Privacy Policy
Effective date: 2026-05-11
1. About this Policy
This Privacy Policy applies to:
- The website at www.threathunter.com, operated by THREATHUNTER TECHNOLOGIES PTE. LTD;
- All services provided through the website (including without limitation threat intelligence queries, Deep Report, Workspace and APIs); and
- Online and offline events organised or co-hosted by threathunter.com (webinars, conferences, etc.).
This Policy may be updated from time to time, and the most current version will always be available at www.threathunter.com/legal/privacy. We will not alter your rights under this Policy without your explicit consent. We will notify you of any material changes at least 30 days in advance, either by email or by a banner on the website.
2. Data Controller
The website and its services are operated by THREATHUNTER TECHNOLOGIES PTE. LTD ("Threat Hunter"), incorporated in the Republic of Singapore, with its registered office at:
176 Orchard Road #05-05, The Centrepoint, Singapore 238843
We act as the Data Controller for the personal data covered by this Policy and are responsible for its lawful processing. Threat Hunter also operates branch offices in Shenzhen, Beijing, Shanghai, Chongqing, and Hong Kong, but all data-processing activities described here are governed by and accountable to the Singapore entity.
3. Applicable Laws
We process personal data in compliance with the highest applicable standards, including but not limited to:
- The EU General Data Protection Regulation (EU GDPR, Regulation (EU) 2016/679);
- The UK General Data Protection Regulation and Data Protection Act 2018 (UK GDPR + DPA 2018);
- The Singapore Personal Data Protection Act (PDPA, Act 26 of 2012); and
- The California Consumer Privacy Act, as amended by the CPRA (Cal. Civ. Code § 1798.100 et seq.).
If a jurisdiction in which you reside affords stronger protection than the above, we will comply with that higher standard.
4. Personal Data We Process
The table below summarises the categories of personal data we process, the purpose, lawful basis, and retention period for each:
| # | Purpose | Lawful basis | Data processed | Retention |
|---|---|---|---|---|
| 1 | Account creation and provision of the service (threat intelligence queries, report generation, Workspace) | Contract performance | Business email, name, company name, job title (optional) | Lifetime of the account + 1 year from last activity |
| 2 | Processing your in-product queries (chat) and the reports we generate from them | Contract performance | Your query content, conversation history, generated reports | 1 year from last activity |
| 3 | Sending account and service notifications (sign-up OTP, security alerts, subscription status, followed-event updates) | Contract performance | Email address | Lifetime of the account |
| 4 | Sending product updates, newsletters, and marketing communications | Consent | Email address, name (optional) | Until you unsubscribe |
| 5 | Handling security incident reports and support requests | Contract performance / legitimate interest | Name, email, phone (optional), the information you submit | 1 year |
| 6 | Recruitment | Consent / pre-contractual measures | The information you submit (résumé, contact details) | Until the hiring decision is made (unsuccessful candidates) |
| 7 | Site analytics and performance monitoring (only when you opt in to analytics cookies) | Consent | IP address (anonymised), browser type, pages visited, referrer | 13 months (GA / PostHog default) |
For details on how we use cookies, see our Cookie Policy.
5. AI / LLM Processing
Threat Hunter uses large language models (LLMs) to process the queries you submit. We commit to the following:
- We do not use your conversation content (including prompts and model responses) to train, fine-tune, or evaluate any AI model — neither our own models nor those of any third-party LLM provider.
- Our LLM services are provided by a third-party commercial API under a zero-data-retention configuration — the provider does not retain your conversation data for training or any other purpose. The current provider is listed in our Sub-processors list, and changes are notified under §8.
- You can export or delete your conversation history at any time through the Data Subject Rights portal in your account settings.
6. How We Collect Your Data
We collect personal data:
- Directly from you — information you submit through sign-up forms, in-product input, or support requests; and
- From your browser — where you have consented to cookies, browsing data is collected via cookies (see Cookie Policy).
We do not purchase your personal data from third-party data brokers or marketing databases.
Important note about threat intelligence data. As a threat intelligence product, our intelligence dataset is sourced from publicly accessible network resources (e.g. public Telegram channels, deep-web forums, data-leak collections) and may contain personally identifiable information about third parties (such as threat actors or victims of fraud). The processing of that intelligence data is not governed by this Privacy Policy — this Policy covers only the personal data we hold about you, as a customer. The processing of intelligence data is described in our Terms of Service §5 (Customer Responsibilities and Representations) and our Acceptable Use Policy.
7. Who We Share Your Personal Data With
We rely on third-party data processors to deliver certain parts of the service, and we have a written contract with each one to ensure they process your data only on our documented instructions. The categories of these processors are described in §8 below.
We may also disclose your personal data:
- To members of our corporate group (subsidiaries, ultimate parent company, and other entities under common control), strictly to the extent reasonably necessary for the purposes described in this Policy; and
- Where we are legally required to do so — for example, under a court order, to establish, exercise or defend our legal rights (including disclosing information to third parties for fraud-prevention purposes), or to cooperate with supervisory authorities investigating complaints.
We do not share your personal data with any third party for that third party's (or any other third party's) direct marketing purposes without your explicit consent.
We may share anonymised or aggregated data (which no longer identifies you) with third parties for service-improvement or research purposes.
8. Sub-processor Categories
We use the following categories of third-party service providers to deliver our services (GDPR Art. 13(1)(e) — categories of recipients):
- Large language model (LLM) inference provider (USA) — processes your conversation queries and model responses under a zero-data-retention configuration.
- Cloud infrastructure provider (Singapore region) — hosts all business data.
- Payment processor (USA / EU) — processes subscription billing; payment card information is collected directly by the processor, and we do not handle card numbers.
