Last Updated: June 30, 2026

Privacy Policy

1. Overview and Scope

This Privacy Policy (this "Policy") describes how Scalable Cyber, Inc. ("Scalable Cyber," "we," "us," or "our") collects, uses, discloses, and protects data in connection with our websites, products, and services (collectively, the "Services").

The Services are offered to businesses and organizations on a subscription or software-as-a-service basis. They are not directed to, or available to, the general public or to consumers for personal, family, or household purposes. The Services are intended solely for use by our subscribers (each, a "Subscriber") and the individuals a Subscriber authorizes to access the Services on its behalf (each, an "Authorized User"). By accessing or using the Services, or by entering into a subscription or other agreement with us, you acknowledge the practices described in this Policy.

This Policy does not modify or supersede any agreement between us and a Subscriber governing access to or use of the Services, including any SaaS agreement, master services agreement, order form, or other written agreement between us and the Subscriber (collectively, the "Agreement"). In the event of any conflict between this Policy and the Agreement, the Agreement governs.

2. Client Data, Research Data and Roles

As used in this Policy, "Client Data" means all data, information, and materials that a Subscriber or its Authorized Users provide to us, or that we collect from a Subscriber's systems or environment, in connection with the Services. Certain Services process technical data about software and systems that a Subscriber submits or that the Services generate ("Research Data"), which is a category of Client Data. Research Data generally consists of technical, machine, and software-related information rather than information that identifies an individual.

To the extent Research Data incidentally contains personal information, we process it solely as a service provider or processor on behalf of, and at the direction of, the relevant Subscriber, and in accordance with the applicable Agreement. The Subscriber is responsible for the data it and its Authorized Users submit to or generate through the Services, including for obtaining any rights, consents, or authorizations required for us to process that data.

More generally, where we process personal information on behalf of a Subscriber through the Services, we do so in accordance with the Subscriber's instructions and the applicable Agreement, and the Subscriber is responsible for its use of the Services and its compliance with applicable laws. This Policy otherwise addresses information we collect about Subscribers and Authorized Users in connection with providing the Services.

3. Information We Collect

We collect the following categories of information:

We do not knowingly direct the Services to, or knowingly collect information from, individuals under the age of 18.

4. Cookies and Similar Technologies

We and our service providers use cookies and similar technologies on our website and, where applicable, within the Services. These technologies include cookies, web beacons, pixels, tags, local storage, and software development kits (SDKs). We do not use cookies or similar technologies to deliver third-party targeted or interest-based advertising. We use them for the following purposes:

We do not currently use analytics or third-party cookies. If we begin to do so, we will update this Policy and, where required, provide opt-out choices.

Your Choices: Where required by applicable law, non-essential cookies are used only with your consent. You may manage cookies through your browser settings or any cookie management tools made available on our websites. Disabling strictly necessary cookies may affect functionality.

5. How We Use Information

We use the information described above for our legitimate business purposes, including but not limited to:

To the extent we use AI agents or models to develop, train, test, evaluate, or improve the Services, we use only Client Data, Research Data, usage data, or other Service-related information that has been aggregated, de-identified, or anonymized so that it does not identify a Subscriber, Authorized User, or other individual. We do not use identifiable Client Data, Research Data, or Subscriber or Authorized User personal information to train, fine-tune, or develop any machine-learning models, except as permitted by the applicable Agreement (for example, to create models for a Subscriber using that Subscriber's own data). We will not attempt to re-identify aggregated, de-identified, or anonymized data, or disclose it in any form that identifies a Subscriber, Authorized User, or other individual.

6. How We Share Information

We do not sell information about Subscribers or Authorized Users. We share information only as follows:

7. Data Security

We maintain reasonable administrative, technical, and organizational safeguards designed to protect information against unauthorized access, use, alteration, disclosure, or destruction, taking into account the nature of the Services. However, no method of transmission or storage is completely secure, and we cannot and do not guarantee absolute security. Subscribers and Authorized Users are responsible for maintaining the confidentiality of their credentials and for the security of the systems and accounts they use to access the Services.

8. Data Retention

We retain information for as long as needed to provide the Services, maintain and administer accounts, and fulfill the purposes described in this Policy, and thereafter as necessary to comply with our legal obligations, resolve disputes, enforce our agreements, and maintain business and security records. Actual retention periods vary based on the type of information and our operational, legal, and security requirements. We may retain aggregated, de-identified, or anonymized information indefinitely. Retention of Research Data is governed by the applicable Agreement.

9. Your Rights and Choices

Depending on applicable law, individuals may have certain rights regarding their personal data, including the right to access, correct, delete, or restrict the processing of their information, and to receive a copy in a portable format.

Because the Services are provided in a business-to-business context, we generally process personal data on behalf of our Subscribers. Accordingly, if an individual's information has been submitted to the Services by or on behalf of a Subscriber, such individual should direct their request to that Subscriber (i.e., individual's account organization or account administrator).

We will provide reasonable assistance to Subscribers in responding to such requests, as required by applicable law or our Subscriber Agreements.

In limited cases where we act as a data controller (for example, for account administration, billing, or direct interactions with you), requests may be submitted to contact@scalable-cyber.com.

10. International Data Transfers

Data may be transferred to and processed in countries other than where you reside. Where required by law, we implement appropriate safeguards to protect information, such as contractual protections and other legally recognized transfer mechanisms.

11. U.S. and International Privacy Rights

Depending on the location of a Subscriber or Authorized User, certain privacy laws may apply to personal information processed through the Services, including the California Consumer Privacy Act (CCPA/CPRA), other U.S. state privacy laws, and the EU/UK General Data Protection Regulation (GDPR). These laws may grant individual rights such as the right to access, correct, delete, or restrict the processing of their personal information, and in some cases, opt out of certain processing activities.

Where we process personal information on behalf of a Subscriber, we act as a service provider, processor, or contractor, and the Subscriber acts as the business or controller. In some cases, individuals should direct any requests to exercise their rights to the relevant Subscriber that controls their information.

We will provide reasonable assistance to Subscribers in responding to such requests, as required by applicable law or our Subscriber Agreements. In limited circumstances where we act as a controller (for example, for account administration, billing, or direct interactions) individuals may contact us using the information below.

12. Changes to This Policy

We may update this Policy from time to time. When we do, we will update the "Last Updated" date above. Your continued use of the Services after an update constitutes acceptance of the revised Policy.

13. Contact Us

If you have questions about this Policy or our data practices, please contact us at: contact@scalable-cyber.com.