Privacy Policy | ThreatModeler

Global Privacy Policy

Last Updated: May, 2026

01 Introduction

This Global Privacy Policy ("Policy") is issued on behalf of the ThreatModeler group of companies.

When we mention "ThreatModeler", "we", "us", or "our" in this Policy, we are referring to the relevant company within the ThreatModeler group responsible for processing your data. For the purposes of this global policy and the centralized services we provide, ThreatModeler Software, Inc., is the primary Data Controller or Business that determines the purposes and means of processing your personal data.

Our affiliates and subsidiaries ("Affiliates") are part of our global organization and may access, process, or collect data on our behalf or for their local operational needs, in accordance with the purposes described in this Policy. This is managed through an intra-group data sharing framework.

This Policy describes how ThreatModeler, acting as a Data Controller or Business, collects, uses, discloses, and otherwise processes your personal data. It also explains the rights you have as a Data Subject or Consumer regarding your personal data.

Please read this Policy carefully. If you do not agree with it, we advise you not to access our websites, use our Services, or interact with any other aspect of our business. For any questions, you can contact our Data Protection Officer at legal@threatmodeler.com.

02 Scope of this Privacy Policy

This Policy applies to the processing of personal data we collect as a Data Controller or Business when you:

  • Visit or interact with our websites, applications, and digital properties where this policy is posted or linked (collectively, our "Websites").
  • Apply for a job with us.
  • Sign up for and use our free "Community Edition."
  • Register for and participate in our online or in-person events, webinars, training, or contests.
  • Engage with our communities, such as "Threat Modeling Connect."
  • Interact with us as an authorized user of our customers' accounts for our Enterprise Services.
  • Engage with us in a professional context, such as through email, phone, or at industry events.
  • Receive marketing communications from us.

This Policy does not apply to the data that our customers and their users upload, create, or manage within our B2B enterprise SaaS platform ("Customer Data"). In this context, our customer is the Data Controller, and ThreatModeler acts as a Data Processor. Our processing of Customer Data is governed by the service agreement and the Data Processing Addendum (DPA) executed with our customer.

This Policy applies only to the limited personal data we collect about our customers' authorized users for account administration and service delivery purposes, as detailed in Section 4.

This Policy does not apply to our employees or independent contractors, who are covered by a separate internal privacy notice.

03 How We Collect Your Personal Data

We collect personal data from various sources:

A. Personal Data You Provide Directly to Us

You provide us with personal data when you create an account, request a demo, register for an event, fill out a form, contact our support, or otherwise communicate directly with us.

B. Personal Data We Collect Automatically

When you interact with our Websites and Services, we automatically collect technical information using tools like cookies. This includes device information, IP address, and usage data. For detailed information, please refer to our Cookie Policy.

C. Personal Data We Obtain from Third-Party Sources

We may obtain personal data from other sources to enhance our records and for business development purposes. These sources include:

  • Data Enrichment Providers: B2B data providers who supply us with professional information such as company, job title, and contact details.
  • Publicly Available Sources: Professional networking platforms (e.g., LinkedIn) and public corporate websites.
  • Business & Event Partners: Third parties with whom we co-host events or collaborate on marketing activities.

We only use data from third-party sources that confirm they are legally permitted to share this information with us.

04 Personal Data We Process and Our Lawful Basis

Each entry below describes a processing activity and its purpose, the categories of personal data involved, our legal justification ("Lawful Basis") under the GDPR, and how long we retain the data.

Enterprise Service Account Management
  Purpose: Create and manage accounts, provide support, ensure service security.
  Categories of Personal Data: Identity & Contact Data; Professional Data; Account Data; Usage Data
  Lawful Basis (GDPR): Performance of contract; Legitimate interest
  Retention Period: Duration of contract, then blocked 5 years before deletion

Community Edition
  Purpose: Provide access to our free tool per Community Terms.
  Categories of Personal Data: Identity & Contact Data; Device & Location Data; Platform & User-Generated Content
  Lawful Basis (GDPR): Performance of contract; Legitimate interest
  Retention Period: While subscribed; then blocked 5 years

