Privacy Policy
Effective Date: April 29, 2026
1. Introduction & Scope
ZeroThreat (“ZeroThreat,” “ZeroThreat Inc,” “ZeroThreat.ai,” “we,” “us”) provides an AI-powered automated penetration testing platform for web applications and APIs. This Privacy Policy explains how we collect, use, share, and safeguard personal data in connection with:
- Our marketing website at https://zerothreat.ai (the “Website”); and
- Our SaaS application at https://app.zerothreat.ai (the “Platform”).
Together, the Website and Platform are referred to as the “Services.”
This Policy applies globally and addresses the EU/UK GDPR, California CCPA/CPRA and other U.S. state privacy laws, Canada's PIPEDA, Brazil's LGPD, India's DPDP Act 2023, Australia's Privacy Act, South Africa's POPIA, and other applicable laws. ZeroThreat operates in two distinct privacy roles — sometimes as a Controller and sometimes as a Processor — and Section 3 explains the difference.
2. Key Definitions
- Personal Data — information relating to an identified or identifiable natural person.
- Controller — the entity that decides why and how Personal Data is processed (also called a “Business” under U.S. state law and a “Data Fiduciary” under the DPDP Act).
- Processor — an entity that processes Personal Data on behalf of, and under the instructions of, a Controller (also called “Service Provider” under the CCPA).
- Customer — the organization (or individual) that has subscribed to or is evaluating the Platform.
- Authorized User — an individual the Customer permits to access the Platform.
- Scan Data — data submitted to or generated by the Platform for security scanning, including target URLs, API specifications, authentication credentials provided for authenticated scans, scan results, evidence captures, and AI-generated remediation guidance.
- Sub-processor — a third party we engage to help process Personal Data on a Customer's behalf.
3. Our Two Roles: Controller vs. Processor
ZeroThreat is a Controller for Personal Data we collect for our own purposes — visitors to the Website, prospects, leads, free-trial signups, support contacts, event attendees, and job applicants.
ZeroThreat is a Processor when we handle data on behalf of and under the instructions of a Customer in connection with the Platform — including Scan Data, Authorized User information, and Personal Data of the Customer's own end users that may incidentally appear in scan results. The Customer is the Controller of this data; ZeroThreat processes it solely to deliver the Platform under the subscription agreement and Data Processing Addendum (DPA).
| Aspect | As Controller (Website / Marketing) | As Processor (Platform / Scan Data) |
|---|---|---|
| Who decides purpose & means | ZeroThreat | The Customer (we follow their instructions) |
| Typical data subjects | Website visitors, leads, trial users, applicants | Customer's authorized users; Customer's end users (one layer removed) |
| Legal basis | Consent, contract, legitimate interests, legal obligation | Customer's instructions under the subscription agreement and DPA |
| Retention | Determined by ZeroThreat (Section 10) | Determined by the Customer; default ZeroThreat retention applies if Customer is silent |
| Privacy rights requests | Submit directly to ZeroThreat (Section 13) | Submit to the Customer; ZeroThreat will assist |
4. Personal Data We Collect as a Controller
4.1 Data You Provide
- Identification & contact: name, business email, phone, job title, company, country.
- Account & authentication: username, hashed password, multi-factor authentication factors.
- Sales & support data: demo requests, quote requests, contact-form messages, support tickets, chat conversations (Zoho SalesIQ).
- Marketing & event data: newsletter subscriptions, webinar registrations, survey responses.
- Job applicant data: résumés, work history, references, voluntary diversity information (where lawful) — see Section 17.
- Payment data: billing contact, billing address, tax IDs. Full card data is handled by our payment processors and is not stored on our systems.
4.2 Data Collected Automatically
When you visit the Website or use parts of the Platform we automatically collect device and browser data (IP address, device type, browser, OS), usage data (pages viewed, links clicked, session duration), approximate geolocation derived from IP, and cookie/tag identifiers. Tools used include Google Analytics 4, Google Ads, Microsoft Clarity, Microsoft Advertising, LinkedIn Insight Tag, Zoho PageSense, Zoho SalesIQ, and CookieScript.
4.3 Data from Third Parties
We may receive Personal Data from business-contact enrichment providers, advertising and analytics partners, channel partners, public sources, background-check providers (for job applicants only), and Single Sign-On / OAuth identity providers you choose to use.
