InfoDefenders Privacy Policy
Last updated: June 2026
Introduction
InfoDefenders LLC ("InfoDefenders," "we," "us," or "our") operates the InfoDefenders platform, available at app.infodefenders.com, the marketing website at infodefenders.com, and the InfoDefenders Tool Discovery Browser Extension (collectively, the "Service").
This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have regarding your information. It applies to all visitors to our marketing website, registered users of the platform, and individuals whose browsers have the Browser Extension installed by their organization.
One important distinction is that InfoDefenders operates in two roles, depending on whose data is involved:
- Data Controller — for information we collect directly about you (account registration, marketing website visits, payment information). We determine how and why this data is processed.
- Data Processor — for Customer Data submitted by organizations ("Customers") to the platform (incident reports, tool assessments, governance records). The Customer is the Data Controller of that data; we process it only on their behalf under a Data Processing Agreement.
If you are an employee whose organization has deployed our Browser Extension or added you to the platform, please contact your organization's administrator for information about how they use your data. We process that data under their instructions.
1. Information We Collect
1.1 Information You Provide Directly
Account and Organization Registration — When you create an account, we collect:
- Your name and email address
- Your organization name and industry
- Your chosen password (stored as a cryptographic hash — we never store your plaintext password)
- Your role within the organization
Profile and Team Management — When you update your profile or invite team members, we collect names and email addresses of invited users.
Payment Information — We use Stripe to process payments. When you subscribe to a paid plan, Stripe collects your payment card details directly. We do not store full card numbers or CVV codes. We receive from Stripe only a payment token, the last four digits of your card, card type, and expiration date. Stripe's privacy policy is available at stripe.com/privacy.
Support and Communications — If you contact us for support or by email, we collect the content of your communications and any information you provide.
1.2 Customer Data (Processed on Behalf of Customers)
When Customers use the platform, they may submit data that includes:
- AI tool incident reports, including details of incidents, affected parties, and remediation steps
- AI tool risk assessments, vendor information, and assessment responses
- Governance policies, controls, and evidence attachments
- Submission form responses from employees or third parties who report incidents
This data is Customer Data. We store and process it to provide the Service, but we do not use it for our own purposes, share it with third parties for their independent use, or sell it.
1.3 Browser Extension Data
The InfoDefenders Tool Discovery Browser Extension, when installed and configured by a Customer organization, collects:
- Hostname of visited AI tool domains from the configured watch list (e.g., "chatgpt.com")
- Timestamp of the visit
The Extension does not collect:
- Full URLs or URL paths
- Page titles or page content
- Form data, passwords, or credentials
- Personal identity information (name, email, user account)
- Any content from pages visited
- Browsing history outside the configured AI tool domain list
Extension data is transmitted to the Customer's InfoDefenders organization and is treated as Customer Data under Section 1.2.
1.4 Information Collected Automatically
Log Data — When you access the Service, our servers automatically record: IP address, browser type and version, operating system, referring URL, pages visited, time and date of visits, and error logs.
Cookies and Similar Technologies — We use cookies and similar technologies on our marketing website. See Section 5 (Cookies) for details.
Usage Data — We collect information about how you interact with the platform, such as features used, pages visited within the application, and actions taken. This helps us improve the Service.
1.5 AI Risk Assessment Agent Data
When a Customer uses the AI Risk Assessment Agent, we send selected Customer Data to Anthropic (our AI service provider) to generate draft risk assessment content. This may include:
- AI tool name, vendor name, and deployment context provided by the Customer
- Assessment questionnaire structure and any notes the Customer has entered
- Publicly available information retrieved via web search when the agent feature is used
Agent outputs are drafts intended for human review. Customers can avoid this processing by not using the AI Risk Assessment Agent and completing assessments manually.