Academy & Training
  Purpose: Provide access to training platforms, events, and sessions.
  Categories of Personal Data: Identity, Contact & Professional Data; Learning & Progress Data; Image & Voice (recorded sessions)
  Lawful Basis (GDPR): Performance of contract; Consent for recordings
  Retention Period: While account active, then blocked 5 years

Recruitment
  Purpose: Evaluate and process employment applications.
  Categories of Personal Data: Identity & Contact Data; CV/resume; Interview notes
  Lawful Basis (GDPR): Legitimate interest; Pre-contractual measures
  Retention Period: Duration of application; limited retention if not hired

Inquiries, Demos & Content Requests
  Purpose: Respond to forms, schedule demos, provide resources.
  Categories of Personal Data: Identity, Contact & Professional Data; Content of request
  Lawful Basis (GDPR): Pre-contractual measures; Legitimate interest
  Retention Period: Time to handle request, then blocked 5 years

Business Development
  Purpose: Contact professionals, assess opportunities, negotiate contracts.
  Categories of Personal Data: Identity, Contact & Professional Data; Communication Records; Signature
  Lawful Basis (GDPR): Legitimate interest
  Retention Period: While relationship active, then blocked 5 years

Marketing & Advertising
  Purpose: Send newsletters and promotions.
  Categories of Personal Data: Identity, Contact & Professional Data; Interaction Data; Inferred Data
  Lawful Basis (GDPR): Consent or Legitimate interest (as required by law)
  Retention Period: Until opt-out; contact details moved to suppression list indefinitely

Community Surveys
  Purpose: Gather feedback to improve user experience.
  Categories of Personal Data: Identity, Contact & Professional Data; Survey responses
  Lawful Basis (GDPR): Consent (voluntary)
  Retention Period: Analysis period, then anonymized or deleted

Hackathons & Contests
  Purpose: Manage participation and prize fulfillment.
  Categories of Personal Data: Identity, Contact & Professional Data
  Lawful Basis (GDPR): Performance of contract (contest terms)
  Retention Period: Contest duration plus fulfillment, then blocked 5 years

Support Platform
  Purpose: Resolve issues and enhance services.
  Categories of Personal Data: Contact and account details; Support request content and communications
  Lawful Basis (GDPR): Performance of contract
  Retention Period: Time necessary to resolve the issue

Interactive Features & Social Media
  Purpose: Engage with community on third-party platforms.
  Categories of Personal Data: Identity, Contact & Professional Data you make public; Content directed at us
  Lawful Basis (GDPR): Legitimate interest
  Retention Period: Per marketing and business development policies if imported

Data Subject Requests
  Purpose: Manage and fulfill data protection rights.
  Categories of Personal Data: Data necessary to verify identity and locate information
  Lawful Basis (GDPR): Legal obligation
  Retention Period: Time to process request, then typically 5 years

Website Analytics & Improvement
  Purpose: Understand interactions and improve functionality.
  Categories of Personal Data: Technical Data; Usage Data
  Lawful Basis (GDPR): Legitimate interest; Consent for non-essential cookies
  Retention Period: Per Cookie Policy

Legal & Security Compliance
  Purpose: Comply with legal obligations, protect systems and users.
  Categories of Personal Data: All relevant data as required by the specific legal or security event
  Lawful Basis (GDPR): Legal obligation; Legitimate interest
  Retention Period: As required by applicable law or for the legal process duration

05 How We Share and Disclose Your Personal Data

Our commitment is to limit data sharing to what is necessary for our operations and to do so with the utmost respect for your privacy. We do not "sell" your personal data for monetary consideration. However, as defined by laws like the CCPA/CPRA, we may "share" it with third parties for cross-context behavioral advertising.

We may disclose or share your personal data with the following categories of third parties:

5.1. ThreatModeler Group Affiliates
We share personal data within our corporate group for internal administrative purposes, operational delivery, customer support, sales, and marketing. This sharing is governed by internal data sharing agreements including robust data protection safeguards.

