Privacy Policy

ThreatVec ("we", "us") is a security product operated by Great Falls Ventures LLC, a Delaware limited liability company. This policy explains what data ThreatVec collects when you use the ThreatVec web application at app.threatvec.com, the ThreatVec Shadow AI browser extension, our SDK, and our marketing site at threatvec.com.

If you have questions, write to privacy@threatvec.com or use our support page.

1. Who this policy applies to

This policy applies to:

• End users at our customers' organizations whose AI activity is monitored by ThreatVec.
• Administrators at customer organizations who sign in to the ThreatVec web application.
• Visitors to our marketing site.

If you are an end user, the organization that deployed ThreatVec is the data controller for any personal data we process on their behalf — they decide what gets collected and what is done with it. ThreatVec is the data processor. Ask your security team for their internal policy.

2. What we collect — and what we explicitly don't

The browser extension (ThreatVec Shadow AI)

When installed by your organization, the extension scans the content of AI service prompts in your browser, on your device, using regex patterns. The matching happens entirely client-side. What leaves your browser depends on the policy your security team configured:

The extension stores your organization's API key and per-site policy decisions locally via the browser's chrome.storage API. This data does not leave your device.

The ThreatVec web application + SDK

When your organization signs up and deploys ThreatVec, we process:

• Account data: administrator email addresses (encrypted at rest with AES-256-GCM), organization name, billing identifiers.
• Agent identifiers: hostnames and agent names of devices where your team has installed ThreatVec.
• Security signals: metadata about AI activity — model called, token counts, PII types detected, timestamps. User identifiers in signals are pseudonymized via HMAC-SHA256 using a per-organization salt; we cannot reverse them.
• Posture scores: numerical computations across the above signals.

We do not process: LLM prompt content, LLM completion content, raw employee activity records, medical records, or financial transaction data.

The marketing site

We collect minimal server-side analytics on threatvec.com: aggregate page views, referrers, and browser type from our web server logs. We do not load any third-party analytics or advertising trackers on this site (no Google Analytics, no Plausible, no Meta pixel, no LinkedIn Insight tag).

Help widget (consent-gated): our marketing site can load the Zendesk web widget (static.zdassets.com) so visitors can chat with us without leaving the page. The widget sets first-party cookies in the threatvec.com origin to remember your conversation; it does not set advertising or cross-site tracking cookies. The widget is not loaded by default: on your first visit we show a banner asking whether you want to enable chat. If you decline, no Zendesk script is fetched and no Zendesk cookies are set. You can change this choice at any time using the Manage cookies link in the footer.

Your consent choice itself is stored in a single first-party cookie (tv-cookie-consent, 1-year lifetime) so we don't show you the banner on every page load. This is a strictly-necessary cookie under ePrivacy Article 5(3) and does not require its own consent.

3. Why we collect what we collect

We use this data only to:

• Provide the security service your organization purchased (the core product).
• Authenticate users and protect against unauthorized access.
• Investigate and resolve operational incidents, on documented request from your organization.
• Comply with legal obligations.

We do not use your data to train machine learning models, target advertising, or any other purpose unrelated to delivering the security service.

4. Who we share data with

We share data only with:

• Sub-processors that operate the infrastructure ThreatVec runs on:
  • Hostinger (server hosting — Boston, MA primary; Frankfurt, Germany regional Postgres for EU customer telemetry)
  • Clerk (authentication)
  • Stripe (payment processing — only for paying customers)
  • Resend (outbound transactional email)
  • ImprovMX (inbound email forwarding — relays support email into Zendesk; based in France)
  • Zendesk (inbound customer support tickets)
  • Anthropic (LLM analysis for non-customer-data narratives — see ADR-001 in our public repository)
  • DeepSeek (LLM analysis for non-customer-data only — customer-submitted content is never routed to DeepSeek)
  Each sub-processor is contractually bound to handle data only on our documented instructions.
• Legal authorities, if we receive a binding legal order. We will challenge any order we believe is overbroad.

We do not sell, rent, or trade personal data.

5. Where your data is stored

ThreatVec's application tier is hosted in the United States (Hostinger Boston). For data subjects in the EU/EEA, every API request still terminates at the Boston app tier — a controller-to-processor transfer governed by the EU-US Data Privacy Framework and Standard Contractual Clauses with each US sub-processor.

EU customer telemetry at rest is stored in the EU. Since 2026-05-14 (Sprint 21c), signal events, shadow events, and telemetry for EU-tagged organizations are written to a Hostinger Frankfurt regional Postgres within the EEA — no cross-border transfer for at-rest storage. Authentication and organization metadata for all customers stays on the US primary so identity lookups remain on the fast path. Choose your data region during signup; we will give 30 days notice before changing where any customer's data is stored.

6. How long we keep data

• Active account data: as long as your organization remains a customer.
• Signal events: 365 days by default; configurable shorter on request.
• Audit logs: 7 years for SOC 2 / compliance evidence.
• After account deletion: all data permanently deleted within 30 days, except where law requires longer retention.

7. Your rights

If you are covered by GDPR (EU/EEA/UK), CCPA (California), or similar legislation, you can:

• Access the data we hold about you.
• Correct inaccurate data.
• Delete your data (subject to legal retention).
• Export a copy in a portable format.
• Object to processing or restrict it.

To exercise any of these rights, email privacy@threatvec.com. We respond within 30 days. If you're an end user at a customer organization, we will route your request to your organization (the data controller) and notify you.

You can lodge a complaint with your local data protection authority. EU/EEA: see your country's DPA. UK: the ICO. California: the CPPA.

8. Security

We use industry-standard technical and organizational measures:

• TLS 1.2+ for all data in transit, AES-256-GCM for sensitive data at rest.
• Multi-factor authentication for all administrative access.
• Continuous source-code scanning for credential leaks and security regressions.
• Annual penetration testing.
• Incident response plan with notification within 72 hours of confirmed breach.

Our security architecture is documented in our SOC 2 evidence package, available on request — contact security@threatvec.com.

9. Children

ThreatVec is a B2B security product not intended for use by children under 16. We do not knowingly collect data from children.

10. Changes to this policy

We will post any material changes to this page and update the "Last updated" date at the top. Substantive changes will also be notified by email to the administrator email on file for each customer organization.

11. Contact

Great Falls Ventures LLC (operating as ThreatVec)
Data protection inquiries: privacy@threatvec.com
General support: app.threatvec.com/support
Enterprise DPA: app.threatvec.com/docs/dpa