Huntress Labs Incorporated

Privacy Policy

Effective and Last Updated March 14, 2023

Here at Huntress Labs Incorporated, we take your privacy very seriously. Please read this Privacy Policy carefully as it contains important information on who we are, and how and why we collect, store, use, and share your personal data. It also explains your rights in relation to your personal data and how to contact us in the event you have a complaint.

This Privacy Policy describes the manner in which Huntress Labs Incorporated and its affiliates and subsidiaries (collectively “Huntress”, “Company,” “we” or “us” or “our”) collect, use, maintain, and disclose information from users of our products and services (e.g., Huntress Platform or Huntress Security Awareness Training available at huntress.io and Curricula mycurricula.com, and any subdomains, services, and information available thereon (together with associated and successor websites, services, and information available thereon, or any part thereof, the “Services”)). “You” and “Your” and “Customer” means the individual accessing or using our Services, or the company, or other legal entity on behalf of which such individual is accessing or using our Services, as applicable.

We process personal data on behalf of and under the instruction of our respective business customers, in accordance with this Privacy Policy and, if applicable, our Data Processing Addendum, available at www.huntress.com/legal. Our Services are designed for business customers and their representatives. We do not offer products or services for use by individuals for their personal, family or household purposes. Accordingly, we treat all personal data we collect as pertaining to individuals in their capacities as representatives of the relevant enterprise and not their individual capacities. With respect to such personal data, (1) Huntress is a data processor or subprocessor under the EU and UK General Data Protection Regulations (“GDPR”) and Swiss Data Protection Act (“European Data Protection Laws”) and a service provider under the California Consumer Privacy Act (“CCPA”), and (2) our business customers are the data controllers under European Data Protection Laws. This Privacy Policy describes how Huntress processes personal data as a data processor/subprocessor for the purpose of providing the Services to our customers pursuant to the applicable terms of service with those customers. As data controllers, Huntress’ customers are responsible for disclosing the rights of individuals with respect to their personal data and other information regarding the collection and use of that personal data, in accordance with the European Data Protection Laws, CCPA, and other laws requiring such disclosures.

This Privacy Policy does not relate to our non-Services websites (e.g., www.huntress.com, www.curricula.com), general marketing activities, or cases where Huntress is a data controller. For our Privacy Policy for those activities, and to see our cookie policy, see www.huntress.com/privacy-policy.

Personal Data We Collect About You

The personal data we collect about you depends on the particular products and services we provide to you. We may collect and use the following personal data about you:

• Your name and contact information, including email address and telephone number and company details
• Internet Protocol address
• Your billing information, transaction and payment card information
• Information about how you use our Services and websites
• Computer technical and diagnostic information

We collect and use this personal data for the purposes described in the section "How and why we use your personal data" below. If you do not provide personal data we ask for, it may delay or prevent us from providing products and services to you.

How Your Personal Data is Collected

We collect most of this personal data directly from you—through the setup and use of the Services. However, we may also collect information:

• From cookies on our website—for more information on our use of cookies, please see our website and marketing privacy policy https://www.huntress.com/privacy-policy
• Via our Services, as discussed herein

How and Why We Use Your Personal Data

Under data protection law, we can only use your personal data if we have a proper reason for doing so, such as:

• Where you have given consent
• To comply with our legal and regulatory obligations;
• For the performance of our contract with you or to take steps at your request before entering into a contract –or–
• For our legitimate interests or those of a third party

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own.

