Privacy Policy

Last updated: February 12, 2026

1. Privacy by Design Philosophy

ADVISOR by Threatwise™ is built using data minimization principles. By default:

  • Chat content is not intentionally retained by Threatwise beyond the active session, except as described below.
  • Conversation transcripts are not stored unless you explicitly enable optional memory features or voluntarily submit content through consultation channels.
  • We do not use user chat content or inputs to train proprietary AI models owned by Threatwise.

We collect only the information reasonably necessary to operate accounts, process payments, provide the Service, maintain system integrity, and comply with legal obligations.

2. Information We Collect

A. Account Information - When you create an account, we collect: name, email address, organization (if provided), subscription tier, and authentication credentials (managed securely via providers such as Auth0).

B. Payment Information - Payments are processed by Stripe. We do not store full credit card numbers or sensitive payment credentials. Stripe processes payment data in accordance with its own privacy policy and PCI DSS standards.

C. Usage and Technical Data - We may automatically collect limited technical information, including IP address, browser and device information, session timestamps, error logs, and API usage metrics. This information is used to maintain security, prevent abuse, ensure service reliability, and comply with applicable law.

D. Chat Content and Inputs - Chat content and other inputs are processed in real time to generate responses. Such content is not intentionally retained by Threatwise after the session unless:

  • You enable an optional memory feature
  • You voluntarily submit materials through a consultation or support feature
  • Retention is required for abuse investigation, security monitoring, legal compliance, or dispute resolution

If optional memory is enabled, chat history is stored securely until you delete it or the account is terminated, subject to applicable retention requirements.

Threatwise does not actively monitor or review chat content except when voluntarily submitted, required for abuse or security investigations, or required by law.

3. How We Use Information

We use collected information to:

  • Provide, operate, and maintain the Service
  • Authenticate users and manage accounts
  • Process payments and subscriptions
  • Detect, prevent, and investigate abuse or security incidents
  • Improve system performance and reliability
  • Comply with legal obligations

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use user chat content to train proprietary AI models. Service improvements are based, where feasible, on aggregated or anonymized data.

4. Third-Party Service Providers (Subprocessors)

We rely on trusted third-party providers to operate the Service, including:

  • Stripe - payment processing
  • Auth0 - authentication and user management
  • MongoDB Atlas - encrypted application data storage and vector search for the approved reference library
  • CraftMyPDF - PDF generation for user-triggered report exports
  • AI infrastructure providers - response generation and embeddings
  • Hosting and cloud providers (e.g., Vercel or equivalent)

These providers are subject to data protection obligations and agreements with us designed to safeguard information. They may process data only as necessary to provide their services. We may update subprocessors in the ordinary course of business. A current list is available upon request.

5. Data Retention

We retain:

  • Account information while the account is active, plus a reasonable period thereafter
  • Payment records as required by tax and financial regulations
  • Technical logs typically for 30–90 days
  • Optional memory data until deleted by you or account termination

Upon account deletion, we will delete or anonymize personal data consistent with legal, regulatory, security, or dispute-resolution obligations.

6. Data Security

We implement reasonable administrative, technical, and organizational safeguards designed to protect personal information, including encryption in transit and, where appropriate, at rest.

No system can guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials. In the event of a confirmed data breach affecting personal information, we will provide notice as required by applicable law.

7. International Data Transfers

The Service is operated from the United States. Your data may be processed in the United States or other countries where our subprocessors operate.

For users in the EEA, UK, or similar jurisdictions, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) where required by law.

8. Your Rights

Depending on your jurisdiction, you may have rights to:

  • Access personal information
  • Correct inaccurate data
  • Request deletion
  • Restrict or object to certain processing
  • Data portability (where applicable)
  • Withdraw consent where processing is based on consent

To exercise these rights, contact legal@threatwiseglobal.com. We may require identity verification before processing your request.

California Residents (CCPA/CPRA) - California residents may request disclosure of categories of personal information collected, deletion of personal information, confirmation that we do not sell or share personal information, limitation of use of sensitive personal information, and non-discrimination for exercising privacy rights.

We do not sell or share personal information. To submit a verifiable consumer request or exercise any CCPA rights, please email legal@threatwiseglobal.com.

EEA and UK Users (GDPR / UK GDPR) - You have the rights listed above, including the right not to be subject to solely automated decisions producing legal or similarly significant effects. The Service does not make solely automated decisions with legal or significant effects without human involvement.

We rely primarily on contractual necessity and legitimate interests as lawful bases for processing, as described in this Policy. For questions or to exercise rights, contact legal@threatwiseglobal.com.

9. Children’s Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected such data, we will take appropriate steps to delete it.

10. Cookies and Tracking Technologies

We use essential cookies and similar technologies for authentication, security, and core functionality. We do not use tracking cookies for cross-site behavioral advertising. You may manage cookie preferences through your browser settings.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the Last Updated date and, where appropriate, providing notice through the Service or by email.

Continued use of the Service after changes constitutes acceptance of the updated Policy.

12. Contact

If you have questions about this Privacy Policy or our data practices, please contact: legal@threatwiseglobal.com