Legal

Privacy Policy

Effective [INSERT DATE] · Last updated [INSERT DATE]


Table of Contents

  1. Scope of This Privacy Policy
  2. Information We Collect
  3. How We Use Information
  4. Artificial Intelligence Processing
  5. Sources, Purposes, and Disclosures of Personal Information
  6. Information Sharing and Disclosure
  7. Service Providers and Subprocessors
  8. Business Transfers
  9. Communications and Marketing Choices
  10. Data Retention
  11. Cookies and Similar Technologies
  12. Security
  13. Your Rights and Choices
  14. U.S. State-Specific Privacy Rights
  15. European Economic Area and United Kingdom Residents
  16. Children's Privacy
  17. No Health Data or Other Prohibited Data
  18. Aggregated and De-Identified Information
  19. Data Storage Location
  20. Third-Party Links and Services
  21. Changes to This Privacy Policy
  22. Contact Information
  23. Effective Date

Threat Loom, LLC, doing business as SecureLogic AI ("SecureLogic AI," "Company," "we," "our," or "us"), respects your privacy and is committed to protecting personal information.

This Privacy Policy explains how we collect, use, disclose, store, and protect information when you access or use our website, customer portal, applications, software, subscription services, professional services, newsletters, and related offerings (collectively, the "Services").

This Privacy Policy applies to information we collect from and about users of the Services. Capitalized terms not defined here have the meanings given to them in our Terms of Service.

PLEASE READ THIS PRIVACY POLICY CAREFULLY. IT EXPLAINS WHAT INFORMATION WE COLLECT, HOW WE USE AND SHARE IT, YOUR RIGHTS REGARDING YOUR PERSONAL INFORMATION, AND HOW TO CONTACT US.

1. Scope of This Privacy Policy

This Privacy Policy applies to personal information collected through:

  • The SecureLogic AI website and any related public-facing properties;
  • Customer Accounts and the SecureLogic AI customer portal;
  • Subscription Services, including the Intelligence Brief;
  • Professional Services, including Audit Sprint engagements and advisory work;
  • Marketing, sales, and support communications with SecureLogic AI;
  • Webinars, events, and other engagement activities operated by SecureLogic AI.

This Privacy Policy does not apply to third-party websites, applications, or services that may be linked from the Services. Third parties have their own privacy practices, which we encourage you to review.

2. Information We Collect

We collect personal information from several sources and through several methods. The categories and types of information we collect are described below.

2.1 Information You Provide Directly

We collect information you voluntarily provide, including:

  • Identification and contact information: name, business email address, business phone number (if provided), job title, company or organization name;
  • Account credentials: username, password (stored only as a cryptographic hash), multi-factor authentication settings, account recovery information;
  • Billing information: billing contact, plan selection, and metadata associated with subscriptions (full payment card information is collected and stored exclusively by our payment processor; we do not store complete payment card numbers);
  • Communications: messages, support inquiries, feedback, survey responses, and other communications you send to us;
  • Customer Content: documents, files, prompts, questionnaires, risk assessments, vendor information, policies, procedures, governance documentation, audio recordings, voice inputs, and other materials you submit through the Services.

2.2 Customer Content

Customer Content includes information you submit through the Services in the course of using SecureLogic AI's compliance, risk management, vendor assurance, and governance functionality. Customer Content may contain personal information about your employees, contractors, vendor contacts, and other individuals associated with your business activities.

You are responsible for ensuring that Customer Content does not contain Prohibited Data as defined in our Terms of Service, including Protected Health Information, Social Security Numbers, government-issued identifiers, biometric data, and other categories listed in the Terms of Service.

2.3 Information Collected Automatically

When you access the Services, we automatically collect certain technical and usage information, including:

  • Device and browser information: IP address, browser type and version, operating system, device type, screen resolution, language preferences;
  • Log and usage data: access timestamps, pages and features accessed, actions taken, referral URLs, error logs, and performance metrics;
  • Authentication and security events: login attempts (successful and failed), multi-factor authentication events, password changes, session activity, and security-relevant events recorded in immutable audit logs;
  • Cookies and similar technologies: as described in Section 11 (Cookies and Similar Technologies).