5. Personal Data We Process as a Processor
This Section applies when we act on behalf of a Customer. The Customer is the Controller; we process this data solely to deliver the Platform under the subscription agreement and DPA.
- Account & Authorized User data: Organization details, billing entity, user names and business emails, role/permission assignments, MFA settings, session and audit logs.
- Scan target data: Target URLs, IP addresses, API specifications (OpenAPI, Swagger, Postman, GraphQL), and authentication credentials the Customer supplies for authenticated scanning. We strongly recommend Customers use dedicated, non-production test accounts.
- Scan results: Vulnerability findings, severity classifications, sample HTTP requests/responses, screenshots, and AI-generated remediation guidance. Because the Platform tests the Customer's own applications, scan output may incidentally contain Personal Data of the Customer's end users — the Customer is responsible for the lawful basis and notice for this data.
- Telemetry & platform usage: Feature usage, scan counts, performance metrics, error logs, and audit events used to operate, secure, troubleshoot, and improve the Platform.
6. How We Use Personal Data
6.1 As a Controller
We use Personal Data to operate and secure the Services; respond to inquiries and provide support; provision and bill subscriptions; send transactional and (with your preferences) marketing communications; personalize the Website; run advertising campaigns on Google, Microsoft, and LinkedIn; recruit job applicants; comply with legal obligations and exercise or defend legal claims; and produce aggregated, de-identified analytics.
6.2 As a Processor
We use Personal Data only on the Customer's documented instructions to deliver the Platform, authenticate users, maintain security and audit logs, provide support, and assist with privacy-rights requests. We do not use Customer Scan Data, Account Data, or other Customer-submitted data for our own independent purposes — see Section 7 (AI commitment).
7. Legal Bases & AI/Machine Learning
7.1 Legal Bases (GDPR, UK GDPR, and comparable laws)
Where applicable law requires an identified legal basis, we rely on: (a) performance of a contract — to deliver the Platform and process payments; (b) consent — for non-essential cookies, certain marketing, and optional features (you may withdraw consent at any time); (c) legitimate interests — to operate, secure, and improve the Services, conduct B2B marketing, and prevent fraud; and (d) legal obligation — to meet tax, accounting, employment, and information-security requirements. Where we act as Processor, the legal basis is determined by the Customer.
7.2 AI / Machine Learning
ZeroThreat uses AI to detect, classify, and explain vulnerabilities and to generate remediation guidance. We commit that:
- Non-training commitment: We do not use Customer Scan Data, Account Data, Authorized User credentials, or other Personal Data we process as a Processor to train, fine-tune, or improve any general-purpose, foundational, or shared AI/ML model — whether developed by ZeroThreat or by a third party — without the Customer's prior written consent.
- AI sub-processors: Where we use third-party large language model providers (such as OpenAI, Anthropic, Microsoft Azure OpenAI, Google Vertex AI, or Amazon Bedrock) to deliver AI features, they are engaged as Sub-processors under contracts that prohibit using Customer data to train their own models.
- Human oversight: AI-generated guidance is informational support and is not a substitute for professional judgment. We do not use AI to make decisions producing legal or similarly significant effects on individuals (GDPR Art. 22).
8. How We Share Personal Data
- Sub-processors: Cloud hosting (AWS, Azure, GCP), email and CRM, support tooling, analytics, payment processors, identity/security tooling, and AI/LLM providers.
- Service providers (as Controller): Vendors helping us run the Website, marketing, sales, recruiting, and back-office operations under contractual data-protection terms.
- Advertising partners: Google, Microsoft, and LinkedIn for analytics and targeted advertising. Some of this may constitute “sale” or “sharing” under U.S. state laws — see Section 13.
- Customer-directed integrations: When the Customer enables them, we share data with Jira, GitHub, GitLab, Azure Boards, Slack, Microsoft Teams, CI/CD pipelines, SIEM/SOAR, and SSO providers.
- Legal & regulatory: Where compelled by law, court order, or to protect rights, property, and safety. Where Customer data is involved, we will notify the Customer unless legally prohibited.
- Business transfers: In the event of a merger, acquisition, financing, or sale, subject to confidentiality obligations and applicable law.
- With your consent: For any other purpose with your consent or at your direction.
