Data Protection & Privacy Policy

Last updated: March 2026

Document ID: TK-DP-001 | Version: 1.1 | Effective Date: March 2026

1. Purpose & Scope

ThreatKrew (“we”, “us”, “our”) is committed to protecting your privacy. This policy applies to all users of the ThreatKrew platform and website, and operates under a multi-jurisdiction framework: the Australian Privacy Act 1988 (including the Australian Privacy Principles), the EU General Data Protection Regulation (GDPR), and applicable United States state privacy laws including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA). Where requirements differ, we apply the higher standard globally.

2. Information We Collect

Account data: Email address (required), name and company name (optional).

Assessment data: Architecture documents you upload, threat models we generate, clarification responses, and chat conversations about your assessments.

Usage data: Feature usage patterns and performance metrics (anonymised).

Payment data: Processed by Stripe (PCI DSS Level 1 compliant). We do not store credit card numbers. See Stripe’s privacy policy.

3. How We Use Your Information

We use your information to provide and improve the Service, communicate about your account, send product updates (with your consent), respond to support requests, and meet legal obligations. We do not sell your data, share it for marketing, or use it to train AI models.

4. AI Processing Transparency

ThreatKrew uses Amazon Bedrock with Anthropic Claude models for threat analysis. Key protections: Anthropic maintains zero-day data retention (your data is not stored after processing), no customer data is used for model training, and tenant isolation is enforced at all levels.

5. Data Storage & Security

Your data is stored in AWS Sydney (ap-southeast-2) by default. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Assessment data and account information remain in the Sydney region.

6. Cross-Border Transfers

AI inference processing occurs via US-based Amazon Bedrock endpoints. For EU users, transfers are governed by EU Standard Contractual Clauses (SCCs) with supplementary Schrems II measures, including encryption, access controls, and contractual protections. See our Data Processing Addendum for details.

7. Data Retention

  • Assessment data: Retained until you delete it, or 30 days after account termination (GDPR Art. 17 compliance)
  • Account data: Deleted within 30 days of account deletion request
  • Payment records: 7 years (Australian tax law requirements)
  • AI processing logs: 90 days
  • Security logs: 12 months

8. Your Rights

Under the GDPR (EU users) and the Australian Privacy Act, you have the following rights:

  • Access: Request a copy of your data
  • Rectification: Correct inaccurate data
  • Erasure: Delete your account and data (within 30 days)
  • Portability: Export your data in standard machine-readable format (CSV)
  • Objection: Opt out of marketing communications
  • Restriction: Request that we limit processing of your data

To exercise these rights, contact privacy@threatkrew.io. We will respond within 30 days.

9. United States Privacy Rights

Applicability. This section applies to residents of US states with comprehensive privacy legislation, including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Texas (TDPSA). ThreatKrew applies GDPR-equivalent protections to all users globally, which meets or exceeds the requirements of all current US state privacy laws.

Your rights under US state privacy laws. In addition to the rights listed in Section 8, US residents may have the right to: know what categories of personal information we collect and for what purpose, request deletion of personal information, opt out of the sale or sharing of personal information, and not be discriminated against for exercising privacy rights.

We do not sell your personal information. ThreatKrew does not sell, share, or rent personal information to third parties for monetary or other valuable consideration. We do not use personal information for targeted advertising or cross-context behavioural advertising.

Categories of information collected. As described in Section 2: identifiers (email, name), commercial information (subscription tier), internet activity (usage data), and professional information (company name, architecture documents). We collect this information directly from you when you create an account and use the Service.

How to exercise your rights. Contact privacy@threatkrew.io. We will verify your identity using information associated with your account and respond within 45 days (or 30 days where a shorter timeline applies under your state’s law). You may designate an authorised agent to make a request on your behalf.

Appeals. If we decline a privacy request, you may appeal by contacting privacy@threatkrew.io with the subject line “Privacy Appeal”. We will respond within 60 days. If you are not satisfied with our response, you may contact your state’s Attorney General.

10. Breach Notification

In the event of a data breach, we will notify affected users and the relevant authorities within 72 hours, in accordance with the GDPR, the Australian Privacy Act, and applicable US state breach notification requirements.

11. Sub-processors

We use the following third-party services to deliver ThreatKrew:

  • AWS (Sydney). Purpose: infrastructure, compute, storage. Data shared: all service data. Compliance: SOC 2 Type II, ISO 27001.
  • Amazon Bedrock (US). Purpose: AI threat analysis. Data shared: architecture documents (zero-day retention). Compliance: SOC 2, no model training.
  • Stripe. Purpose: payment processing. Data shared: name, email, payment details. Compliance: PCI DSS Level 1.

We will provide 30 days’ notice of any sub-processor changes, with a 14-day objection window.

12. Cookies

We use essential cookies for session management and authentication only. Analytics data is anonymised. We do not use third-party tracking cookies. See our Cookie Policy for details.

13. Changes

We will notify you of material changes via email. Continued use after changes constitutes acceptance.

14. Contact

Email: privacy@threatkrew.io

Data Controller: ThreatKrew Pty Ltd

For EU-specific data processing matters, see our Data Processing Addendum.