Privacy Policy
At SpyCloud, our mission is to disrupt cybercrime and make the internet safer for everyone. This Privacy Policy explains how we handle personal information with integrity and purpose—so you can understand how we collect, use, and protect data to stop account takeover, identity theft, and online fraud before they cause harm.
SpyCloud Inc. (“SpyCloud,” “we,” “us,” or “our”) is headquartered in the United States and acts as the controller of personal information collected through our websites, products, and services that reference this Privacy Policy.
1. Personal Information We Collect
We collect information that identifies, relates to, describes, or could reasonably be linked to an individual (referred to in this policy as “personal information”). This includes:
Information you provide directly: When you fill out forms, subscribe to our services, register on our website, request support, or communicate with us, you may provide personal information such as your name, email address, phone number, company, or other identifiers.
Information collected automatically: We use cookies, log files, web beacons, device identifiers, and similar technologies to collect information such as IP addresses, browser types, geolocation data, referring pages, and interactions with our website. This includes tools from vendors such as Google Analytics and HubSpot. For more information, please see our Cookie Policy.
Information collected from third parties: We collect exposed or compromised personal information from public sources, including darknet and deep web forums, marketplaces, and dumpsites. This data is obtained exclusively for security and anti-fraud purposes, such as helping individuals and organizations detect and remediate account takeovers, prevent fraud, and respond to cybersecurity threats. Such information may include usernames, passwords (including plaintext and hashed), email addresses, phone numbers, IP addresses, device information, MAC addresses, system configurations, account metadata, browser and OS information, and activity artifacts derived from malware/infostealer logs and successful phishes.
We collect this data to defend those impacted. Our focus is detection, response, investigation, and defense against cybercrime.
2. How We Use Personal Information
We use personal information for the following purposes:
- To respond to inquiries and requests
- To deliver and improve our threat detection and remediation services
- To analyze usage and performance of our websites and offerings
- To monitor and protect the security of our systems and those of our customers
- To inform product development and threat intelligence research
- To conduct marketing and outreach (with the appropriate consent where required)
- To comply with legal obligations or enforce our terms
- To notify affected parties about exposed or compromised data
- To use artificial intelligence technologies to analyze data, generate reports, and support service functionality, as well as to develop and deploy AI-driven solutions for our customers in accordance with applicable data protection laws
We may also aggregate or anonymize personal information that we collect. We may use and disclose anonymized or aggregated information to any third parties at our discretion.
3. Disclosure of Personal Information
We may disclose personal information to:
- Our affiliates and subsidiaries
- Service providers who support our operations (e.g., IT, hosting, analytics)
- Enterprise customers and partners who use our products to detect and prevent fraud, account takeover, or data breaches
- Law enforcement or regulatory bodies when legally required or permitted
- Third parties in connection with a merger, acquisition, or sale of assets
- Vendors that provide advertising and advertising analytics services on our marketing websites
4. Your Information Rights and Choices
NOTE: If you are a resident of California, please see the “California Privacy Notice” section below for information about our privacy practices and California residents’ privacy rights under applicable law.
Depending on your location and applicable data protection laws, you may have the following rights with respect to your “personal information”. Specifically, residents of certain US states (currently including Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah and Virginia), the European Economic Area (EEA), UK, Switzerland, and certain other international jurisdictions as applicable have the right to request:
- Confirmation that we process personal information about you
- Access: Learn what categories and specific pieces of personal information we hold about you
- Correction: Request correction of inaccurate personal information
- Deletion: Request deletion of personal information
- Opt you out of the processing of your personal information for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects, if applicable.
In addition:
- Residents of the US states listed above may opt out of the “sale” of their personal information or the processing of their information for targeted advertising purposes. Please see “Notice of Right to Opt Out” below for more information.
- Connecticut, Oregon and Minnesota residents can request a list of the specific third parties, other than natural persons, to which we have disclosed information.
- EU/UK residents can object to the processing of information and opt out of processing for direct marketing purposes.
- If you are a resident of Colorado, Connecticut, Iowa, Minnesota, Montana, Oregon, Tennessee, Texas, or Virginia, and we deny your information request, you have the right to appeal our denial.
The rights described above are subject to certain exceptions under applicable law. For instance, if your personal information was collected from a breached or illicit source for cybersecurity purposes we may not honor your deletion or opt-out requests, as certain legal exceptions permit us to retain and process such data for cybersecurity, fraud prevention, and public interest purposes. We may also retain personal information for our legal and compliance purposes, in addition to other exceptions provided for in applicable law.
We will ask you to provide us with information necessary to reasonably verify your identity before responding to your request. We will consider all requests and provide our response within the time period required by applicable law.
5. How to Submit an Information Rights Request
To exercise your information rights, please submit your request through our dedicated data subject request portal powered by Osano: Privacy Inquiry.