5.2. Service Providers and Sub-processors
We engage trusted third-party vendors to perform services on our behalf, including cloud hosting (e.g., AWS, Azure), CRM systems (e.g., Salesforce), marketing and analytics platforms (e.g., HubSpot, Google Analytics), communication and support tools, payment processors, and recruitment platforms. These providers are contractually bound to protect your data and prohibited from using it for any other purpose.

5.3. Business and Event Partners
If you register for a co-sponsored event, we may share registration data with that partner. We will provide clear notice at the point of registration and obtain your consent where required by law.

5.4. Advertising Partners
We may share data collected via cookies with third-party advertising networks for personalized advertising. You can opt-out at any time via our Cookie Settings.

5.5. Professional Advisors
We may share information with lawyers, auditors, and insurers bound by confidentiality obligations.

5.6. Business Transactions
We may disclose personal data as part of a merger, acquisition, financing, joint venture, reorganization, divestiture, or sale of company assets.

5.7. Law Enforcement and Public Authorities
We may be required to disclose personal data to comply with a subpoena, court order, or other lawful request, or to protect our rights, property, or safety, or those of others. We will only do so when we have a good-faith belief that the disclosure is legally required and necessary.

06 International Data Transfers

As a global company, your personal data will be processed in the United States and other countries where our Affiliates and service providers operate, such as Spain and the UK. We are committed to ensuring all cross-border data transfers comply with applicable law.

For data transferred from jurisdictions with specific transfer restrictions (such as the EEA, UK, and Switzerland), we rely on the following legally recognized transfer mechanisms:

  • Intra-group Data Sharing Agreement: All transfers between ThreatModeler Group Affiliates are governed by a comprehensive internal agreement incorporating Standard Contractual Clauses (SCCs).
  • Adequacy Decisions: We may transfer data to service providers in countries deemed to provide adequate data protection by the European Commission.
  • Standard Contractual Clauses (SCCs): For transfers to providers in countries without an adequacy decision, we execute SCCs to contractually ensure the protection of your data.

We supplement these mechanisms with appropriate technical and organizational safeguards to provide a level of protection equivalent to that in your home jurisdiction.

07 Data Security

We take the security of your data seriously. We have implemented appropriate technical and organizational measures designed to protect your personal data from accidental or unlawful destruction, loss, alteration, or unauthorized access. These measures include data encryption, access controls, regular security audits, and secure software development practices.

08 Your Privacy Rights and How to Exercise Them

We are committed to honoring your data protection rights, which may vary depending on your jurisdiction. You have the right to:

  • Access and Know: Request a copy of the personal data we hold about you and information on how we process it.
  • Correct (Rectify): Ask us to correct any inaccurate personal data.
  • Delete (Erase): Request the deletion of your personal data, subject to our legal obligations and other exceptions.
  • Object and Opt-Out: Object to processing based on our legitimate interests; opt-out of direct marketing at any time; direct us not to "share" or "sell" your personal information for cross-context behavioral advertising.
  • Restrict Processing: Ask us to temporarily limit the processing of your personal data in certain situations.
  • Data Portability: Receive a copy of your data in a structured, machine-readable format.

How to Exercise Your Rights

You or your authorized agent can submit a request by emailing us at legal@threatmodeler.com. For your protection, we will need to verify your identity before fulfilling your request. We will respond within the timeframes required by law and will not discriminate against you for exercising your rights.

Right to Lodge a Complaint

You have the right to lodge a complaint with a competent data protection authority. Key authorities include:

  • Spain: The Spanish Data Protection Agency (AEPD) or your local data protection authority.
  • United Kingdom: The Information Commissioner's Office (ICO).
  • United States: The California Privacy Protection Agency (CPPA) and the Federal Trade Commission (FTC).

09 Updates to this Privacy Policy

We may modify this Policy at any time. We will post the revised Policy and update the "Last Updated" date. For material changes, we will use commercially reasonable efforts to provide a more prominent notice. Your continued interaction with us after such changes constitutes your acceptance of the new Policy.

10 Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact our Data Protection Officer:

Email: legal@threatmodeler.com

Postal Address:

ThreatModeler Software, Inc.
Attn: Legal Department
1 Evertrust Plaza, Suite 802
Jersey City, NJ 07302, USA