2. How We Use Your Information
2.1 To Provide and Operate the Service
- Create and manage your account and organization
- Process subscription payments and send billing receipts
- Authenticate users and enforce session security
- Store, retrieve, and display Customer Data at your direction
- Send transactional emails (registration confirmation, trial expiration, subscription receipts, incident submission notifications)
2.2 To Communicate With You
- Respond to support requests and inquiries
- Send product updates, security notices, and changes to these policies
- Send marketing communications about InfoDefenders products and features (you may opt out at any time; see Section 7)
2.3 To Improve the Service
- Analyze usage patterns and feature adoption to improve the product
- Debug errors and diagnose technical issues
- Conduct internal research and development
2.4 Legal and Safety Purposes
- Comply with applicable laws, regulations, and legal process
- Enforce our Terms of Service
- Protect the rights, property, and safety of InfoDefenders, our Customers, and others
- Detect and prevent fraud, abuse, and security incidents
3. How We Share Your Information
We do not sell your personal information. We share information only as described below.
3.1 Service Providers (Sub-processors)
We share information with trusted third-party service providers who process data on our behalf to operate the Service:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Billing contact info, payment tokens | United States |
| Resend | Transactional email delivery | Email address, email content | United States |
| Hetzner Online | Cloud infrastructure and hosting | All platform data (encrypted at rest) | United States |
| Anthropic | AI Risk Assessment Agent | Tool and vendor context, assessment inputs, web search queries | United States |
| Sentry | Error monitoring and diagnostics | Error logs, request metadata, stack traces | United States |
| Amazon Web Services (S3) | Optional file storage (org logos and avatars) | Uploaded image files | United States |
| Cloudflare | DNS, WAF, and TLS edge services | IP address, request metadata | United States |
| Google Tag Manager | Marketing site tag management | Cookie and page interaction data (with consent) | United States |
| Google Analytics | Marketing site usage analytics | Anonymized/pseudonymized usage data (with consent) | United States |
We maintain data processing agreements with each sub-processor. An up-to-date list of sub-processors is available at infodefenders.com/legal/subprocessors.
3.2 Customer Organizations
If you are a User added to a Customer's organization, your name, email, and activity within that organization may be visible to Admins of that organization.
3.3 Legal Requirements
We may disclose information if we believe in good faith that disclosure is required: (a) to comply with applicable law or legal process; (b) to respond to a valid request from law enforcement or government authority; or (c) to protect the rights, property, or safety of InfoDefenders, our Customers, or the public. Where permitted, we will notify affected Customers before disclosing their data.
3.4 Business Transfers
If InfoDefenders is acquired, merges with another company, or sells all or substantially all of its assets, Customer Data and personal information may be transferred as part of that transaction. We will provide notice before personal information is transferred and becomes subject to a different privacy policy.
3.5 With Your Consent
We may share information for other purposes with your explicit consent.
4. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and User data | Duration of active account + 30 days after termination |
| Customer Data (incidents, assessments, governance) | Duration of active subscription + 30 days after termination |
| Payment records | 7 years as required by tax/financial record-keeping law |
| Log data | 90 days rolling |
| Browser Extension events | Retained as Customer Data; subject to Customer's retention decisions |
| Marketing communications | Until opt-out + 30 days processing lag |
| Support correspondence | 3 years from last contact |
After applicable retention periods, we delete or anonymize personal information. Data retained in encrypted backups is subject to our backup rotation schedule and will be overwritten in the ordinary course.
5. Cookies
5.1 Marketing Website
Our marketing website (infodefenders.com) uses the following categories of cookies. For full details, see our Cookie Notice.
- Strictly necessary cookies — Required for the website to function (session management, security). These cannot be disabled.
- Analytics cookies — Help us understand how visitors use the site (pages visited, time on site). We use Google Tag Manager and Google Analytics 4, which load only after you accept analytics cookies in our consent banner.
- Preference cookies — Remember your cookie consent choice.
We implement Google Consent Mode v2. Analytics storage is denied by default until you accept cookies in the banner. We do not use advertising or tracking cookies, and we do not share cookie data with advertising networks.
5.2 Application
The InfoDefenders application uses strictly necessary session cookies for authentication and security. These are required for the application to function and cannot be disabled while using the Service.
5.3 Cookie Consent
On your first visit to our marketing website, we present a cookie consent banner. Analytics cookies are not set until you accept. You can update your preferences at any time via the cookie settings link in the footer or on our Cookie Notice page.