2.4 Information from Third-Party Sources

We may receive information about you from third-party sources, including:

  • Identity providers when you authenticate to the Services using a single sign-on (SSO) provider such as SAML-based corporate identity providers;
  • Our payment processor (Stripe) regarding the status of payments, subscription state, and related billing events;
  • Public sources, business contact databases, and professional networking services, when used for sales and marketing outreach;
  • Service providers and subprocessors that support operation of the Services, as described in Section 7 (Service Providers and Subprocessors).

2.5 Categories of Personal Information Collected

For purposes of applicable U.S. state privacy laws (including the California Consumer Privacy Act), we have collected the following categories of personal information in the preceding twelve (12) months:

  • Identifiers (e.g., name, email address, IP address, account identifiers);
  • Commercial information (e.g., subscription and billing records);
  • Internet or other electronic network activity (e.g., usage logs, access events);
  • Professional or employment information (e.g., job title, company);
  • Inferences drawn from the above to characterize usage patterns and preferences;
  • Content and information you submit as Customer Content, which may include personal information about individuals associated with your business activities.

We do NOT knowingly collect the following categories: biometric information; precise geolocation data; characteristics of protected classifications under California or federal law (except as incidentally included by you in Customer Content); information about racial or ethnic origin, religious beliefs, union membership, or sex life or sexual orientation; genetic data; or other categories of sensitive personal information as defined under CPRA, except where you submit such information in violation of our Terms of Service.

3. How We Use Information

We use personal information for the following purposes:

3.1 Provide and Maintain the Services

To create and maintain Accounts; authenticate users; deliver Subscription Services, Professional Services, and Audit Sprint engagements; generate Deliverables; process payments; provide customer support; communicate about account, billing, and service matters; and ensure the Services function as intended.

3.2 Improve and Develop the Services

To analyze usage patterns, improve platform functionality and user experience, develop new features, troubleshoot issues, measure performance, and conduct research and development. Where feasible, we use aggregated or de-identified information for these purposes.

3.3 Security, Fraud Prevention, and Abuse Detection

To verify identities, authenticate Accounts, detect suspicious or unauthorized activity, investigate security incidents, prevent fraud, enforce the Terms of Service, and protect the rights, property, and safety of SecureLogic AI, our users, and the public.

3.4 Communications and Marketing

To send service-related communications (which may not be opted out of while your Account is active), respond to inquiries, and—where permitted by law and subject to your communications preferences—send marketing communications, product announcements, newsletters, and the Intelligence Brief. You may opt out of marketing communications at any time as described in Section 9 (Communications and Marketing Choices).

3.5 Legal Compliance

To comply with applicable laws, regulations, court orders, and other legal obligations; respond to lawful requests from public authorities; protect our legal rights; resolve disputes; enforce contractual obligations; and meet audit, tax, and recordkeeping requirements.

3.6 Business Operations

To manage business operations, conduct financial and operational reporting, engage with potential or actual business partners, and support corporate transactions such as mergers, acquisitions, or asset sales as described in Section 8 (Business Transfers).

4. Artificial Intelligence Processing

4.1 Use of AI in the Services

Certain features of the Services use artificial intelligence technologies to assist with document analysis, risk identification, governance assessments, compliance readiness activities, content generation, transcription, workflow automation, and operational efficiency. AI-generated outputs are provided as informational aids and are not substitutes for professional judgment.

4.2 Third-Party AI Providers

To provide AI-assisted functionality, we transmit certain information to third-party AI providers. As of the Effective Date, our AI providers include:

  • Anthropic, PBC — large language model services. Information transmitted may include text prompts and contextual information such as vendor names, risk titles, control descriptions, owner identifiers, treatment plans, and document content, used to generate AI-assisted responses, summaries, and Deliverables;
  • OpenAI, OpenAI Global, LLC — speech-to-text transcription services. Voice and audio inputs you submit through voice-enabled features are transmitted to OpenAI for transcription into text.

We select AI providers based on their data handling practices, including their commitments not to use Customer Content for training their foundation models and, where available, zero-retention configurations. AI provider arrangements may change from time to time. Current AI provider information is available upon request to privacy@securelogicai.com.

4.3 AI Model Training

SecureLogic AI does not use Customer Content to train its own proprietary artificial intelligence models. SecureLogic AI does not intentionally submit Customer Content for use as foundation model training data by third-party AI providers.

