CipherOwl Privacy

Effective Date: March 4, 2026

Last Updated: March 4, 2026

1. Introduction

CipherOwl, Inc. ("CipherOwl," "Company," "we," "us," or "our") is a Delaware corporation that operates a cybersecurity platform providing threat intelligence, security monitoring, and related services through both a web-based SaaS application and developer APIs (collectively, the "Services"). This Privacy Policy describes how we handle information when you access or use our Services, visit our website, or otherwise interact with us.

We minimize the collection of personal information. Our Services are designed to operate with minimal personally identifiable information. We do not require names, email addresses, phone numbers, or physical addresses to use our platform. However, certain data we collect — such as API key identifiers, IP-derived geolocation, and user-submitted content — may be indirectly associated with identifiable individuals or organizations. We also use Google Analytics to understand how users interact with our platform, as described below.

By using our Services, you acknowledge that you have read and understood this Privacy Policy.

2. Information We Collect

We do not require or request personal information such as names, email addresses, phone numbers, or physical addresses to use our Services. However, some data we collect may be indirectly linkable to individuals or organizations.

2.1 Google Analytics Data

We use Google Analytics to collect anonymized usage data, including traffic data (page views, session duration, bounce rate, and user flow), device and browser data (browser type and version, operating system, screen resolution, and device category), geographic data (approximate location derived from IP address at city/region level, anonymized before storage), referral data (how users arrived at our site), and interaction data (clicks, scrolls, and engagement events). Google Analytics uses cookies to distinguish unique users and sessions. We have enabled IP anonymization and do not use Google Analytics advertising features.

2.2 API Usage Data

When you interact with our developer APIs, we collect non-personal operational data including request volumes, endpoint usage, response times, error rates, and API key identifiers for authentication and rate-limiting purposes.

2.3 Security and Threat Data

Submitted Samples: Files, URLs, IP addresses, domains, or other indicators of compromise you submit for analysis. Note that submitted content may contain or be linked to personal information. You are responsible for ensuring that any data you submit complies with your own privacy obligations.

Scan Results: Outputs generated by our threat detection and analysis engines.

Network Telemetry: If you use our monitoring agents or integrations, we may collect network traffic metadata, system event logs, and alert data from your environment as necessary to provide the Services. This telemetry may incidentally include identifiable network information.

2.4 AI Interaction Data

Our Services incorporate artificial intelligence features. When you interact with AI-powered features (e.g., chat-based threat analysis, natural language queries, or automated recommendations), we collect the content of those interactions, including prompts, queries, and responses. We de-identify this data before using it to train and improve our AI models.

Key points about AI data usage:

  • Raw AI conversation data is collected to provide the Service and is retained in identifiable form only as long as necessary for service delivery.
  • Before any use in model training, AI conversation data is de-identified.
  • De-identified AI data may be used to improve model accuracy, relevance, and safety.
  • You should avoid including sensitive, proprietary, or confidential information in AI interactions, as de-identified conversation data may be used for training purposes.

2.5 Information from Third Parties

Threat Intelligence Feeds: We aggregate data from publicly available sources and licensed threat intelligence providers to enhance our Services.

3. How We Use Collected Data

We use the information we collect for the following purposes:

  • Service Delivery: To operate, maintain, and improve the Services, including threat detection, analysis, and alerting.
  • API Platform: To authenticate API requests, enforce rate limits, and monitor usage.
  • AI Model Training: To train and improve our AI models using de-identified interaction data, as described in Section 2.4.
  • Security: To detect and prevent fraud, abuse, and security incidents affecting our platform and users.
  • Product Improvement: To understand usage trends and improve the reliability, features, and effectiveness of our Services.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable government requests.
  • Aggregate Insights: To generate anonymized and aggregated threat intelligence that benefits the broader cybersecurity community.

4. How We Share Collected Data

We do not sell any data we collect. We may share collected data in the following circumstances:

  • Google Analytics (Google LLC): Anonymized usage data is processed by Google Analytics under Google's data processing terms. We do not share personally identifiable information with Google.
  • Threat Intelligence Community: Anonymized and aggregated threat data may be shared with industry partners, CERTs, and the cybersecurity community to advance collective defense.
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, collected data may be transferred as part of the transaction. We will notify users of any such change.
  • Legal Requirements: When required by law, subpoena, court order, or government regulation, or when we believe disclosure is necessary to protect our rights or the safety of others.

5. Data Retention

We retain collected data only as long as necessary for the purposes described in this policy.

  • Google Analytics Data: Retained for 14 months per our Google Analytics configuration.
  • API Logs: Retained for 12 months for operational, debugging, and product improvement purposes.
  • Threat Analysis Data: Submitted samples and scan results are retained for up to 24 months, unless you request earlier deletion.
  • AI Interaction Data: Raw (identifiable) interaction data is retained for up to 30 days, after which it is de-identified. De-identified AI data used for model training is retained indefinitely.
  • Telemetry Data: Retained for up to 12 months.

When data is no longer needed, we securely delete or anonymize it in accordance with our data management policies.

6. Data Security

We implement industry-standard technical and organizational measures to protect collected data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access controls and the principle of least privilege for internal systems.
  • Regular security assessments, penetration testing, and vulnerability management.
  • Incident response procedures and breach notification protocols.
  • SOC 2 Type II and SOC 3 certified infrastructure and operations. Our SOC 3 report is publicly available upon request.

No method of transmission or storage is completely secure. While we strive to protect all collected data, we cannot guarantee its absolute security.

7. Cookies and Tracking Technologies

We use the following categories of cookies:

  • Strictly Necessary: Required for platform operation (e.g., session management, authentication).
  • Functional: Enable enhanced functionality and personalization (e.g., language preferences, dashboard layouts).
  • Analytics (Google Analytics 4): Sets cookies (e.g., _ga, _ga_<container-id>) to distinguish unique users and sessions, measure site usage, and generate traffic reports. These cookies do not contain personally identifiable information.

We do not use advertising, remarketing, or behavioral tracking cookies. We honor Do Not Track (DNT) browser signals by disabling analytics cookies when detected. You can opt out of Google Analytics entirely using the Google Analytics Opt-Out Add-on.

8. Your Rights and Choices

  • Opt Out of Google Analytics: Install the Google Analytics Opt-Out Browser Add-on or adjust your browser's cookie settings.
  • Cookie Management: Control or delete cookies through your browser settings. Disabling cookies may affect certain functionality.
  • Threat Data Deletion: Request deletion of submitted samples or indicators by contacting us.
  • AI Training Opt-Out: Request that your AI interaction data not be used for model training by contacting us. Note that de-identified data already incorporated into trained models cannot be extracted or deleted.
  • Do Not Track: We honor DNT browser signals by disabling analytics tracking when detected.

To exercise any of these choices or for questions, contact us at privacy@cipherowl.com.

9. Children's Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect data from children under 16. If we become aware that a child under 16 has submitted data through our Services, we will take steps to delete it promptly. Contact us at privacy@cipherowl.com if you believe a child has provided data through our platform.

10. Third-Party Links and Integrations

Our Services may contain links to third-party websites or integrate with third-party tools and platforms (e.g., SIEM systems, ticketing platforms). This Privacy Policy does not apply to those third-party services. We encourage you to review their privacy policies before providing them with your information.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy with a revised "Last Updated" date. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised policy.

12. Contact Us

CipherOwl, Inc.

A Delaware corporation
Email: privacy@cipherowl.com

This Privacy Policy is provided for informational purposes and does not constitute legal advice. We recommend consulting with a qualified attorney to ensure compliance with all applicable privacy laws and regulations.