Last updated: April 2026
Account data: Name, email, password (hashed), organisation name. Usage data: Exercise completions, scores, performance metrics. Integration data: SIEM/XDR API credentials (encrypted), alert metadata (titles, severities — not full event payloads). Technical data: IP address, browser type, access timestamps.
To provide the Service: generating exercises, tracking performance, producing reports and certificates. To improve the platform: aggregated, anonymised analytics. To communicate: service emails, weekly reports (opt-out available). We never sell your data to third parties.
When you connect security tools, we access alert metadata only (titles, severities, timestamps). We do not store raw event data. Credentials are encrypted at rest using AES-256. Alert data is used solely to generate exercise scenarios and is not shared with other clients or third parties.
Exercise scenarios are generated using Anthropic's Claude API. Your company profile, tool stack, and alert metadata may be included in AI prompts to personalise scenarios. Anthropic does not use API inputs to train models. No personally identifiable information is sent to the AI.
Account data: retained while your account is active and for 30 days after deletion. Exercise data: retained for the duration of your subscription. Certificates: 1 year from issuance. SIEM credentials: deleted immediately when you disconnect a connector.
All data encrypted in transit (TLS 1.3) and at rest. Hosted on Vercel (SOC 2 Type II) and Neon PostgreSQL (SOC 2 Type II). Passwords hashed with bcrypt (12 rounds). MFA available via TOTP.
Under UK GDPR, you have the right to: access your data, rectify inaccuracies, request deletion, restrict processing, data portability, and object to processing. Contact support@threatcast.io to exercise these rights.
We use essential cookies for authentication (NextAuth session token). We do not use advertising or tracking cookies. No third-party analytics cookies.
Data is processed in the EU/US via Vercel and Neon. Anthropic API calls are processed in the US under their data processing agreement.
Data Controller: ThreatCast Ltd, Glasgow, Scotland. Email: privacy@threatcast.io. ICO registration: [pending].