Privacy Policy

Last Updated: May 15, 2026

This Privacy Policy explains how HailBytes collects, uses, discloses, and safeguards personal information when you visit our website or use our services, including HailBytes SAT and HailBytes ASM.

1. Information We Collect

1.1 Information You Provide

We collect information that you voluntarily provide to us when you:

  • Register for an account
  • Contact us through forms or email
  • Subscribe to our newsletter
  • Request a demo or book a consultation
  • Deploy our products through AWS or Azure marketplaces

This may include: name, email address, company name, job title, phone number, billing information, and any other information you choose to provide.

1.2 Automatically Collected Information

When you access our website, we automatically collect certain information:

  • Usage Data: Pages visited, time spent, clicks, scrolling behavior
  • Device Information: Browser type, operating system, device type, screen resolution
  • Location Data: Approximate geographic location based on IP address
  • Cookies and Tracking: We use Mixpanel analytics and may use cookies for analytics purposes

1.3 Product Usage Data

For self-hosted deployments of HailBytes SAT and HailBytes ASM on your infrastructure, your application data remains entirely under your control. We do not have access to your phishing campaigns, reconnaissance data, scan results, or any data processed by the applications unless you explicitly share it with us for support purposes.

Analytics and Troubleshooting: Mixpanel analytics for troubleshooting and product improvement are collected only if you explicitly opt in during your first use of the application. This opt-in is entirely voluntary and helps us improve the product. You can change your analytics preferences at any time within the application settings.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Process transactions and send order confirmations
  • Respond to your inquiries and provide customer support
  • Send product updates, security alerts, and administrative messages
  • Analyze usage patterns to improve user experience
  • Detect, prevent, and address technical issues or fraudulent activity
  • Comply with legal obligations and enforce our terms

3. Data Sharing and Disclosure

3.1 Service Providers

We may share your information with third-party service providers who perform services on our behalf:

  • Analytics: Mixpanel for usage analytics
  • Cloud Infrastructure: AWS and Microsoft Azure for hosting
  • Payment Processing: AWS Marketplace and Azure Marketplace billing systems
  • Email Services: For transactional and marketing communications

These providers are contractually obligated to protect your data and use it only for the purposes we specify.

3.2 Legal Requirements

We may disclose your information if required by law or in response to valid legal requests (subpoenas, court orders, government investigations) or to protect our rights, property, or safety.

3.3 Business Transfers

If HailBytes is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you via email and/or a prominent notice on our website of any such change.

4. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: TLS 1.2+ for data in transit, AES-256 for data at rest
  • Access Controls: Role-based access control (RBAC) and multi-factor authentication (MFA)
  • Monitoring: 24/7 security monitoring and logging
  • Compliance: SOC 2 and ISO 27001 framework-aligned practices
  • Regular Audits: Third-party security assessments and penetration testing

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

5. Data Retention

We retain your personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. When you close your account or request deletion, we will delete or anonymize your data within 90 days, except where we must retain it for legal or legitimate business purposes.

6. Your Rights and Choices

Depending on your location, you may have the following rights:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information
  • Portability: Request transfer of your data to another service
  • Opt-Out: Unsubscribe from marketing emails (link provided in each email)
  • Cookie Management: Disable cookies through your browser settings
  • Do Not Track: We respect Do Not Track signals from browsers

To exercise these rights, contact us at privacy@hailbytes.com. We will respond within 30 days.

7. International Data Transfers

For HailBytes ASM and HailBytes SAT product data: there is no international transfer. Both products deploy inside your own AWS or Azure account in the region you choose (Brazilian customers typically pick sa-east-1 or brazilsouth; EU customers pick an EU/EEA region; US customers pick any US AWS or Azure region). Scanned-asset data, employee target lists, phishing-simulation results, and audit logs stay in that region and do not leave it. HailBytes never receives this data, so HailBytes is not a transfer destination for it. See the BYOC architecture statement for the technical detail.

For the limited operational data HailBytes does process (account information, support-portal contents, billing records, marketing-list contacts where consent applies): HailBytes operates from the United States. That information may be transferred to and processed in the United States and other countries where HailBytes' subprocessors operate (see the subprocessor list). By using our services, you consent to the transfer of that information to the United States and other countries.

For purchases routed through AWS Marketplace or Azure Marketplace: the hyperscaler is the reseller of record and the billing-data relationship is between the customer and the hyperscaler's local operating entity (for Brazilian customers, AWS Brasil or Microsoft do Brasil; for EU customers, the relevant local AWS or Microsoft entity). The customer's billing data, marketplace settlement metadata, and tax documents stay inside the hyperscaler's pipeline; HailBytes receives only the settlement metadata necessary to fulfill the subscription (customer name, subscription ID, term, and entitlement). See how to buy HailBytes for the procurement detail.

Transfer mechanisms: for EU/UK users, HailBytes uses Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914) for any operational data transferred outside the EEA, supplemented by the UK Addendum where applicable. For Brazilian users, HailBytes relies on contractual clauses aligned with ANPD Resolution CD/ANPD nº 19/2024. Several US subprocessors are also covered by the EU-U.S. Data Privacy Framework. Full detail in the HailBytes DPA.

8. GDPR Compliance (EU/UK Users)

If you are in the European Union or United Kingdom, you have additional rights under GDPR:

  • Legal Basis: We process your data based on consent, contract performance, legal obligation, or legitimate interests
  • Data Protection Officer: Contact our DPO at dpo@hailbytes.com
  • Complaints: You have the right to lodge a complaint with your local supervisory authority
  • Data Minimization: We collect only the minimum data necessary for our purposes

9. CCPA Compliance (California Users)

California residents have specific rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request disclosure of data collection and sharing practices
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of the "sale" of personal information (we do not sell your data)
  • Non-Discrimination: We will not discriminate against you for exercising your rights

Contact us at privacy@hailbytes.com to exercise these rights.

10. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us, and we will delete such information.

11. Third-Party Links

Our website may contain links to third-party websites (AWS Marketplace, Azure Marketplace, social media). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page with a new "Last Updated" date
  • Sending an email notification to registered users
  • Displaying a prominent notice on our website

Your continued use of our services after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us:

Data Sovereignty Commitment

For self-hosted deployments, your data never leaves your infrastructure. You maintain complete control over where your data is stored, who has access, and how it is processed. This ensures compliance with data residency requirements and gives you maximum privacy and security.