4.4 Automated Decision-Making

The Services produce automated outputs such as risk scores, posture scores, gap analyses, and AI-generated recommendations. These outputs are advisory in nature and are designed to inform human decision-making rather than replace it. The Services do not make automated decisions producing legal or similarly significant effects without human review.

4.5 Human Review

Authorized SecureLogic AI personnel may review submitted information, including Customer Content, when reasonably necessary to deliver Services, generate Deliverables, conduct assessments, provide support, investigate suspected violations of the Terms of Service, maintain security, or comply with legal obligations. Personnel access is subject to confidentiality obligations and role-based access controls.

5. Sources, Purposes, and Disclosures of Personal Information

5.1 Sources of Personal Information

We collect personal information from the following sources:

  • Directly from you (e.g., when you create an Account, submit Customer Content, contact support);
  • Automatically from your devices and browsers when you use the Services;
  • From identity providers when you use single sign-on (SSO);
  • From our payment processor and other service providers that support the Services;
  • From third-party business and professional information sources for sales and marketing outreach;
  • From other users (e.g., if a colleague invites you to join an Account).

5.2 Business and Commercial Purposes for Collection

We collect and use personal information for the business and commercial purposes described in Section 3 (How We Use Information), including: providing and improving the Services; communicating with users; processing payments; security and fraud prevention; legal compliance; and conducting business operations.

5.3 Categories of Third Parties to Whom We Disclose Personal Information

We disclose personal information to the following categories of third parties for business purposes:

  • Service providers and subprocessors (e.g., cloud hosting, payment processing, AI providers, email delivery, application monitoring) that process information on our behalf;
  • Identity providers, when you authenticate via SSO;
  • Professional advisors (e.g., attorneys, accountants, auditors, consultants) bound by confidentiality obligations;
  • Legal authorities and other parties, in response to lawful requests or to protect rights, property, or safety;
  • Acquirers or successors, in connection with corporate transactions as described in Section 8 (Business Transfers).

5.4 No Sale or Sharing of Personal Information

SecureLogic AI does not sell personal information for monetary consideration and does not share personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA). We do not engage in targeted advertising based on personal information processed across non-affiliated businesses.

We have not sold or shared personal information of California residents or other U.S. state residents in the preceding twelve (12) months.

6. Information Sharing and Disclosure

We disclose personal information only as described in this Privacy Policy and as reasonably necessary to operate the Services, fulfill customer requests, comply with legal obligations, or protect legitimate business interests. Specifically, we may disclose personal information:

  • To service providers and subprocessors as described in Section 7;
  • In response to subpoenas, court orders, or other legal process, or to comply with legal obligations;
  • To enforce our Terms of Service or other agreements;
  • To investigate, prevent, or take action regarding suspected illegal activity, fraud, or security threats;
  • To protect the rights, property, or safety of SecureLogic AI, our users, or others;
  • With your consent or at your direction;
  • In connection with corporate transactions as described in Section 8.

7. Service Providers and Subprocessors

We engage third-party service providers and subprocessors to support operation of the Services. The following table lists current subprocessors that may process personal information on our behalf. This list is updated from time to time.

Subprocessor | Service Provided | Data Processed | Location
--- | --- | --- | ---
Anthropic, PBC | Large language model AI services | Prompts and contextual data (vendor names, risk titles, control data, document content) | United States
OpenAI, OpenAI Global, LLC | Speech-to-text transcription | Voice and audio inputs | United States
Stripe, Inc. | Payment processing and subscription management | Billing contact information, subscription metadata, payment events | United States
Render Services, Inc. | Cloud application hosting and managed databases | All data processed by the Services (in transit and at rest) | United States (Virginia, Oregon)
Cloudflare, Inc. | Content delivery, object storage (R2), DDoS and security services | Uploaded files (e.g., vendor assurance documents), network traffic metadata | United States
Resend, Inc. | Transactional and marketing email delivery | Email addresses, subscriber name, email content (Intelligence Brief, account notices) | United States
Functional Software, Inc. d/b/a Sentry | Application error monitoring and observability | Error events and diagnostic context (with sensitive fields redacted) | United States

Each subprocessor is contractually obligated to process personal information only on our documented instructions and to maintain appropriate security safeguards. We review subprocessors periodically and update this list when subprocessor relationships change.