9. International Data Transfers
ZeroThreat is headquartered in the United States and processes data in the U.S. and other countries where we, our Sub-processors, or our Customers operate. For transfers from the EEA, UK, and Switzerland we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Agreement (IDTA) or UK Addendum, and (where applicable) certifications under the EU-U.S., UK, and Swiss Data Privacy Frameworks. We implement supplementary technical and organizational measures (encryption, access controls, government-request review). For transfers from Brazil, Canada, India, Australia, and South Africa we rely on the transfer mechanisms recognized under each local law.
10. Data Retention
10.1 As Controller
- Marketing leads & prospects: up to 24 months from last meaningful interaction.
- Newsletter subscribers: until you unsubscribe (suppression record retained indefinitely to honor opt-out).
- Free-trial accounts that don't convert: trial data deleted within 30 days of trial expiration.
- Customer billing & contractual records: duration of the contract plus 7 years for tax/accounting obligations.
- Support tickets: 3 years after the last interaction.
- Job applicants: up to 12 months after the application is closed (longer with consent).
- Security & audit logs: 12–24 months.
10.2 As Processor (Customer-Controlled)
Retention is determined by the Customer. By default: scan data and findings are retained for the duration of the subscription; on termination, data is retained for 30 days to permit export, then deleted from production within 60 days and from backups within ~90 days, except where retention is required by law. Customers may delete specific scan data, projects, or accounts at any time via the Platform or by contacting us at netadmin@zerothreat.ai. Aggregated and de-identified data may be retained indefinitely.
11. Security Measures
ZeroThreat maintains an information-security program aligned with ISO/IEC 27001, SOC 2 (Security, Availability, Confidentiality), and — where applicable — HIPAA and PCI DSS. Controls include:
- Encryption: TLS 1.2+ in transit; AES-256 at rest in production databases, object storage, and backups; encrypted key management.
- Multi-tenant isolation: logical separation of Customer environments at every layer.
- Credential handling: Customer-supplied scan credentials are encrypted at rest, redacted from logs and AI prompts, and never displayed in plain text after configuration.
- Identity & access: least-privilege RBAC, mandatory MFA, SSO, just-in-time production access, quarterly access reviews.
- Network & SDLC security: WAF, DDoS protection, IDS, code review, SAST/DAST, dependency and secrets scanning, threat modeling.
- Independent testing: third-party penetration tests at least annually.
- Personnel & vendor: background screening (where lawful), confidentiality agreements, mandatory annual security training, due diligence on Sub-processors.
- Continuity: redundant infrastructure, geographically distributed backups, documented RTO/RPO targets, annual DR testing.
No system is perfectly secure, but we work continuously to improve and validate our controls.
12. Data Breach Notification
- As Controller: if a breach is likely to risk individuals' rights and freedoms, we notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware (GDPR Art. 33). High-risk breaches are also notified to affected individuals.
- As Processor: we notify the affected Customer without undue delay and in any event no later than 48 hours after confirming the breach (unless a shorter period is specified in the relevant DPA), and provide the information needed for the Customer to meet its own obligations.
- Other jurisdictions: we comply with PIPEDA's “real risk of significant harm” standard, the LGPD, the DPDP Act, and applicable U.S. state breach-notification laws.
13. Your Privacy Rights
Where we act as Processor (Section 3), we forward rights requests to the relevant Customer and assist them in responding. To exercise any right, contact us at the addresses in Section 19. We will verify your identity and respond within the timeframes required by applicable law.
13.1 EEA, UK, and Switzerland (GDPR / UK GDPR)
You have the rights of: access, rectification, erasure, restriction, data portability, objection (including an absolute right to object to direct marketing), withdrawal of consent, and the right not to be subject to solely automated decisions producing legal effects (Art. 22). We respond within one month (extendable by two further months for complex requests). You may also lodge a complaint with your local supervisory authority or with the UK ICO.
13.2 United States — California (CCPA / CPRA)
California residents have the rights to know, delete, correct, opt out of “sale” or “sharing” for cross-context behavioral advertising, limit the use of Sensitive Personal Information, and not be retaliated against for exercising rights. We respond to verifiable requests within 45 days (extendable by another 45 days when reasonably necessary).
