author.
- If a user of our Services, which could include your employer or any other person or entity, shares or uploads content to the Services that includes your personal information, we will have access to that information. Although we strongly discourage users from sharing or uploading content that includes unnecessary personal information, we cannot control what users share with the Services.
- If you obtain our Services through a partner or a managed services provider, we will obtain your personal information to create and manage accounts. As permitted by the agreement with your managed services provider, we may use your information in accordance with this Privacy Policy.
Information We Collect Automatically
We automatically collect information about your use of our Services through cookies, web beacons, and other technologies. We also automatically collect information about your use of our content in the Services. We also may use tools that allow us to monitor how you navigate the Services, such as how you move your cursor or where you enter text (without seeing the actual text you enter) to help us improve the Services, to identify and diagnose bugs, and to enable you to provide us feedback. To the extent permitted by applicable law, we may combine this information with other information we collect about you, including your personal information. Please see the section “Cookies and Other Tracking Mechanisms” below for additional information.
Information Automatically Collected from the Sites
- domain name, web pages you view on the Site, and links you click on the Site
- the referring URL, or the webpage that led you to our Site
- the length of time you visit our Site and/or use our Services
- your browser type, device operating system, and device’s IP address
Information Automatically Collected by Platform and Software
Our Services provide a library of cyber threat intelligence, attacks, and defensive analytics. We provide software and integrations with other tools to enable the automatic collection of this data. In many instances, we provide users with the ability to configure what data the software collects.
For captured cyber attacks, we may capture:
- Device identifiers, hostnames, and IP addresses
- Operating system and software versions
- System event logs, network packet data, and forensic artifacts
- Video recording or screenshots of user activity
- Keystrokes and clipboard contents a user makes during an emulated cyber attack, which may include credentials or other sensitive information
- Scripts and binaries executed on the device, which may include malware and cyber threats
- Analytic hits or alerts on malware and cyber threat behavior and related information regarding such attacks
For enterprise accounts with configured integrations, we may automatically collect information from other software, such as Endpoint Detection and Response (EDR) or Security Information and Event Management (SIEM) tools. Please contact your employer for additional information. This information includes:
- Analytic hits or alerts on malware and cyber threat behavior
- System event logs, network packet data, and forensic artifacts
- Device identifiers, hostnames, and IP addresses
- In some instances, personally identifiable information such as first or last names, email addresses, or usernames
- In rare instances, sensitive information such as passwords or API keys that may be present in files or if used on command lines
How We Use Your Information
We use your personal information for the following purposes:
Service Provisioning/Transactional Purposes:
- To provide our Services to you.
- To communicate with you about your use of our Services; to fulfill your orders, to respond to your inquiries, process payments, and for other customer service purposes.
- To tailor the content and information that we may send or display to you, to provide access to content, software, and products that you or your organization has purchased or licensed from us, to inform you about or send you software or content updates, to provide personalized help and instructions, and to otherwise personalize your experiences while visiting or using the Services.
- Making cyber threat intelligence, attack sessions, analytics, or other content available to community members, customers, or partners for threat detection and research.
- Protecting and securing the Site, including the networks and systems through which we provide the Services.
Marketing Communications:
In accordance with applicable laws, we may use your information:
- To send you marketing communications about our Services and other offerings.
- To send you news, newsletters, and event information.
- To send you marketing communications about products and services of our affiliated entities.
- To send you marketing communications about products and services of other entities that we think may be of interest to you. If you are interested in these entities’ products and services, you may provide your information directly to the appropriate entity.
Advertising:
- To assist us in determining relevant advertising content and media (whether on the Services or on nonaffiliated websites and media) and to create lookalike and Custom Audiences for our advertising campaigns.
- To evaluate the success of our advertising campaigns (including our online targeted advertising and offline promotional campaigns).
- See also the Ad Networks section discussed below.
Sites and Services Improvement/Research:
- To train and improve our cyber threat identification, monitoring, and analytics software. This includes training our machine learning/artificial intelligence algorithms and software to better identify potential cyber threats.
- To better understand how users access and use our Services, both on an aggregated and individualized basis. For example, we will evaluate which features of our Services are most (or least) used by users, and we will use this information to update or add new features to our Services. We may also use feedback provided by users to update our Services or develop new offerings.