8. Business Transfers

In the event of a merger, acquisition, financing transaction, reorganization, bankruptcy, dissolution, or sale of all or a portion of our assets, personal information may be transferred to the acquiring party or successor as part of that transaction. In such cases, we will use reasonable efforts to ensure that personal information remains subject to a privacy policy substantially equivalent to this one, and we will provide notice to affected users where required by law.

9. Communications and Marketing Choices

9.1 Service-Related Communications

We may send service-related communications, including account notifications, billing notices, security alerts, policy updates, and important product announcements. These communications are necessary to operate the Services and cannot be opted out of while your Account is active.

9.2 Marketing Communications

With your consent or where permitted by law, we may send marketing communications, product announcements, newsletters, and the Intelligence Brief. You may opt out of marketing communications at any time by:

  • Clicking the "unsubscribe" link included in marketing emails;
  • Adjusting communications preferences within your Account settings;
  • Contacting us at privacy@securelogicai.com.

Even after opting out of marketing communications, you may continue to receive service-related communications as described in Section 9.1.

10. Data Retention

We retain personal information for as long as reasonably necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, enforce agreements, and maintain business records. Specific retention periods vary by category of information:

10.1 Account Information

Account information (including name, email, authentication credentials, and account configuration) is retained for the duration of the Account plus a reasonable period thereafter for business, legal, and security purposes. Following Account termination, Account information may be retained in active systems for up to thirty (30) days and in backup or archival systems for additional periods consistent with our standard backup retention schedule.

10.2 Customer Content

Customer Content is retained for the duration of the applicable Subscription Services or Professional Services and as further described in our Terms of Service. Following Account termination, Customers may request retrieval of eligible Customer Content for up to thirty (30) days. Thereafter, Customer Content may be deleted, archived, anonymized, or otherwise disposed of in accordance with our retention practices.

10.3 Billing and Transactional Records

Billing records and transactional information are retained for at least seven (7) years following the applicable transaction to comply with tax, accounting, and financial recordkeeping obligations.

10.4 Security and Audit Logs

Security audit logs, including authentication events and IP addresses associated with security events, are retained for twelve (12) months from the date of the event, or longer where required for security investigations, legal obligations, or dispute resolution.

10.5 Communications and Support Records

Email communications, support tickets, and similar records are retained for up to three (3) years from the date of the communication.

10.6 Marketing and Subscriber Information

Marketing subscriber information (e.g., Intelligence Brief subscriber lists) is retained until the subscriber unsubscribes or requests deletion.

10.7 Aggregated and De-Identified Information

Aggregated, anonymized, and de-identified information that no longer identifies an individual may be retained and used indefinitely for analytics, benchmarking, research, service improvement, and product development.

11. Cookies and Similar Technologies

We use cookies and similar technologies (collectively, "Cookies") to operate the Services and to provide functionality. The Services use Cookies in the following categories:

11.1 Strictly Necessary Cookies

Strictly necessary Cookies are required for the Services to function. These include Cookies used for authentication, session management, security, and load balancing. Strictly necessary Cookies cannot be disabled through the Services.

11.2 Functional Cookies

Functional Cookies remember choices you make (such as language and display preferences) to provide a more personalized experience. Functional Cookies are optional and may be controlled through browser settings.

11.3 Analytics Cookies

If and when analytics Cookies are used, they help us understand how users interact with the Services so that we can improve them. As of the Effective Date of this Privacy Policy, the Services do not use third-party analytics Cookies (such as Google Analytics).

11.4 Marketing Cookies

As of the Effective Date of this Privacy Policy, the Services do not use third-party marketing or advertising Cookies for cross-context behavioral advertising.

11.5 Managing Cookies

Most web browsers allow you to control Cookies through browser settings. You may also opt out of certain Cookies through any Cookie preference center we provide. Disabling strictly necessary Cookies may impair core Services functionality, including the ability to authenticate.

11.6 Do Not Track Signals

Some browsers offer a "Do Not Track" signal. Because there is no industry-wide standard for how to interpret these signals, we do not currently respond to browser-based Do Not Track signals.

11.7 Global Privacy Control (GPC)

Where required by applicable law, we treat the Global Privacy Control (GPC) signal as a request to opt out of the sale or sharing of personal information. Because we do not sell or share personal information as those terms are defined under applicable law, the GPC signal does not change our practices, but we honor the underlying intent.