5.4 Google Fonts
Our marketing website uses Google Fonts, which loads font files from Google's servers. This causes your browser to make a request to Google, which may involve the transmission of your IP address to Google. We use the following fonts: Sora, DM Sans, and DM Mono. You can review Google's privacy policy at policies.google.com/privacy.
6. Data Security
We implement commercially reasonable technical and organizational security measures, including:
- Encryption of data in transit using TLS
- Encryption of data at rest
- Access controls limiting employee access to Customer Data
- Regular automated backups with off-site storage
- Multi-factor authentication options for admin accounts
- Organizational isolation ensuring one Customer cannot access another's data
No security measure is perfect. In the event of a data breach that affects your personal information, we will notify affected parties as required by applicable law.
7. Your Rights and Choices
7.1 Access, Correction, and Deletion
You may access or update your account information at any time through the Settings page in the application. To request deletion of your personal information, contact us at [email protected]. We will process deletion requests within 30 days, subject to any legal retention obligations.
Note for Users in Customer Organizations: If you are a User in a Customer's organization, requests to delete data submitted by your organization (e.g., incident reports you authored) must be directed to your organization's Admin, as that data is Customer Data controlled by the Customer, not by InfoDefenders.
7.2 Marketing Opt-Out
You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting [email protected]. You will continue to receive transactional emails necessary for the operation of your account.
7.3 Rights Under GDPR (EEA, UK, and Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR and applicable data protection law:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — Request deletion of your personal data, subject to legal exceptions.
- Right to restrict processing — Request that we limit how we use your data in certain circumstances.
- Right to data portability — Receive your data in a structured, machine-readable format.
- Right to object — Object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making — We do not make solely automated decisions that produce legal or similarly significant effects on individuals.
To exercise these rights, contact us at [email protected]. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority (in the EU, the relevant data protection authority for your country; in the UK, the ICO).
Legal Bases for Processing (GDPR)
| Processing Activity | Legal Basis |
|---|---|
| Providing the Service to Customers | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails | Contract performance (Art. 6(1)(b)) |
| Processing payments | Contract performance (Art. 6(1)(b)) |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Improving the Service | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
International Transfers
Some of our sub-processors are located outside the EEA (notably Stripe and Resend in the United States). We ensure that transfers are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission or other valid transfer mechanisms under Chapter V of the GDPR.
7.4 Rights Under the CCPA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA provides you with additional rights:
- Right to know — Request disclosure of the categories and specific pieces of personal information we have collected, the purposes for collection, and the categories of third parties with whom we share it.
- Right to delete — Request deletion of your personal information, subject to certain exceptions.
- Right to correct — Request correction of inaccurate personal information.
- Right to opt out of sale or sharing — We do not sell or share personal information as defined under the CCPA.
- Right to non-discrimination — We will not discriminate against you for exercising your CCPA rights.
To submit a CCPA request, contact us at [email protected]. We will respond within 45 days.
Categories of Personal Information Collected (CCPA)
| Category | Collected? | Purpose |
|---|---|---|
| Identifiers (name, email, IP address) | Yes | Account operation, security |
| Commercial information (subscription, billing) | Yes | Payment processing, account management |
| Internet activity (usage logs, cookies) | Yes | Service improvement, security |
| Professional/employment information (org name, role) | Yes | Account operation |
| Sensitive personal information | No | — |
We do not sell personal information to third parties. We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA.
8. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe we have inadvertently collected such information, contact us at [email protected].
9. Third-Party Links
The Service may contain links to third-party websites or services. This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party sites you visit.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address on file) and by posting the updated policy at infodefenders.com/privacy with a new "Last updated" date at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
11. Contact Us
For privacy-related questions, requests, or complaints, contact our privacy team at:
InfoDefenders, LLC
12. Data Processing Agreement
For Customers that are subject to GDPR or other data protection laws requiring a formal data processing agreement, our standard DPA is available at infodefenders.com/legal/dpa. The DPA governs InfoDefenders's processing of personal data on behalf of Customer organizations and includes the sub-processor list, security measures, and Standard Contractual Clauses for international transfers.