The table below explains how we may use (process) your personal data and our basis for doing so:

What we may use your personal data for	Our basis
To provide products and Services to you Update our customer records Communicate with you about changes to our terms or policies or changes to the products or other important notices	To perform our contract with you or to take steps at your request before entering into a contract
To prevent and detect fraud against you or Huntress To enforce legal right or defend or undertake legal proceedings Ensuring business policies are adhered to, e.g., policies covering security and internet use Ensuring the confidentiality of commercially sensitive information Preventing unauthorized access and modifications to systems Protecting the security of systems and data used to provide the  goods and services Operational reasons, such as improving efficiency, training and quality control Statistical analysis to help us manage our business, e.g., in relation to providing cybersecurity services and training Updating customer records Marketing our services to: Existing and former customers Third parties who have previously expressed an interest in our services Third parties with whom we have had no previous dealings Communications with you not related to marketing, including about changes to our terms or policies or changes to the products or other important notices (other than those addressed above) Sharing your personal data with members of our group and third parties that will or may take control or ownership of some or all of our business (and professional advisors acting on our or their behalf) in connection with a significant corporate transaction or restructuring	These activities constitute our legitimate interests. We do not use your personal data for these activities where our interests are overridden by the impact on you (unless you consent or we are otherwise required or permitted to by law). To that end, our interests include such activities that: minimize fraud that could be damaging for you and/or us; protect trade secrets and other commercially sensitive or valuable information; protect systems and data and to prevent and detect criminal activity that could be damaging for you and/or us or third-parties; protect our business, interests and rights; help us be as efficient as we can and to make sure we are following our own internal procedures so we can deliver the best service to you at the best price; make sure that we can keep in touch with our customers about existing orders and new products; help us promote our business to existing and former customers; and to protect, realize or grow the value in our business and assets.
To prevent and detect fraud against you or Huntress To enforce legal right or defend or undertake legal proceedings Ensuring the confidentiality of commercially sensitive information Preventing unauthorized access and modifications to systems Protecting the security of systems and data used to provide the  goods and services	To comply with our legal and regulatory obligations
With your consent	Where we rely on your consent you have the right to withdraw it any time in the manner indicated when you consent or as indicated below or in the Services

Whenever we share personal data, we take all reasonable steps to ensure that it is treated securely and in accordance with this Privacy Policy. This may include without limitation aggregating or de-identifying information so that it is not intended to be used by the third party to identify you.

How and Why We Use Your Personal Data—Marketing

We may use your personal data to send you updates (by email, text message, telephone, or mail) about our products and services, including exclusive offers, promotions, or new products and services.

We have a legitimate interest in processing your personal data for promotional purposes (see above “How and Why We Use Your Personal Data”). This means we do not usually need your consent to send you marketing information. If we change our marketing approach in the future so that consent is needed, we will ask for this consent separately and clearly.

You have the right to opt out of receiving marketing communications at any time by:

• Contacting us at privacy@huntress.com 
• Using the unsubscribe link or following the instructions in communications

We may ask you to confirm or update your marketing preferences if you ask us to provide further products and services in the future, or if there are changes in the law, regulation, or the structure of our business.

We will always treat your personal data with the utmost respect and never sell it to other organizations outside the Huntress Labs Incorporated and subsidiaries group for marketing purposes.

How and Why We Use Your Personal Data—To Create Anonymous, Aggregated, or De-Identified Data

Huntress may create anonymous, aggregated, or de-identified data from your personal data and other individuals whose personal data we collect. We make personal data into anonymous, aggregated, or de-identified data by removing or not utilizing information that makes the data personally identifiable to you. We may use this anonymous, aggregated, or de-identified data and share it with third parties for our lawful business purposes, including to provide the Service, analyze and improve the Service, analyze and report on security risks, and promote our business. For example, in order to promote awareness, detection, and prevention of Internet security risks, Huntress may create and share anonymous, aggregated, or de-identified information (related to, e.g., potential or actual security incidents, malware, security threat data, diagnostic and usage related data, contextual data, threat detections, and indicators of compromise) with research organizations and other security software vendors and professionals via publications, blog posts, or social media, and provided no Customer identifying information is shared without written permission of Customer. Huntress may also make use of statistics derived from the information processed to track and publish reports on security risk trends.

Who We Share Your Personal Data With

We share personal data with:

• Companies within the Huntress Labs Incorporated group
• Third parties we use to help deliver our products and services to you, e.g., payment service providers, warehouses, data analytics, and communication delivery companies
• Other third parties we use to help us run our business, e.g., marketing agencies or website hosts
• Third parties approved by you, e.g., social media sites you choose to link your account to or third party payment providers

We only allow our service providers to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on service providers to ensure they can only use your personal data to provide services to us and to you.