12. Security

We maintain administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. Security measures we employ include:

  • Multi-Factor Authentication (MFA) required for all Accounts;
  • Industry-standard encryption of data in transit (TLS);
  • Cryptographic hashing of passwords using industry-standard algorithms;
  • Encrypted storage of multi-factor authentication secrets;
  • Role-based access controls and least-privilege access principles;
  • Logging, monitoring, and immutable audit trails for security-relevant events;
  • Documented incident response and security review procedures;
  • Vendor and subprocessor due diligence and contractual security obligations.

Notwithstanding these measures, no method of transmission, storage, or security control can guarantee absolute security. If you believe your Account or any information related to the Services has been compromised, please contact us immediately at security@securelogicai.com.

13. Your Rights and Choices

Depending on your location and applicable law, you may have certain rights regarding personal information we hold about you. This section provides an overview of these rights; specific rights for residents of California, other U.S. states, and the European Economic Area or United Kingdom are described in Sections 14 and 15.

13.1 Common Rights

Subject to applicable law and exceptions, you generally have the right to:

  • Access the personal information we hold about you and obtain a copy in a usable format;
  • Correct inaccurate or incomplete personal information;
  • Delete personal information, subject to legitimate retention exceptions;
  • Restrict or object to certain processing of personal information;
  • Receive personal information in a structured, commonly used, machine-readable format (data portability);
  • Withdraw consent at any time, where processing is based on consent (this does not affect the lawfulness of processing prior to withdrawal);
  • Lodge a complaint with a privacy regulator or supervisory authority.

13.2 How to Exercise Your Rights

To exercise your rights, please contact us at privacy@securelogicai.com or use any privacy request mechanism we provide through the Services. We will respond to verifiable requests as described in Section 13.3.

13.3 Verification and Response Times

To protect your privacy, we may need to verify your identity before fulfilling a privacy rights request. We may request information sufficient to verify your identity in relation to the request.

We will respond to verifiable requests within the timeframes required by applicable law, generally:

  • Within forty-five (45) days for requests under U.S. state privacy laws (including the CCPA/CPRA), subject to a one-time extension of up to forty-five (45) additional days where reasonably necessary;
  • Within thirty (30) days for requests under the GDPR or UK GDPR, subject to a permitted extension of up to two (2) additional months for complex requests.

13.4 No Discrimination

We will not discriminate against you for exercising your privacy rights. We will not deny Services, charge different prices, or provide a different level of quality solely because you exercised a privacy right, except as permitted by applicable law (for example, where the difference is reasonably related to the value of the data to the Services).

13.5 Authorized Agents

You may designate an authorized agent to make a privacy rights request on your behalf. We may require the authorized agent to provide proof of your written authorization and to verify their own identity.

13.6 Customer Content and Account Owner Requests

If personal information about you is contained within Customer Content submitted by a SecureLogic AI Customer (for example, your employer or a vendor you work with), the Customer is the controller of that information. Privacy rights requests regarding Customer Content should generally be directed to the applicable Customer. We will reasonably cooperate with our Customers in responding to such requests.

14. U.S. State-Specific Privacy Rights

This section describes privacy rights for residents of U.S. states that have enacted comprehensive privacy laws. Where state law provides rights that overlap with the common rights described in Section 13, that section also applies.

14.1 California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), provides you with the following rights:

  • Right to Know: the right to know what categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties to whom we disclose;
  • Right to Delete: the right to request that we delete personal information we have collected from you, subject to certain exceptions;
  • Right to Correct: the right to request that we correct inaccurate personal information;
  • Right to Opt Out of Sale or Sharing: the right to opt out of the sale or sharing of your personal information (we do not sell or share personal information as those terms are defined under the CCPA);
  • Right to Limit Use of Sensitive Personal Information: the right to limit our use and disclosure of sensitive personal information to certain permitted purposes (we do not knowingly collect sensitive personal information for use beyond permitted purposes);
  • Right to Non-Discrimination: the right not to be discriminated against for exercising any of these rights.

To exercise your CCPA rights, contact privacy@securelogicai.com. The disclosures required by the CCPA are provided throughout this Privacy Policy, including in Sections 2, 3, 5, 7, and 10.

