Threat Landscape Product Privacy Policy

Last Updated: 2026-05-12

This Product Privacy Policy explains how Ecliptica Labs AB, a company incorporated under the laws of Sweden with its principal place of business at Box 6351, 102 35 Stockholm, Sweden, corporate registration number 5591448443 ("Ecliptica Labs", "we", "us", or "our"), processes personal data in connection with logged-in use of Threat Landscape Platform, Threat Landscape Copilot, Threat Landscape API, and related account, administration, support, and security functions (collectively, the "Product Services").

This Product Privacy Policy supplements, but does not replace, any applicable Order Form, Master Subscription Agreement, Data Processing Agreement (DPA), or other contract entered into with a customer organization. Where we process Customer Data on behalf of a customer organization under an applicable DPA, the DPA and governing contract documents control to the extent of any conflict.

1. Roles and Scope

Depending on context, Ecliptica Labs may act in different privacy roles in connection with the Product Services:

- as a controller for account creation, subscription administration, support, security, abuse prevention, and certain operational records; and
- as a processor for Customer Data or other data submitted by or on behalf of a customer organization where an applicable DPA or contract provides that role allocation.

This Product Privacy Policy is intended to give authorized users and customer organizations a practical overview of how personal data may be handled within the Product Services.

2. Personal Data We Process

We may process the following categories of personal data in connection with the Product Services:

- account and identity data, such as names, business email addresses, job titles, usernames, and access roles;
- authentication data, such as password hashes, session information, and login events;
- billing and administration data, such as subscription tier, billing contact details, VAT information, and order status, especially where a self-serve subscription is purchased through LemonSqueezy;
- technical and security data, such as IP addresses, device or browser identifiers, audit logs, connection metadata, and security event logs;
- product usage data, such as saved filters, queries, API requests, workspace settings, and support interactions; and
- customer-submitted content, including any incidental personal data a user chooses to submit through search fields, product inputs, API payloads, Copilot prompts, support requests, or similar features.

Although the Product Services are not intended for the submission of unnecessary personal data, users may choose to submit personal data through free-text fields or other inputs. If that occurs, the information may be processed as part of Customer Data or other operational records, subject to the applicable contract and this Product Privacy Policy.

3. Purposes of Processing

We process personal data in connection with the Product Services for the following purposes:

- creating and administering user accounts;
- authenticating users and maintaining secure sessions;
- delivering Threat Landscape Platform, Threat Landscape Copilot, and Threat Landscape API functionality;
- storing user-requested product settings, such as saved filters and other workspace preferences;
- administering subscriptions, account status, and support requests;
- preventing fraud, abuse, and unauthorized activity;
- monitoring, maintaining, and improving product security, resilience, and reliability; and
- complying with legal, tax, regulatory, and contractual obligations.

If a customer does not order or enable Threat Landscape Copilot, we do not intend to send that customer's Product Services data to Google Cloud (Gemini) or another LLM provider for Copilot functionality.

4. Legal Bases

Where Ecliptica Labs acts as a controller, our processing is based on one or more of the following legal grounds:

- contractual necessity under Art. 6(1)(b) GDPR, to provide the Product Services and administer subscriptions;
- legitimate interests under Art. 6(1)(f) GDPR, including product security, abuse prevention, account administration, support, and maintaining user-requested settings such as saved filters; and
- legal obligations under Art. 6(1)(c) GDPR, including compliance, accounting, and dispute-handling requirements.

Where Ecliptica Labs acts as a processor, we process personal data on documented instructions from the relevant customer organization as described in the applicable DPA or contract.

5. Service Providers and Subprocessors

We use service providers and subprocessors in connection with the Product Services, including:

- Supabase, for authentication and database hosting;
- Cloudflare, for proxying, network protection, and security;
- Google Cloud (Gemini), for Threat Landscape Copilot functionality where Copilot is ordered or enabled; and
- LemonSqueezy, for self-serve billing and merchant-of-record services where applicable.

Further details about subprocessors and transfer mechanisms may be set out in the applicable DPA.

6. International Transfers

Where personal data is transferred outside the European Economic Area ("EEA"), we rely on appropriate safeguards, such as Standard Contractual Clauses (SCCs) or another lawful transfer mechanism, where applicable.

7. Retention

We retain account and authentication data for the duration of the applicable subscription and generally delete or deactivate it within ninety (90) days after termination, unless a longer retention period is required for security, backup, legal, or dispute-resolution reasons.

Customer-submitted content, audit logs, support records, saved filters, and other product records may be retained for the duration of the subscription and for a limited period thereafter as necessary for backup integrity, contractual compliance, support continuity, security investigations, or legal obligations.

8. Your Rights

Under GDPR, data subjects may have the right to access, correct, delete, restrict, object to, or port personal data, subject to applicable limitations.

If a request relates to Customer Data processed on behalf of a customer organization, the requesting user may need to contact their employer or the relevant customer organization first. We will assist customer organizations in responding to such requests where required by the applicable DPA or law.

You may also have the right to lodge a complaint with a supervisory authority, including Integritetsskyddsmyndigheten (IMY) in Sweden.

Requests may be submitted using the contact details in Section 11.

9. Security

We implement appropriate technical and organizational measures designed to protect personal data in the Product Services, including measures such as access controls, secure password handling, encryption where appropriate, and security monitoring. No system can guarantee absolute security.

10. Changes to This Policy

We may update this Product Privacy Policy from time to time. The updated version will be posted with a revised "Last Updated" date.

11. Contact Information

For questions about this Product Privacy Policy, contact:

Ecliptica Labs AB
Box 6351
102 35 Stockholm, Sweden