We or the third parties mentioned above occasionally also share personal data with:

• Our external auditors, e.g., in relation to the audit of our accounts, in which case the recipient of the information will be bound by confidentiality obligations
• Our and their professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations
• Law enforcement agencies, courts, tribunals, and regulatory bodies to comply with our legal and regulatory obligations or on-going investigations, or in a good-faith belief that such action is necessary to investigate or protect the health and safety of or against harmful activities to Huntress or its customers, associates, property or to third-parties
• Other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency—usually, information will be anonymised but this may not always be possible. The recipient of any of your personal data will be bound by confidentiality obligations

We will not share your personal data with any other third party.

Who We Share Your Personal Data With—Subprocessors

More details about who we share your personal data with and why are set out in our Subprocessors List, available at www.huntress.com/legal. If you would like more information about who we share our data with and why, please contact us (see "How to contact us" below).

Where Is Your Personal Data Held

Personal data may be held at our offices and those of our group companies, third party agencies, service providers, representatives and agents as described above (see above: "Who We Share Your Personal Data With"). Some of these third parties may be based outside your region. For more information, including on how we safeguard your personal data when this occurs, see below: "Transferring Your Personal Data Out of the UK and EEA".

How Long Your Personal Data Will Be Kept

We will not keep your personal data for longer than we need it for the purpose for which it is used. Following the end of the relevant retention period, we will delete or anonymise your personal data.

Transferring Your Personal Data Out of the UK and EEA

Your personal data may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country, and in some cases, may not be as protective. Specifically, our servers, service providers, and subprocessors are primarily located in the U.S., and we may process your information in jurisdictions where our affiliates/partners and service providers / subprocessors are located. See our Subprocessor List for details. However, we have taken appropriate safeguards to require that your personal data will remain protected in accordance with this Privacy Policy. These safeguards include ensuring we have data protection agreements between us and our service providers and subprocessors to whom we transfer the personal data, which require these companies to protect personal data they process from the EEA, UK, or Switzerland in accordance with applicable data protection law. Huntress offers a Data Processing Addendum with European Commission approved standard contractual clauses, to meet the adequacy and security requirements for our customers that operate in the EEA, UK, or Switzerland, and other international transfers of personal data.

If you would like further information about data transferred outside the UK/EEA, please contact us (see "How to Contact Us" below).

Your Rights

You have the following rights, which you can exercise free of charge:

Access	The right to be provided with a copy of your personal data (the right of access)
Rectification	The right to require us to correct any mistakes in your personal data
Erasure (also known as the right to be forgotten)	The right to require us to delete your personal data—in certain situations
Restriction of processing	The right to require us to restrict processing of your personal data—in certain circumstances, e.g., if you contest the accuracy of the data
Data portability	The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations
To object	The right to object: • at any time to your personal data being processed for direct marketing • in certain other situations to our continued processing of your personal data, e.g., processing carried out for the purpose of our legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defense of legal claims
Not to be subject to automated individual decision-making	The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you
Right to withdraw consents	If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time You may withdraw consents by contacting Huntress Privacy at privacy@huntress.com Withdrawing a consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn

If you would like to exercise any of those rights, please:

• Contact Huntress Privacy at privacy@huntress.com or at the mailing address below in the “How to Contact Us” section.
• Provide enough information to identify yourself (e.g,, your full name, email address(es), and company name) and any additional identity information we may reasonably request from you
• Let us know what right you want to exercise and the information to which your request relates

Whether or not we are required to fulfill any request you make will depend on a number of factors (e.g., why and how we are processing your personal data), if we reject any request you may make (whether in whole or in part) we will let you know our grounds for doing so at the time, subject to any legal restrictions.

