Privacy Notice

Last updated: July 9, 2026

1. Who we are

This Privacy Notice is issued by Threat Helm vCISO ("Threat Helm vCISO", "we", "us", "our"), the operator of the ThreatHelm platform available at threathelm.com. Threat Helm vCISO is the data controller for personal data described in this notice.

2. Categories of personal data we collect

  • Account data — name, work email, hashed login credentials.
  • Organization context — business name, industry, size, systems, and other information you provide about your organization to power risk and gap analysis.
  • Support communications — messages you send us via chat or email.
  • Usage & telemetry — pages viewed, features used, timestamps, error logs.
  • Device & connection data — IP address, browser type, operating system, device identifiers.

Payment card details are collected and processed directly by our Merchant of Record, Paddle. Threat Helm vCISO does not receive or store card numbers.

3. Purposes and legal bases

  • Creating and maintaining your account — performance of contract.
  • Providing the ThreatHelm service, including generating risk registers, gap analysis, and posture — performance of contract.
  • Security, fraud prevention, and abuse detection — legitimate interests.
  • Product improvement and analytics — legitimate interests.
  • Customer support — performance of contract.
  • Marketing communications where you have opted in — consent.
  • Meeting legal, tax, and accounting obligations — legal obligation.

4. Who we share data with

  • Service providers / subprocessors — cloud hosting, database, authentication, analytics, and support tooling providers acting on our instructions.
  • Merchant of Record (Paddle) — Paddle.com Market Ltd. handles the sale, subscription management, payments, tax compliance, and invoicing for our products.
  • Professional advisers — legal, accounting, and audit advisers under confidentiality obligations.
  • Authorities — where required by law, court order, or to protect rights, safety, and property.

5. International transfers

Personal data may be transferred to and processed in countries outside your own, including the United States and the European Economic Area. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.

6. Data retention

We retain personal data for as long as necessary to provide the service and to meet legal, tax, and accounting obligations. When data is no longer needed, we delete or anonymise it. Account and organization data is deleted within 90 days of account closure, except where longer retention is required by law.

7. Your rights

Subject to applicable law, you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to withdraw consent at any time. EEA/UK residents may also lodge a complaint with a supervisory authority. To exercise these rights, contact us using the details below. We aim to respond within one month.

8. Security

We use appropriate technical and organisational measures — including encryption in transit, access controls, tenant isolation via Row Level Security, and least-privilege service access — to protect personal data against unauthorised access, alteration, disclosure, or destruction.

9. Cookies

We use essential cookies required to run the service (session, authentication) and limited analytics cookies to understand usage. You can manage cookies through your browser settings; disabling essential cookies may prevent you from using parts of the service.

10. Contact

Questions about this Privacy Notice or your personal data: contact Threat Helm vCISO via the in-app support chat or the contact channel listed on threathelm.com.