We have collected the following CCPA categories in the last 12 months: identifiers; customer records; commercial information; internet/network activity; approximate geolocation; professional/employment information; education information; inferences; and Sensitive Personal Information limited to account log-in credentials used to provide the Platform. We share identifiers and internet/network-activity information with advertising partners (Google, Microsoft, LinkedIn) for cross-context behavioral advertising. We do not sell Personal Information for monetary consideration and do not knowingly sell or share data of consumers under 16.
You may opt out via the “Your Privacy Choices” / “Do Not Sell or Share My Personal Information” link on our Website, our cookie banner (CookieScript), or by emailing privacy@zerothreat.ai. We honor Global Privacy Control (GPC) signals as a valid opt-out.
13.3 Other U.S. State Privacy Laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa, Delaware, New Jersey, New Hampshire, Tennessee, Florida, Maryland, Minnesota, Nebraska, Kentucky, and other states with applicable privacy laws have rights to confirm processing, access, correct, delete, obtain a portable copy, opt out of targeted advertising, sale, and profiling that produces legal effects, and (where required) appeal denials. We honor universal opt-out signals (such as GPC) where required and obtain opt-in consent before processing categories defined as “sensitive” under those laws.
13.4 Other Regions
- Canada (PIPEDA / provincial laws): rights to access, challenge accuracy, withdraw consent, and complain to the OPC or provincial commissioner.
- Brazil (LGPD): rights under Article 18 including access, correction, anonymization/deletion, portability, and information about sharing. We respond within 15 days. Complaints may be lodged with the ANPD.
- India (DPDP Act 2023): rights to confirmation, summary of processing, correction, completion, updating, erasure, and grievance redressal. Consent may be withdrawn at any time. Our Grievance Officer is reachable at privacy@zerothreat.ai.
- Australia (Privacy Act / APPs): rights to access and seek correction; complaints may be referred to the OAIC.
- South Africa (POPIA): rights to notification, access, correction, deletion, and objection; complaints may be referred to the Information Regulator.
- Other regions: if you are in a jurisdiction not listed above, contact privacy@zerothreat.ai and we will honor applicable rights.
14. Cookies & Tracking Technologies
We use cookies and similar technologies on the Website and parts of the Platform for session management, authentication, preferences, analytics, advertising, and consent management. Categories include strictly necessary, functional, performance/analytics, and targeting/advertising. You can manage non-essential cookies through our consent banner or your browser settings. We honor Global Privacy Control where required by law.
15. Children's Privacy
The Services are intended for business customers and their authorized employees and agents. They are not directed to children under 16, and we do not knowingly collect Personal Data from children under 16. If you believe a child has provided data to us, contact privacy@zerothreat.ai and we will investigate and delete it as required by law.
16. Third-Party Links & Integrations
The Services may link to or integrate with third-party services chosen by Customers — including Jira, GitHub, GitLab, Azure Boards, Slack, Microsoft Teams, CI/CD platforms, SSO/identity providers, and SIEM/SOAR tools. We are not responsible for the privacy practices of those third parties; please review their privacy policies.
17. Job Applicants & HR Data
If you apply for a position with ZeroThreat, we collect and process Personal Data necessary to evaluate your application (identification, work history, education, references, right-to-work documentation, interview notes, and — where lawful and voluntary — diversity information). We rely on legitimate interests to assess applications, on consent for optional information, and on legal obligation for verifications. Unsuccessful applicant records are retained for up to 12 months (longer with consent). If you reside in the EEA/UK, California, or other jurisdictions granting applicant rights, the rights described in Section 13 apply to your application data.
18. Changes to This Privacy Policy
We may update this Policy from time to time to reflect changes in our practices, technologies, or legal requirements. The “Last Updated” date indicates when it was last revised. For material changes, we will provide reasonable advance notice through the Website, the Platform, or by email to active Customers. Your continued use of the Services after the effective date constitutes acceptance, except where we are required by law to obtain fresh consent.
19. Contact Us
For privacy questions, requests, complaints, or to exercise any right described in this Policy, please contact us:
Privacy Team (preferred): privacy@zerothreat.ai
General Inquiries: hello@zerothreat.ai
Postal Mail:
ZeroThreat Inc
108 W. 13th Street, Suite 100
Wilmington, DE 19801-1145
USA