Keeping Your Personal Data Secure

We have appropriate security measures in place to prevent personal data from being accidentally lost, used or accessed in an unauthorized way. We limit access to your personal data to those who have a genuine business need to access it. Those processing your personal data will do so only in an authorized manner and are subject to a duty of confidentiality.  We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Huntress is committed to protecting the security of the information it collects and processes. The information is stored on computer servers with limited and controlled access. Huntress operates secure data networks protected by industry-standard firewall and password protection systems. Huntress uses a wide range of security technologies and procedures to protect information from threats such as unauthorized access, use, or disclosure. Our security policies are periodically reviewed and enhanced as necessary, your data is encrypted at rest and in transit, and only authorized individuals have access to the data that we process.

More information about our security practices can be found in our Security Addendum, available at www.huntress.com/legal.

If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.

How to Complain

Please contact us if you have any queries or concerns about our use of your personal data (see below "How to Contact Us"). We hope we will be able to resolve any issues you may have.

You also have the right to lodge a complaint with:

• For users in the European Economic Area – the contact information for the data protection regulator in your place of residence can be found here: https://edpb.europa.eu/about-edpb/board/members_en
• For users in the UK – the contact information for the UK data protection regulator is below:

The Information Commissioner’s Office

Water Lane, Wycliffe House

Wilmslow - Cheshire SK9 5AF

Tel. +44 303 123 1113

Website: https://ico.org.uk/make-a-complaint/ 

• For users in Switzerland – the contact information the Swiss data protection regulator can be found here: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html

Information for California Residents

This section provides additional details about the personal data, or “personal information,” we collect about California consumers and the rights afforded to them under the California Consumer Privacy Act or “CCPA,” as amended by the California Privacy Rights Act or “CPRA”.

California law requires that we detail the categories of personal information that we collect and disclose for certain “business purposes,” such as to service providers that assist us with securing our services or marketing our products, and to such other entities as described in earlier sections of Privacy Policy. In addition to the information provided above in the “Personal Data We Collect About You” section, we may collect the following categories of personal information from you, your employer, data analytics providers, and third-party services providers for our business purposes:

• Identifiers/contact information;
• Commercial information;
• Internet or electronic network activity information;
• Financial information;
• Geolocation information;
• Professional or employment-related information;
• Audio and visual data;
• In limited circumstances where allowed by law, information that may be protected under California or United States law; and
• Inferences drawn from any of the above categories.

We collect this information for the business and commercial purposes described in the “How and Why We Process Your Personal Data” section above. We share this information as described in the “Who We Share Your Personal Data With” section above. Huntress does not sell (as such term is defined in the CCPA or otherwise) the personal information we collect (and will not sell it without providing a right to opt out). We may also share personal information (in the form of identifiers and internet activity information) with third party advertisers for purposes of targeting advertisements on non-Huntress websites, applications, and services. In addition, we may allow third parties to collect personal information from our sites or services if those third parties are authorized service providers who have agreed to our contractual limitations as to their retention, use, and disclosure of such personal information, or if you use our sites or services to interact with third parties or direct us to disclose your personal information to third parties.

Subject to certain limitations, the CCPA provides California consumers the right to request to know more details about the categories or specific pieces of personal information we collect (including how we use, disclose, or may sell this information), to delete their personal information, to opt out of any “sales”, to know and opt out of sharing of personal information for delivering advertisements on non-Huntress websites, and to not be discriminated against for exercising these rights.

California consumers may make a request pursuant to their rights under the CCPA by contacting us at privacy@huntress.com. We will verify your request using the information associated with your account, including email address. Government identification may be required. Consumers can also designate an authorized agent to exercise these rights on their behalf. Authorized agents must submit proof of authorization.

Changes to This Privacy Policy

We may change this privacy notice from time to time – when we do we will inform you via our website.

How to Contact Us

You can contact us by mail or email if you have any questions about this privacy policy or the information we hold about you, to exercise a right under data protection law or to make a complaint.

Our contact details are shown below:

Huntress Labs Incorporated

6021 University Blvd, Ste 450
Ellicott City, MD 21043

privacy@huntress.com