We do not process information rights requests sent via email or phone. SpyCloud generally fulfills information rights requests free of charge. However, we may assess fees in cases of excessive or repetitive requests.
6. Notice of Right to Opt Out
NOTE: If you are a resident of California, please see the “California Privacy Notice” section below for information about your opt-out rights.
If you are a resident of one of the U.S. states listed in Section 5 above, you also have the right to opt out of the “sale” of your personal information or our processing of your information for online targeted advertising purposes.
We do not sell personal information in the traditional sense. However, licensing of threat intelligence data to partners may qualify as a “sale” of personal information under some state privacy laws. Our disclosure of data to third-party partners using advertising or advertising analytics technologies as described in our Cookie Policy may also be subject to these opt-out rights. You can opt out of such disclosures by clicking the “Your Privacy Choices” link on our website footer. Where required by law, we recognize and honor Global Privacy Control (GPC) signals as a valid opt-out request for these disclosures.
We may ask you to provide us with information necessary to reasonably verify your identity before responding to your request. We will consider all requests and provide our response within the time period required by applicable law.
If you are a resident of Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, or Texas, you may designate an authorized agent to make an opt-out request on your behalf. Agents must submit a signed, written permission evidencing that the consumer has authorized them to make such requests, or a valid power of attorney for that consumer. We may also follow up with you to verify your identity before processing the authorized agent’s request as permitted by applicable law.
7. Data Security and Retention
We use technical, administrative, and organizational safeguards—including encryption, access controls, and monitoring—to protect personal information from unauthorized access, misuse, or disclosure. We retain personal information only as long as necessary for the purposes described in this Policy or as required by law.
8. Children’s Data
Our services are intended for business use and not directed to children under 16. We do not knowingly collect or process personal information from children. If we become aware that we have inadvertently collected such information, we will delete it promptly and ensure it is not included in our threat intelligence systems.
9. California Privacy Notice
If you are a California resident, the California Consumer Privacy Act (“CCPA”) requires us to provide you with the following additional information about: (1) the purpose for which we use each category of “personal information” (as defined in the CCPA) we collect; and (2) the categories of third parties to which we (a) disclose such personal information for a business purpose, (b) “share” personal information for “cross-context behavioral advertising,” and/or (c) “sell” such personal information. Please see the following chart containing this information:
Category of Personal Information | Purpose of Use | Categories of Third Parties to which personal information is disclosed | Categories of third parties to which personal information is sold/shared |
Identifiers | Provide the Services; Communicate with you; Marketing and advertising; Personalize the Services; Improve the Services; Business Operations; With your consent | Affiliated entities; Service providers; Online advertising partners; Entities for legal purposes; Entities for business transactions | Online advertising partners |
Transaction history | Provide the Services; Marketing and advertising; Personalize the Services; Improve the Services; Business Operations; Recognize a user across multiple touchpoints; With your consent | Affiliated entities; Service providers; Entities for legal purposes; Entities for business transactions | We do not share/sell |
Customer service interaction information | Communicate with you; Improve the Services; Business Operations; With your consent | Affiliated entities; Service providers; Entities for legal purposes; Entities for business transactions | We do not share/sell |
Internet or other electronic network activity information | Communicate with you; Marketing and advertising; Personalize the Services; Improve the Services; Business Operations; With your consent | Affiliated entities; Service providers; Online advertising partners; Connected third-party services; Entities for legal purposes; Entities for business transactions | Online advertising partners |
Exposed or compromised Information collected through intelligence gathering | To deliver and improve our threat detection and remediation services; security and anti-fraud purposes | Customers; Entities for legal purposes; Entities for business transactions | Customers |
For more information about each category, purpose of use, and the third parties to which we disclose information, please see “Personal Information We Collect,” “How We Use Personal Information,” and “Disclosure of Your Personal Information” above.
Your Information Rights
California residents have the right to request that we:
- Provide information about the categories of sources of the personal information we collect and disclose about you; the business or commercial purpose for collecting or selling or sharing your personal information; and the categories of third parties to whom we disclose personal information (each to the extent applicable). This information is provided in this Privacy Policy.
- Access: Learn what categories and specific pieces of personal information we hold about you.
- Correction: Request correction of inaccurate personal information.
- Deletion: Request deletion of personal information.
As provided in applicable law, you also have the right to not be discriminated against for exercising your rights.
The rights described above are subject to certain exceptions under applicable law. For instance, if your personal information was collected from a breached or illicit source for cybersecurity purposes, we may not honor your deletion or opt-out requests, as certain legal exceptions permit us to retain and process such data for cybersecurity, fraud prevention, and public interest purposes. We may also retain personal information for our legal and compliance purposes, in addition to other exceptions provided for in applicable law.