14.2 Virginia Residents (VCDPA)

If you are a Virginia resident, the Virginia Consumer Data Protection Act ("VCDPA") provides rights to access, correct, delete, and obtain a portable copy of personal data, and to opt out of targeted advertising, sale, and profiling in furtherance of decisions producing legal or similarly significant effects. We do not engage in targeted advertising or sale of personal data, and our automated processing does not result in legal or similarly significant decisions about Virginia residents without human involvement.

14.3 Colorado Residents (CPA)

If you are a Colorado resident, the Colorado Privacy Act ("CPA") provides rights similar to those described under VCDPA. To exercise these rights, contact privacy@securelogicai.com.

14.4 Connecticut Residents (CTDPA)

If you are a Connecticut resident, the Connecticut Data Privacy Act ("CTDPA") provides rights similar to those described under VCDPA. To exercise these rights, contact privacy@securelogicai.com.

14.5 Utah Residents (UCPA)

If you are a Utah resident, the Utah Consumer Privacy Act ("UCPA") provides rights similar to those described under VCDPA, with certain differences. To exercise these rights, contact privacy@securelogicai.com.

14.6 Texas Residents (TDPSA)

If you are a Texas resident, the Texas Data Privacy and Security Act ("TDPSA") provides rights similar to those described under VCDPA. To exercise these rights, contact privacy@securelogicai.com.

14.7 Oregon Residents (OCPA)

If you are an Oregon resident, the Oregon Consumer Privacy Act ("OCPA") provides rights similar to those described under VCDPA. To exercise these rights, contact privacy@securelogicai.com.

14.8 Other U.S. States

Additional U.S. states have enacted or are enacting comprehensive privacy laws. If you reside in a state with such a law, we will honor applicable rights as required by that law. To exercise rights or inquire about applicable state law protections, contact privacy@securelogicai.com.

14.9 "Shine the Light" Disclosure (California)

California Civil Code Section 1798.83 permits California residents to request information regarding our disclosures of personal information to third parties for the third parties' direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

15. European Economic Area and United Kingdom Residents

If you are located in the European Economic Area ("EEA"), the United Kingdom, or Switzerland, the General Data Protection Regulation ("GDPR") and similar laws may apply to our processing of your personal data.

15.1 Controller and Processor Roles

With respect to personal data of individuals who interact with us directly (such as visitors to our website, marketing subscribers, and Customer Account holders), SecureLogic AI acts as the controller. With respect to personal data contained within Customer Content submitted by Customers, SecureLogic AI generally acts as a processor on behalf of the Customer, who is the controller.

15.2 Lawful Basis for Processing

We process personal data only where we have a lawful basis to do so under the GDPR. Our lawful bases include:

  • Performance of a contract with you or steps taken at your request prior to entering into a contract (e.g., providing the Services, processing payments);
  • Compliance with a legal obligation (e.g., tax recordkeeping, responding to lawful government requests);
  • Legitimate interests pursued by us or a third party, where not overridden by your rights and freedoms (e.g., securing the Services, improving the Services, conducting marketing to business contacts);
  • Consent, where required (e.g., for certain marketing communications or optional cookies).

15.3 GDPR Rights

Subject to applicable law, GDPR provides you with the following rights:

  • Right of access: to obtain confirmation of whether we process your personal data and a copy of that data;
  • Right to rectification: to correct inaccurate or incomplete personal data;
  • Right to erasure (right to be forgotten): to request deletion of personal data in certain circumstances;
  • Right to restrict processing: to limit our processing of personal data in certain circumstances;
  • Right to data portability: to receive personal data in a structured, commonly used, machine-readable format and to transmit it to another controller;
  • Right to object: to object to processing based on legitimate interests, including for direct marketing;
  • Right not to be subject to automated decision-making producing legal or similarly significant effects, except where permitted;
  • Right to withdraw consent at any time where processing is based on consent (without affecting the lawfulness of prior processing);
  • Right to lodge a complaint with the supervisory authority in your country of residence.

15.4 International Data Transfers

SecureLogic AI is established in the United States, and personal data we process is generally transferred to and stored in the United States. Where we transfer personal data of EEA, UK, or Swiss residents to the United States or other jurisdictions outside the EEA, UK, or Switzerland, we rely on appropriate safeguards as required by applicable law, which may include Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Addendum, supplementary measures as appropriate, or other lawful transfer mechanisms.

Copies of the safeguards we rely on may be requested by contacting privacy@securelogicai.com.

