ShieldOps

Privacy Policy

Last updated: March 1, 2025 · Effective: March 1, 2025

REPLACE WITH YOUR LEGAL COMPANY NAME ('ShieldOps', 'we', 'our', 'us') operates a security operations platform and related services. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you access our website, use our platform, or interact with us. We are committed to handling your data with transparency and in accordance with applicable privacy laws.

01 Information we collect

Account information. When you register, we collect your name, work email address, company name, job title, and a password hash. We do not store passwords in plaintext.

Platform usage data. We collect logs of actions taken within the ShieldOps platform — alerts viewed, playbooks executed, dashboard interactions — to support your use of the product, for billing purposes, and to improve the service.

Security telemetry. Our EDR and SIEM integrations collect endpoint telemetry, network flow data, and log events from your infrastructure. This data is processed solely for the purpose of providing threat detection and response services to your organisation and is never used for ShieldOps's own commercial purposes.

Communications. If you contact us via email or our support portal, we retain those communications to resolve your enquiry and improve our support operations.

Cookies and analytics. Our website uses first-party analytics cookies to understand aggregate usage patterns. We do not use third-party advertising trackers. You can opt out via our cookie preference centre or your browser settings.

02 How we use your information

We use collected information to: provision and operate the ShieldOps platform; process and respond to security alerts on your behalf; issue invoices and manage your subscription; send product updates, security advisories, and support communications; comply with legal obligations; and protect the security and integrity of our infrastructure.

We do not sell your personal data to third parties. We do not use customer security telemetry to train machine learning models that benefit other customers without explicit written consent and appropriate data anonymisation.

03 Data sharing and disclosure

Service providers. We share data with sub-processors who provide infrastructure (cloud hosting, email delivery, payment processing) under binding data processing agreements. A current list of sub-processors is maintained at https://shieldops.io/sub-processors and updated 30 days before any material changes.

Legal requirements. We may disclose information if required by law, court order, or government authority. Where permitted, we will notify the affected customer before disclosure.

Business transfers. In the event of a merger, acquisition, or asset sale, customer data may be transferred. We will notify affected customers via email and provide 30 days to export their data before any transfer.

04 Data retention

Account data is retained for the duration of your subscription and for 90 days following termination to facilitate re-activation or data export. Security telemetry is retained per the retention tier in your subscription (default: 12 months; Enterprise: configurable up to 7 years). You may request deletion of personal data at any time by contacting legal@shieldops.io; we will process deletion requests within 30 days.

05 Security of your data

All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Access to customer data by ShieldOps personnel is governed by least-privilege controls and requires manager approval for any direct database access. All such access is logged and reviewed monthly. ShieldOps is designed to support [CUSTOMISE: your compliance commitments, e.g. SOC 2 Type II or ISO 27001]; audit reports are available on request under NDA.

06 Your rights

Depending on your jurisdiction, you have the following rights in relation to your personal data. To exercise any of them, contact legal@shieldops.io with the subject line 'Data Subject Request'. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice).

  • Right of access (Art 15 GDPR / UK GDPR). You may request a copy of the personal data we hold about you and information about how we process it.
  • Right to rectification (Art 16). You may ask us to correct inaccurate personal data or complete incomplete data without undue delay.
  • Right to erasure / 'right to be forgotten' (Art 17). You may request deletion of your personal data where it is no longer necessary for the purpose it was collected, where you have withdrawn consent, or where we have no legitimate grounds that override your interests.
  • Right to restriction of processing (Art 18). You may ask us to suspend processing of your data — for example, while we verify its accuracy or assess an objection you have raised.
  • Right to data portability (Art 20). Where processing is based on consent or contract and carried out by automated means, you may request your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and have it transmitted to another controller where technically feasible.
  • Right to object (Art 21). You may object at any time to processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right not to be subject to automated decision-making (Art 22). You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects on you, unless you have given explicit consent or it is necessary for a contract.
  • Right to withdraw consent (Art 7(3)). Where we process your data on the basis of consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right to lodge a complaint with a supervisory authority. If you believe we have not handled your data in accordance with applicable law, you have the right to lodge a complaint with your local data protection authority. In the UK: the Information Commissioner's Office (ico.org.uk). In Ireland: the Data Protection Commission (dataprotection.ie). In your EEA member state: your national supervisory authority listed at edpb.europa.eu.

California residents have additional rights under the CCPA / CPRA, including the right to know, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising privacy rights. See our GDPR Policy and CCPA disclosures for full details.

07 Do Not Track / Global Privacy Control

Global Privacy Control (GPC). We honour the Global Privacy Control signal. If your browser or extension sends a GPC signal when you visit our site, we treat it as an opt-out of the sale or sharing of your personal data, consistent with the California Consumer Privacy Act (CCPA / CPRA) as amended and applicable US state-privacy laws. No further action is required on your part.

Do Not Track (DNT). We also respect Do Not Track browser signals where technically feasible. When a DNT signal is detected, we limit analytics data collection to essential, non-identifying operational metrics.

Both signals are detected and applied automatically on the client. If you have questions about how these signals affect data processing, contact legal@shieldops.io.

08 Children's privacy

ShieldOps is a business-to-business platform intended for use by organisations and their employees. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has provided us with personal data, contact legal@shieldops.io and we will promptly delete it.

09 Changes to this policy

We may update this policy periodically. Material changes will be communicated via email to account administrators at least 14 days before the effective date. Continued use of the platform after that date constitutes acceptance of the updated policy. The history of policy changes is available at https://shieldops.io/privacy/changelog.

Questions about this policy?

Our legal and privacy team responds within 2 business days.

legal@shieldops.io