- Transactional email provider (USA) — delivers OTPs, security alerts, and account notifications.
If you require the specific identity of each sub-processor (legal entity, registered office, DPA link) for vendor risk diligence, please email privacy@threathunter.com and we will share the complete sub-processor list within two business days. We will notify you at least 30 days in advance before adding or replacing any sub-processor (via the dedicated subscription page or email).
9. International Data Transfers
Our production environment is hosted in Singapore (operated by an enterprise public-cloud provider).
If you are located in the EU, the UK, or another jurisdiction with cross-border-transfer restrictions, your data will be transferred from your home jurisdiction to Singapore. We rely on the following transfer mechanisms:
- EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), as the legal basis for transfers out of the EU;
- The UK International Data Transfer Addendum (IDTA), applicable to UK data; and
- The Data Processing Agreement (DPA) we sign with each sub-processor incorporates the corresponding SCCs / IDTA.
If you would like a copy of the SCCs / IDTA we use, please email privacy@threathunter.com.
10. Security Measures
We have implemented appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, misuse and alteration:
- Layered access controls — infrastructure segmented by zone, environment, and service, with least-privilege defaults;
- Proactive intelligence-based controls — informed by our own threat intelligence;
- Information security management across all assets and business processes;
- Network security — segmentation, encrypted protocols, firewalls, TLS 1.2+;
- 24/7 incident management with end-to-end threat-hunting capabilities;
- Vulnerability and patch management across all systems;
- Encryption — data at rest (AES-256) and in transit (TLS 1.2+); credentials hashed with bcrypt / argon2 and sensitive secrets stored in a Secret Manager.
11. Cookies
We use cookies to improve your browsing experience and the security of our service. See our Cookie Policy for the categories, purposes, retention periods, and the controls available to you.
12. Your Rights
Subject to applicable data-protection laws, you have the following rights:
- Right of access — to receive a copy of the personal data we hold about you;
- Right to rectification — to have inaccurate or incomplete information corrected;
- Right to erasure ("right to be forgotten") — to request deletion of your personal data;
- Right to restriction of processing — to ask us to limit how we process your data;
- Right to object — to processing that we base on our legitimate interests;
- Right to data portability — to receive the data you provided in a machine-readable format or have it transmitted to another controller;
- Right to withdraw consent — where we process on the basis of consent, you may withdraw it at any time (without affecting processing carried out before withdrawal);
- Right to be informed — about how we process your personal data; and
- Right to lodge a complaint with the relevant supervisory authority:
  - EU: the data-protection authority of your member state;
  - UK: the Information Commissioner's Office (ICO) — ico.org.uk;
  - Singapore: the Personal Data Protection Commission (PDPC) — pdpc.gov.sg;
  - California: the California Privacy Protection Agency (CPPA) — cppa.ca.gov.
How to exercise your rights:
- Use the self-service controls in your account: Settings → Privacy & Data Controls (export, deletion, withdraw marketing); or
- Email privacy@threathunter.com with the subject "DSR Request — [access / deletion / etc.]".
We will respond within 30 days (the statutory deadline under GDPR / PDPA). Complex requests may be extended by up to 60 days, in which case we will notify you in advance.
13. Customer Responsibilities
By the nature of threat intelligence queries, your queries may concern third-party individuals (suspected fraudsters, victims, or other related parties). You are responsible for ensuring that, whenever you submit a query involving an identifiable individual, you have a lawful purpose and a legitimate basis for doing so — for example, investigating fraud against your company, brand protection, or fulfilling regulatory obligations.
See Terms of Service §5 and the Acceptable Use Policy for the full obligations.
14. Children's Privacy
Our products and services are not intended for children (under 16, or the higher age applicable in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have inadvertently collected children's data, please email privacy@threathunter.com and we will delete it immediately.
15. Third-Party Links
Our website may include links to third-party sites. We are not responsible for the privacy policies and practices of those sites, and we recommend that you review their policies before interacting with them.
16. Keeping Your Information Up to Date
If any personal data we hold about you needs to be corrected or updated, please update it directly through your account settings or email privacy@threathunter.com.
17. Data Breach Notification
In the event of a personal data breach affecting you:
- Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you by email or in-product banner within 72 hours of becoming aware of it;
- We will also notify the relevant supervisory authority in accordance with our legal obligations; and
- The notification will describe the nature of the breach, its likely impact, the measures we have taken or propose to take, and contact details for further information.
18. Updates to This Policy
This Policy may be updated from time to time. We will:
- Display a notice at the top of the website for material changes (held for at least 30 days);
- Notify all active customers by email for material changes; and
- Require re-consent on the next login for material changes (comparing the version you accepted against the current version).
"Material changes" include adding new processing purposes, expanding data-sharing categories, adding sub-processors, or changing cross-border-transfer mechanisms. Minor edits (typo fixes, link updates) are not separately notified.
Historical versions are available on request from privacy@threathunter.com.
19. Contact Us
| Purpose | Contact |
|---|---|
| General privacy enquiries | privacy@threathunter.com |
| Data Subject Rights (DSR) requests | Settings → Privacy & Data Controls, or privacy@threathunter.com |
| Security incidents / vulnerability disclosure | security@threathunter.com |
| General support | support@threathunter.com |
| Postal address | THREATHUNTER TECHNOLOGIES PTE. LTD, 176 Orchard Road #05-05, The Centrepoint, Singapore 238843 |
If you are an EU / UK / California resident and prefer to communicate in your local language, please mention this in your email and we will make reasonable efforts to accommodate.
Last updated: 2026-05-11 · Version: 2026-05-11