15.5 EU Representative and UK Representative

To the extent required by Article 27 of the GDPR or the UK GDPR, we will appoint a representative in the European Union and the United Kingdom. Information about our representative(s), if and when appointed, will be made available in this Privacy Policy or upon request to privacy@securelogicai.com.

16. Children's Privacy

The Services are intended for business and professional use and are directed solely to users who are at least eighteen (18) years of age. We do not knowingly direct the Services to, or knowingly collect personal information from, children under the age of thirteen (13) within the meaning of the Children's Online Privacy Protection Act ("COPPA"), or children under the age of sixteen (16) where applicable under the GDPR or UK GDPR.

If we become aware that we have inadvertently collected personal information from a child without verifiable parental consent (or, where applicable, without verifiable consent appropriate to the child's age under applicable law), we will take reasonable steps to delete the information as soon as practicable. If you believe we have collected personal information from a child, please contact us at privacy@securelogicai.com.

17. No Health Data or Other Prohibited Data

Consistent with our Terms of Service, the Services are not intended or configured to collect, process, store, analyze, or manage:

  • Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act ("HIPAA");
  • Sensitive Personal Information, including Social Security Numbers, government-issued identifiers, financial account numbers (other than via our payment processor), biometric data, precise geolocation, or special-category data as defined under Article 9 of the GDPR;
  • Student education records subject to the Family Educational Rights and Privacy Act ("FERPA");
  • Information of children under the age of thirteen (13) (or, where applicable, sixteen (16)) within the meaning of COPPA or the GDPR-K provisions;
  • Classified information or controlled unclassified information subject to government secrecy requirements;
  • Other categories of Prohibited Data identified in our Terms of Service.

SecureLogic AI does not currently offer Business Associate Agreements ("BAAs") and is not configured or certified to act as a HIPAA Business Associate. By using the Services, you represent and warrant that you will not submit Prohibited Data to the Services.

If you become aware that Prohibited Data has been submitted to the Services, please contact security@securelogicai.com immediately.

18. Aggregated and De-Identified Information

We may create aggregated, anonymized, de-identified, statistical, benchmark, or analytical information derived from personal information and Customer Content. Such information does not identify and cannot reasonably be linked to an individual. We may use and disclose aggregated or de-identified information for any lawful purpose, including research, analytics, service improvement, benchmarking, security enhancement, product development, and operational reporting.

Where we maintain de-identified information, we commit to: (a) take reasonable measures to ensure that the information cannot be associated with an individual; (b) publicly commit to maintain and use the information only in de-identified form and not to attempt to re-identify the information, except as permitted by law (e.g., to test re-identification risk); and (c) contractually obligate any recipient of de-identified information to comply with these requirements.

19. Data Storage Location

Personal information and Customer Content are stored and processed within the United States. Specific Services and subprocessors operate from data center regions in the United States (including the U.S. East and U.S. West regions). We do not currently offer data residency outside the United States.

If you access the Services from outside the United States, please be aware that information you provide may be transferred to, processed in, and stored in the United States, where data protection laws may differ from those of your country. By using the Services, you acknowledge this cross-border transfer where applicable, subject to the safeguards described in Section 15 (International Data Transfers) where applicable.

20. Third-Party Links and Services

The Services may contain links to third-party websites, applications, or services that are not operated by SecureLogic AI. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party websites, applications, or services you access through the Services.

21. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will provide notice by:

  • Updating the "Last Updated" date at the top of this Privacy Policy;
  • Posting a notice within the Services;
  • Sending an email to the address associated with your Account, where appropriate;
  • Other reasonable means of notice.

Updated versions of this Privacy Policy become effective upon publication unless otherwise stated. Your continued use of the Services following the effective date of the updated Privacy Policy constitutes your acceptance of the changes.

22. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Threat Loom, LLC
Doing business as: SecureLogic AI
44 Apple Street, First Floor
Tinton Falls, New Jersey 07724
United States

For privacy requests, please include sufficient detail to allow us to verify your identity and respond to your request. We may follow up to request additional information necessary to fulfill the request.

23. Effective Date

This Privacy Policy is effective as of the Effective Date identified at the top of this document and remains in effect until replaced by a revised version. Prior versions of this Privacy Policy are archived and may be requested by contacting privacy@securelogicai.com.


© 2026 Threat Loom, LLC d/b/a SecureLogic AI. All rights reserved.