This Privacy Policy explains how Defendis Technology Inc. (“Defendis,” “we,” “us,” or “our”) collects, uses, shares, retains, and transfers personal information when you interact with our websites, customer portals, mobile and desktop applications, APIs, SDKs, and related products or services (collectively, the “Services”). This Policy also covers Defendis SARL (Morocco) when acting as a data processor on behalf of Defendis Technology Inc.
By accessing or using the Services, you acknowledge that you have read and understood this Policy and agree to its terms. This Policy forms part of, and is incorporated by reference into, our Terms of Use. If you do not agree, please discontinue use of the Services.
This Policy applies to Defendis Technology Inc. (a Delaware, U.S., corporation) and its affiliate and subsidiary Defendis SARL (Morocco) when they process personal information in connection with the Services. This Policy applies to interactions with our websites, apps, platforms, APIs/SDKs, customer community, events (including webinars and conferences), sales and marketing activities, social media presences, and support channels.
Exclusions. This Policy does not apply to personal information collected in the context of employment (employees, contractors) or job applications. Where Defendis processes personal information solely on behalf of a customer under a written agreement (e.g., data processing addendum), the customer’s agreement controls to the extent of any conflict.
We collect personal information from the following sources:
The categories of personal information we may collect include: identifiers (name, email address, postal/billing address, phone number, IP address, account identifiers); professional information (employer, role/title, business contact details, professional affiliations); financial/commercial information (transactional records, subscription details; payment data); internet/network activity (device and operating system details, browser type, interaction data, pages or features used within our Services, URLs within our sites, app usage, event logs); device/telemetry data (device identifiers, diagnostics, performance and reliability data); approximate geolocation (based on IP); and communications/content you submit (e.g., support tickets, feedback forms).
In the course of providing cyber threat intelligence, Defendis may index or reference data posted by third parties to publicly available sources, including the dark web. Defendis does not control what third parties post to those sources and cannot predict the specific categories that may appear in them. We process such data only for legitimate security purposes, subject to safeguards and data minimisation.
3. Cookies and Tracking Technologies
We use cookies and similar technologies to authenticate users, remember preferences, secure the Services, and measure performance. Cookie categories include: (a) essential/functional; (b) analytics/performance; and (c) marketing/advertising. You can manage or disable cookies through your browser and, where available, through our Cookie Preference Center.
We use analytics and advertising services such as Google Analytics, Amplitude, and LinkedIn Ads to understand usage and improve the Services. See each vendor’s privacy policy for details and opt‑out options.
4. Purposes of Processing and Legal Bases
We process personal information for the following purposes:
We process personal information only in ways that are compatible with and relevant to the purposes for which it was collected or otherwise authorised.
5. Information Sharing and Disclosures
We disclose personal information in the following circumstances.
6. International Data Transfers
We may transfer personal information to countries outside of your own. Where required, we rely on appropriate safeguards for cross-border transfers, such as the European Commission’s Standard Contractual Clauses (SCCs) incorporated into our service providers’ Data Processing Agreements (e.g., Google Cloud Platform, Supabase). We also implement technical measures, including encryption in transit and at rest, and access controls.
7. Retention
We retain personal information only for as long as necessary to fulfill the purposes described in this Policy or as required by law. Typical periods (subject to change based on business need and legal requirements) include: account and billing records (generally up to 7 years); security telemetry/logs (generally up to 90 days, longer if required for investigations or legal obligations); support records (generally up to 3 years after closure); and marketing contacts (generally up to 24 months of inactivity).
When setting retention, we consider applicable legal requirements, the nature and sensitivity of the data, the purposes of processing, potential risk from unauthorised use or disclosure, and whether the purpose can be achieved by other means. We may anonymise data for longer-term analytics or security research.
De‑identified and aggregated data may be retained for analytics and cybersecurity research.
8. Security
We implement technical and organisational measures designed to protect personal information, including encryption in transit and at rest, access controls, network segmentation, continuous monitoring and logging, multi-factor authentication, vulnerability management, and regular independent security testing. If we become aware of a data breach affecting personal information, we will notify affected individuals and/or regulators as required by law.
We encourage responsible reporting of security issues and publish a high‑level security overview. See Vulnerability Disclosure for our security posture and disclosure guidelines.
9. Children’s Privacy
The Services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe we have collected personal information from a child under 16, please contact us at legal@defendis.ai and we will take appropriate steps to delete such information.
For residents of the EEA/UK where a higher age of consent applies (between 13 and 16 depending on the country), we do not knowingly process personal information of children below the applicable age without verifiable consent from a parent or legal guardian.
10. Your Privacy Rights
Depending on your location, you may have rights to access, correct, delete, restrict, or object to the processing of your personal information, and to data portability.
These rights apply primarily to personal information that you have provided to us directly (for example, through your account, communications, or use of our Services) or that we process in connection with providing our Services.
When we process data that originates from publicly available or dark-web sources for cybersecurity or threat-intelligence purposes, your rights of access, correction, and deletion apply only to the data we control within our systems. We can confirm whether your personal information appears in our datasets; however, we cannot alter or delete information contained in the original external sources where it was publicly posted or disclosed by third parties.
EEA/UK/Swiss residents (GDPR/UK GDPR): rights of access, rectification, erasure, restriction, objection, and portability; the right to withdraw consent; and the right to lodge a complaint with a supervisory authority.
California residents (CCPA/CPRA): rights to know/access specific pieces and categories; delete; correct; opt out of sale/sharing; limit the use/disclosure of sensitive personal information; non-discrimination for exercising rights; and recognition of Global Privacy Control (GPC) signals.
UAE PDPL and Morocco Law 09-08: rights include access and rectification (and other rights as provided by local law).
11. Submitting Requests, Verification, and Appeals
To exercise your rights, contact legal@defendis.ai. We acknowledge requests within timelines required by law (typically within 10 business days for California residents) and respond within 30 days (GDPR/UK GDPR, extendable where permitted) or 45 days (CPRA, extendable where permitted). We may request additional information to verify your identity and authority. Authorised agents may submit requests on behalf of residents, subject to verification.
Appeals (US State Laws). If we deny your request, you may submit an appeal by replying to our decision email or by contacting legal@defendis.ai with the subject line “Privacy Request Appeal.” We will respond to appeals within 45 days, stating the reasons for our decision.
12. Non‑Discrimination (California)
We will not discriminate against you for exercising any of your rights under the CCPA/CPRA.
13. Automated Decision‑Making and Profiling
We do not make decisions based solely on automated processing that produce legal or similarly significant effects about individuals. We may use automated scoring and prioritisation to support security detections, with human review applied where appropriate.
14. De‑Identified, Aggregated, and “Collective Insights” Data
We may use de‑identified or aggregated data without reasonable means to identify an individual to improve and develop analytics and cybersecurity models, measure trends, enrich indicators, and enhance overall platform efficacy. In limited cases, de‑identified datasets may be accessed to comply with valid legal requests or to investigate security, safety, abuse, or violations of our Terms.
15. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices or applicable law. We will post the updated version with a new “Last updated” date. For material changes, we will provide advance notice (e.g., email or in‑app) in accordance with applicable law.
16. Contact Us
If you have any questions about our privacy practices or this Privacy Policy, or if you wish to submit a request to exercise your rights as detailed in this Privacy Policy, please contact us at: