Privacy Policy
1. Overview and Scope
This Privacy Policy (this "Policy") describes how Scalable Cyber, Inc. ("Scalable Cyber," "we," "us," or "our") collects, uses, discloses, and protects data in connection with our websites, products, and services (collectively, the "Services").
The Services are offered to businesses and organizations on a subscription or software-as-a-service basis. They are not directed to, or available to, the general public or to consumers for personal, family, or household purposes. The Services are intended solely for use by our subscribers (each, a "Subscriber") and the individuals a Subscriber authorizes to access the Services on its behalf (each, an "Authorized User"). By accessing or using the Services, or by entering into a subscription or other agreement with us, you acknowledge the practices described in this Policy.
This Policy does not modify or supersede any agreement between us and a Subscriber governing access to or use of the Services, including any SaaS agreement, master services agreement, order form, or other written agreement between us and the Subscriber (collectively, the "Agreement"). In the event of any conflict between this Policy and the Agreement, the Agreement governs.
2. Client Data, Research Data and Roles
As used in this Policy, "Client Data" means all data, information, and materials that a Subscriber or its Authorized Users provide to us, or that we collect from a Subscriber's systems or environment, in connection with the Services. Certain Services process technical data about software and systems that a Subscriber submits or that the Services generate ("Research Data"), which is a category of Client Data. Research Data generally consists of technical, machine, and software-related information rather than information that identifies an individual.
To the extent Research Data incidentally contains personal information, we process it solely as a service provider or processor on behalf of, and at the direction of, the relevant Subscriber, and in accordance with the applicable Agreement. The Subscriber is responsible for the data it and its Authorized Users submit to or generate through the Services, including for obtaining any rights, consents, or authorizations required for us to process that data.
More generally, where we process personal information on behalf of a Subscriber through the Services, we do so in accordance with the Subscriber's instructions and the applicable Agreement, and the Subscriber is responsible for its use of the Services and its compliance with applicable laws. This Policy otherwise addresses information we collect about Subscribers and Authorized Users in connection with providing the Services.
3. Information We Collect
We collect the following categories of information:
- Account and Registration Information: Business contact and identification details we collect when a Subscriber establishes or administers an account or provisions Authorized Users, such as name, business email address, telephone number, employer, job title, and login credentials.
- Billing and Transactional Information: Information used to administer subscription and payments, such as billing contact, billing address, purchase history, and payment-processing references. Payment card details are handled by our third-party payment processor, Stripe, Inc. ("Stripe"), in accordance with Stripe's own terms and privacy policy, and are not retained by us except as needed to administer the account.
- Usage and Platform Activity Data: Information about how the Services are accessed and used, including features used, queries and tasks submitted, session activity, and configuration settings.
- Technical and Log Data: Device, network, and system information generated automatically when the Services are accessed, such as IP address, browser or client type, operating system, access timestamps, authentication events, and security and audit logs.
- Communications and Support Information: Information you provide to us when you contact us, request support, provide feedback, or otherwise correspond with us.
We do not knowingly direct the Services to, or knowingly collect information from, individuals under the age of 18.
4. Cookies and Similar Technologies
We and our service providers use cookies and similar technologies on our website and, where applicable, within the Services. These technologies include cookies, web beacons, pixels, tags, local storage, and software development kits (SDKs). We do not use cookies or similar technologies to deliver third-party targeted or interest-based advertising. We use them for the following purposes:
- Strictly Necessary: Technologies required to operate the Services, such as authenticating users, maintaining sessions, enabling access and core functionality, load balancing, and protecting security.
We do not currently use analytics or third-party cookies. If we begin to do so, we will update this Policy and, where required, provide opt-out choices.
Your Choices: Where required by applicable law, non-essential cookies are used only with your consent. You may manage cookies through your browser settings or any cookie management tools made available on our websites. Disabling strictly necessary cookies may affect functionality.
5. How We Use Information
We use the information described above for our legitimate business purposes, including but not limited to:
- Provide, operate, maintain, and secure the Services, including authentication and access control;
- Establish, administer, and bill subscriptions and accounts;
- Monitor, detect, investigate, and prevent security incidents, fraud, abuse, and violations of our agreements or policies;
- Provide customer support and respond to inquiries;
- Develop, test, evaluate, and improve the Services and our products, technologies, and models, and develop new offerings;
- Generate aggregated, de-identified, or anonymized analytics and statistics, which we may use and retain for any lawful purpose; and
- Comply with applicable law and enforce our agreements and legal rights.