How to Submit an Information Rights Request
To exercise your information rights, please submit your request through our dedicated data subject request portal powered by Osano: Privacy Inquiry. You may also call us at (512) 387-8158. SpyCloud generally fulfills information rights requests free of charge. However, we may assess fees in cases of excessive or repetitive requests.
We will ask you to provide us with information necessary to reasonably verify your identity before responding to your request. We will consider all requests and provide our response within the time period required by applicable law.
You have the right to designate an authorized agent to make requests on your behalf. Agents must submit a signed, written permission evidencing that the consumer has authorized them to make such requests, or a valid power of attorney for that consumer. We may also follow up with you to verify your identity before processing the authorized agent’s request as permitted by applicable law.
Notice of Right to Opt Out of Sale and Sharing for Cross-Context Behavioral Advertising
California residents also have the right to opt out of the “sale” of your personal information or our “sharing” of personal information for cross-context behavioral advertising purposes.
We do not sell personal information in the traditional sense. However, licensing of threat intelligence data to partners may qualify as a “sale” of personal information under California law. Our disclosure of data to third-party partners using advertising or advertising analytics technologies as described in our Cookie Policy may also be subject to these opt out rights. You can opt out of such disclosures by clicking the “Your Privacy Choices” link on our website footer. Where required by law, we recognize and honor Global Privacy Control (GPC) signals as a valid opt-out request for these disclosures.
You may designate an authorized agent to make an opt out request. Agents must submit a signed, written permission evidencing that the consumer has authorized them to make opt-out requests, or a valid power of attorney for that consumer.
Other California Rights
Sensitive data. The CCPA also allows you to limit the use or disclosure of your “sensitive personal information” (as defined in the CCPA) if your sensitive personal information is used for certain purposes. Please note that we do not use or disclose sensitive personal information other than for business purposes for which you cannot opt out under the CCPA.
Retention of your personal information. Please see the “Data Security and Retention” section above.
Notice concerning Do Not Track. Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Some web browsers offer users a “Do Not Track” privacy preference setting in the web browser. We do not currently recognize or respond to browser-initiated Do Not Track signals. Learn more about Do Not Track.
California “Shine the Light” Notice. The California “Shine the Light” law gives residents of California the right under certain circumstances to opt out of the disclosure of certain categories of personal information (as defined in the Shine the Light law) with third parties for their direct marketing purposes, or in the alternative, that we provide a cost-free means for consumers to opt out of any such disclosure. We do not currently disclose your personal information to third parties for their own direct marketing purposes.
You may view our annual CCPA metrics here.
We do not knowingly sell or share the personal information of consumers under 16 years of age.
10. Supplemental Notice for Residents of the EEA and United Kingdom
If you are located in the European Economic Area (EEA) or the United Kingdom (UK), you are entitled to additional rights under applicable data protection laws, including the General Data Protection Regulation (GDPR) and UK GDPR.
Controller Identity: SpyCloud Inc. is the data controller for personal data collected as described in this Privacy Policy.
Legal Basis for Processing: We rely on our legitimate interests in preventing fraud, securing networks and information, and detecting identity-based threats to process exposed personal data collected from breach sources. Where applicable, we may also rely on contractual necessity or compliance with legal obligations. We may process other personal data, such as data from our business customers or third parties that send us inquiries and feedback, to a) perform our obligations under our agreements, b) for our legitimate interests, such as to secure our services and enforce our Terms of Service, c) to comply with our legal obligations, and d) for other purposes with your consent.
Right to Object: You have the right to object at any time to our processing of your personal data where we rely on legitimate interest as our legal basis. If you exercise this right, we will cease processing your personal data unless we demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or where the processing is necessary for the establishment, exercise, or defense of legal claims.
International Data Transfers: SpyCloud is based in the United States. If we transfer your personal data outside of the EEA/UK, we do so using appropriate safeguards such as standard contractual clauses approved by the European Commission or the UK Information Commissioner’s Office.
Your Rights: In addition to the rights listed in Section 4 of this Privacy Policy, you have the right to lodge a complaint with your local data protection authority. A list of EEA data protection authorities is available here. UK residents may contact the Information Commissioner’s Office (ICO) at https://ico.org.uk/.
11. Use Restrictions and Fair Credit Reporting Act (FCRA) Disclaimer
SpyCloud is not a consumer reporting agency as defined under the Fair Credit Reporting Act (FCRA), and our products and services are not intended to be used, and may not be used, in whole or in part, for the purpose of determining eligibility for credit, insurance, employment, housing, or any other purpose that would require compliance with the FCRA or similar laws. Any such use is strictly prohibited.
12. Updates and Contact Information
We may update this Privacy Policy from time to time. The latest version will always be available at spycloud.com/privacy-policy.
If you have questions or concerns about our privacy practices, we invite you to contact us at privacy@spycloud.com.