- To administer surveys and questionnaires, such as for user engagement, market research or user satisfaction purposes.
- To create aggregated, anonymized, pseudonymized or de-identified data sets. We may use such data sets for cyber threat identification, research, product improvement and development, marketing, advertising, trend analysis and other purposes.
Legal Purposes:
- To comply with legal obligations and act in accordance with legal authorizations, as part of our general business operations, and for other business administration purposes, including to comply with our legal and regulatory requirements, authenticating your identity, maintaining our records, to monitor your compliance with your agreements with us, to collect debts owed to us, to safeguard our business interests, and to manage or transfer our assets or liabilities, for example in the case of an acquisition, disposition or merger, as described below.
- Where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person or property, or violations of this Policy, your customer agreement, and any applicable terms of use.
- For other purposes we may inform you about from time to time. Where required by applicable laws and regulations, we will obtain your consent if we wish to use your personal information for purposes requiring such consent.
How We Share Your Information
We may share your information, including personal information, as follows:
- Service Providers. We disclose the information we collect from you to service providers, contractors or agents who perform functions on our behalf. These service providers include our hosting provider for the Site and our payment processors.
- Affiliates. We may disclose your information to our affiliate and subsidiary organizations for the purposes described in this Policy.
- Community Members. When you post content to the Services, such as threat intelligence, attack sessions, analytics, or other posts, comments, or videos, that information will be available to other members of the community and visitors to the public areas of our Site. For enterprise subscribers, you may configure that content to be private to other members of your organization.
- Cybersecurity Information Sharing Organizations. We may share information we collect through the Services with both private and public sector cyber and information security sharing organizations for threat monitoring and cyber response purposes. Where possible, we will endeavor to share aggregated or de-identified information with these organizations.
- Advertising Networks. We share data with entities that perform targeted advertising on our behalf. Please see the discussion about Ad Networks below.
We also disclose information in the following circumstances:
- Business Transfers. If (i) we are or may be acquired by, merged with, or invested in by another company, or (ii) if any of our assets are or may be transferred to another company, whether as part of a bankruptcy or insolvency proceeding or otherwise, we may transfer the information we have collected about you to the other company. As part of the business transfer process, we may share certain of your personal information with lenders, auditors, and third-party advisors, including attorneys and consultants.
- In Response to Legal Process. We disclose your information to comply with the law, a judicial proceeding, court order, law enforcement request, or other legal process, such as in response to a court order or a subpoena.
- To Protect Us and Others. We disclose your information when we believe it is appropriate to do so to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of this Policy, your customer agreement, or any applicable terms of use, or as evidence in litigation in which we are involved.
- Aggregate and De-Identified Information. We may share aggregated, anonymized, or de-identified information about users with third parties for cyber threat intelligence and monitoring, marketing, advertising, research or similar purposes.
Our Use of Cookies and Other Tracking Mechanisms
Threatology and our service providers use cookies, local storage (HTML5), and other tracking mechanisms to track information about your use of our Services. We may combine this information with other personal information we collect from you (and our service providers may do so on our behalf).
Cookies
Cookies are alphanumeric identifiers that we transfer to your device’s hard drive through your web browser for record-keeping purposes. Some cookies allow us to make it easier for you to navigate our Site and Services, while others are used to enable a faster log-in process or to allow us to track your activities at our Site and Service. There are two types of cookies: session and persistent cookies.
- Session Cookies. Session cookies exist only during an online session. They disappear from your device when you close your browser or turn off your device. We use session cookies to allow our systems to uniquely identify you during a session or while you are logged into the Services. This allows us to process your online transactions and requests and verify your identity, after you have logged in, as you move through our Services.
- Persistent Cookies. Persistent cookies remain on your device after you have closed your browser or turned off your device. We use persistent cookies to track aggregate and statistical information about user activity.
Disabling Cookies
Most web browsers automatically accept cookies, but if you prefer, you can edit your browser options to block them in the future. The Help portion of the toolbar on most browsers will tell you how to prevent your computer from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Visitors to our Site who disable cookies will be able to browse certain areas of the Site, but some features may not function.
Clear GIFs, pixel tags and other technologies
Clear GIFs are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your device’s hard drive, clear GIFs are embedded invisibly on web and application pages. We may use clear GIFs (a.k.a. web beacons, web bugs or pixel tags), in connection with our Services to, among other things, track the activities of visitors and users, help us manage content, and compile statistics about Services usage. We and our service providers also use clear GIFs in HTML emails to help us track email response rates, identify when our emails are viewed, and track whether our emails are forwarded.
Analytics
We use automated devices and applications, such as Google Analytics, to evaluate usage of our Services. We also may use other analytic means to evaluate our Services. We use these tools to help us improve our Services’ performance and user experiences. These entities may use cookies and other tracking technologies, such as web beacons or local storage objects (LSOs), to perform their services. To learn more about Google’s privacy practices, please review the Google Privacy Policy at https://www.google.com/policies/privacy/. You can also download the Google Analytics Opt-out Browser Add-on to prevent your data from being used by Google Analytics at https://tools.google.com/dlpage/gaoptout.
Do-Not-Track
Currently, our systems do not recognize browser “do-not-track” requests. You may, however, disable certain tracking as discussed in this section (e.g., by disabling cookies); you also may opt-out of targeted advertising by following the instructions in the Ad Network section.
Ad Networks
We use network advertisers to serve advertisements on unaffiliated websites and other media (e.g., social networking platforms). This enables us and these network advertisers to target advertisements to you for products and services in which you might be interested. Ad network providers, advertisers, sponsors and/or traffic measurement services may use cookies, JavaScript, web beacons (including clear GIFs), and other tracking technologies to measure the effectiveness of their ads and to personalize advertising content to you. These cookies and other technologies are governed by each entity’s specific privacy policy, not this one. We may provide these parties with information, including personal information about you, as part of our advertising efforts.
Users may opt out of many ad networks. For example, you may go to the Digital Advertising Alliance (“DAA”) Consumer Choice Page for information about opting out of interest-based advertising and your choices regarding having information used by DAA companies. You may also go to the Network Advertising Initiative (“NAI”) Consumer Opt-Out Page for information about opting out of interest-based advertising and your choices regarding having information used by NAI members. App users may also download the AppChoices tool to manage interest-based advertising on their mobile device.
Opting out from one or more companies listed on the DAA Consumer Choice Page or the NAI Consumer Opt-Out Page will opt you out from those companies’ delivery of interest-based content or ads to you, but it does not mean you will no longer receive any advertising through our Services or on other websites. You may continue to receive advertisements, for example, based on the particular website that you are viewing (i.e., contextually based ads). Also, if your browsers are configured to reject cookies when you opt out on the DAA or NAI websites, your opt out may not be effective. Additional information is available on the DAA’s website at www.aboutads.info or the NAI’s website at www.networkadvertising.org.
Links
Our Services may contain links to non-affiliated websites. Any access to and use of such linked websites is not governed by this Policy, but instead is governed by the privacy policies of those websites. We are not responsible for the information practices of such websites.
Security of Your Personal Information
We have implemented reasonable precautions to protect the information we collect from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Please be aware that despite our efforts, no data security measures can guarantee security.
You should take steps to protect against unauthorized access to your password, phone, and computer by, among other things, signing off after using a shared computer, choosing a robust password that nobody else knows or can easily guess, and keeping your log-in and password private. We are not responsible for any lost, stolen, or compromised passwords or for any activity on your account via unauthorized password activity.
Promotional Emails
We may send periodic promotional emails to you. You may opt-out of promotional emails by following the opt-out instructions contained in the email. Please note that it may take up to 10 business days for us to process opt-out requests. If you opt-out of receiving promotional emails, we may still send you emails about your transactions or any services you have requested or received from us.
Children Under 13
Our Services are not designed for children under 13. If we discover that a child under 13 has provided us with personal information, we will delete such information from our systems.
Contact Us
If you have questions about the privacy aspects of our Services or would like to make a complaint, please contact us at privacy@snapattack.com.
Changes to this Policy
This Policy is current as of the Effective Date set forth above. We may change this Policy from time to time, so please be sure to check back periodically. We will post any changes to this Policy on our Site. If we make any changes to this Policy that materially affect our practices with regard to the personal information we have previously collected from you, we will endeavor to provide you with notice in advance of such change by highlighting the change on our Site.