To the extent we use AI agents or models to develop, train, test, evaluate, or improve the Services, we use only Client Data, Research Data, usage data, or other Service-related information that has been aggregated, de-identified, or anonymized so that it does not identify a Subscriber, Authorized User, or other individual. We do not use identifiable Client Data, Research Data, or Subscriber or Authorized User personal information to train, fine-tune, or develop any machine-learning models, except as permitted by the applicable Agreement (for example, to create models for a Subscriber using that Subscriber's own data). We will not attempt to re-identify aggregated, de-identified, or anonymized data, or disclose it in any form that identifies a Subscriber, Authorized User, or other individual.
6. How We Share Information
We do not sell information about Subscribers or Authorized Users. We share information only as follows:
- Service Providers: With vendors and contractors that perform services on our behalf (such as hosting, infrastructure, payment processing, analytics, and support), subject to the obligations to protect the information and use it only to provide services to us.
- With our Corporate Group: With our affiliates and account administrators that support the provision of the Services.
- With the Subscriber: With the Subscriber whose account an Authorized User is associated with, including the Subscriber's administrators.
- Legal and Protective Disclosures: When we believe disclosure is necessary or appropriate to comply with applicable law, regulation, legal process, or governmental request; to enforce our agreements; or to protect the rights, property, security of Scalable Cyber, our Subscribers, or others.
- Business Transfers: In connection with, or during negotiation of, any merger, acquisition, financing reorganization, or sale of assets, or in the event of insolvency, in which information is among the assets transferred.
7. Data Security
We maintain reasonable administrative, technical, and organizational safeguards designed to protect information against unauthorized access, use, alteration, disclosure, or destruction, taking into account the nature of the Services. However, no method of transmission or storage is completely secure, and we cannot and do not guarantee absolute security. Subscribers and Authorized Users are responsible for maintaining the confidentiality of their credentials and for the security of the systems and accounts they use to access the Services.
8. Data Retention
We retain information for as long as needed to provide the Services, maintain and administer accounts, and fulfill the purposes described in this Policy, and thereafter as necessary to comply with our legal obligations, resolve disputes, enforce our agreements, and maintain business and security records. Actual retention periods vary based on the type of information and our operational, legal, and security requirements. We may retain aggregated, de-identified, or anonymized information indefinitely. Retention of Research Data is governed by the applicable Agreement.
9. Your Rights and Choices
Depending on applicable law, individuals may have certain rights regarding their personal data, including the right to access, correct, delete, or restrict the processing of their information, and to receive a copy in a portable format.
Because the Services are provided in a business-to-business context, we generally process personal data on behalf of our Subscribers. Accordingly, if an individual's information has been submitted to the Services by or on behalf of a Subscriber, such individual should direct their request to that Subscriber (i.e., individual's account organization or account administrator).
We will provide reasonable assistance to Subscribers in responding to such requests, as required by applicable law or our Subscriber Agreements.
In limited cases where we act as a data controller (for example, for account administration, billing, or direct interactions with you), requests may be submitted to contact@scalable-cyber.com.
10. International Data Transfers
Data may be transferred to and processed in countries other than where you reside. Where required by law, we implement appropriate safeguards to protect information, such as contractual protections and other legally recognized transfer mechanisms.
11. U.S. and International Privacy Rights
Depending on the location of a Subscriber or Authorized User, certain privacy laws may apply to personal information processed through the Services, including the California Consumer Privacy Act (CCPA/CPRA), other U.S. state privacy laws, and the EU/UK General Data Protection Regulation (GDPR). These laws may grant individual rights such as the right to access, correct, delete, or restrict the processing of their personal information, and in some cases, opt out of certain processing activities.
Where we process personal information on behalf of a Subscriber, we act as a service provider, processor, or contractor, and the Subscriber acts as the business or controller. In some cases, individuals should direct any requests to exercise their rights to the relevant Subscriber that controls their information.
We will provide reasonable assistance to Subscribers in responding to such requests, as required by applicable law or our Subscriber Agreements. In limited circumstances where we act as a controller (for example, for account administration, billing, or direct interactions) individuals may contact us using the information below.
12. Changes to This Policy
We may update this Policy from time to time. When we do, we will update the "Last Updated" date above. Your continued use of the Services after an update constitutes acceptance of the revised Policy.
13. Contact Us
If you have questions about this Policy or our data practices, please contact us at: contact@scalable-cyber.com.