Privacy Policy

Effective Date: 23 February 2026
Last Updated: 23 February 2026

// 01

Introduction

CrowsNest Systems, Inc. ("CrowsNest," "we," "our," or "us") is a cybersecurity software company providing governance, risk, and compliance automation platforms for enterprise customers.

We are committed to protecting personal data and complying with:

  • The EU General Data Protection Regulation (EU) 2016/679 ("GDPR")
  • The UK GDPR
  • The EU-U.S. Data Privacy Framework (DPF)
  • The Swiss-U.S. Data Privacy Framework
  • Applicable U.S. federal and state privacy laws

This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when:

  • you visit our website
  • you engage with us as a customer or prospect
  • you use our products
  • you interact with us in a professional capacity

// 02

Roles and Scope of Processing

CrowsNest operates in two distinct roles:

2.1 Controller

We act as a data controller when we process personal data for:

  • website visitors
  • marketing communications
  • event participation
  • business contact management
  • recruitment activities

2.2 Processor

We act as a data processor when we process personal data on behalf of our enterprise customers in connection with our cybersecurity automation platform. In those cases:

  • we process data solely pursuant to a Data Processing Agreement (DPA)
  • customers determine the purposes and means of processing
  • we implement appropriate technical and organizational safeguards

// 03

Categories of Personal Data We Collect

3.1 Website & Marketing Data (Controller)

  • Name
  • Business email address
  • Company name
  • Job title
  • Phone number (if provided)
  • IP address
  • Browser/device information
  • Cookie identifiers

3.2 Customer & Account Data (Controller)

  • Account administrator details
  • Contract and billing contact information
  • Business communications

3.3 Product Data (Processor)

Depending on customer configuration, our platform may process:

  • usernames
  • corporate email addresses
  • access logs
  • system identifiers
  • role/permission mappings
  • security telemetry metadata

Our platform is not designed to intentionally collect:

  • sensitive personal data
  • biometric data
  • health data
  • consumer behavioral profiling data

// 04

Legal Bases for Processing (GDPR)

Where GDPR applies, we rely on the following legal bases:

  • Article 6(1)(b) – Performance of a contract
  • Article 6(1)(f) – Legitimate interests
  • Article 6(1)(a) – Consent (where required)
  • Article 6(1)(c) – Legal obligation

Legitimate interests include:

  • improving our services
  • securing our systems
  • preventing fraud
  • business development activities

// 05

Data Privacy Framework (DPF) Participation

CrowsNest Systems, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. CrowsNest Systems, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) and the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and Switzerland in reliance on the EU-U.S. DPF and the Swiss-U.S. DPF.

If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the applicable Principles shall govern.

CrowsNest Systems, Inc. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

CrowsNest currently relies on the EU-U.S. DPF and Swiss-U.S. DPF for personal data other than human resources data. CrowsNest does not rely on the DPF for human resources data transferred in the context of the employment relationship.

In accordance with the DPF Principles:

  • We provide individuals with the opportunity to access personal data about them.
  • We will take reasonable steps to correct, amend, or delete personal data that is inaccurate or processed in violation of the DPF Principles.
  • We remain responsible and liable under the DPF Principles if third parties that we engage to process personal data on our behalf do so in a manner inconsistent with the Principles, unless we prove we are not responsible for the event giving rise to the damage.

For more information about the Data Privacy Framework program, please visit: https://www.dataprivacyframework.gov/

// 06

International Data Transfers

CrowsNest is headquartered in the United States. Personal data may be transferred to and processed in:

  • the United States
  • the European Union
  • other jurisdictions where our subprocessors operate

We ensure lawful transfer mechanisms through:

  • Data Privacy Framework certification
  • Standard Contractual Clauses (SCCs) where required
  • Contractual Data Processing Agreements

// 07

Data Sharing & Onward Transfers

We may share personal data with:

  • cloud infrastructure providers
  • hosting providers
  • security service providers
  • analytics providers
  • payment processors
  • professional advisors (legal, accounting)

All subprocessors:

  • are bound by written agreements
  • must implement appropriate security safeguards
  • must only process data consistent with our obligations

We remain liable under the DPF Principles for onward transfers. We do not sell personal data.

// 08

Data Security

We implement appropriate technical and organizational measures, including:

  • Encryption in transit (TLS 1.2+ / 1.3)
  • Encryption at rest (where applicable)
  • Access controls and RBAC
  • Audit logging
  • Secure software development lifecycle (SDLC)
  • Vulnerability management
  • Incident response procedures

Security controls are regularly reviewed and tested.

// 09

Data Retention

We retain personal data only as long as necessary for:

  • contractual obligations
  • legal requirements
  • legitimate business purposes

When data is no longer required, it is securely deleted or anonymized.

Processor data is retained in accordance with customer instructions.

// 10

Individual Rights (GDPR)

If you are located in the EU/EEA, you have the right to:

  • access your personal data
  • rectify inaccurate data
  • erase data ("right to be forgotten")
  • restrict processing
  • data portability
  • object to processing
  • withdraw consent

Requests may be submitted to: privacy@crowsnestsecurity.com

If unsatisfied, you may lodge a complaint with your local supervisory authority. Individuals whose personal data is transferred to the United States in reliance on the EU-U.S. DPF or Swiss-U.S. DPF also have the right to access, correct, amend, or delete that data where inaccurate or processed in violation of the DPF Principles.

// 11

Disclosures Required by Law

CrowsNest Systems, Inc. may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

We will only disclose personal information where required to do so by applicable law, regulation, subpoena, court order, or other valid legal process. Where legally permitted, we will take reasonable steps to notify the affected individual prior to such disclosure.

CrowsNest will assess each request to ensure that any disclosure is legally required and proportionate, and we will not disclose personal information in response to informal or non-binding requests.

// 12

Dispute Resolution

In compliance with the EU-U.S. DPF and the Swiss-U.S. DPF, CrowsNest Systems, Inc. commits to resolve complaints about our collection or use of personal data transferred in reliance on the DPF.

Individuals with inquiries or complaints should first contact us at: privacy@crowsnestsecurity.com

If a complaint cannot be resolved through our internal process, CrowsNest Systems, Inc. has agreed to participate in the independent dispute resolution procedures provided by:

JAMS

https://www.jamsadr.com/DPF-Dispute-Resolution

The services of JAMS are provided free of charge to individuals for the purpose of resolving DPF-related complaints.

Under certain conditions, individuals may invoke binding arbitration to address residual complaints not resolved by other mechanisms.

// 13

Choice

CrowsNest Systems, Inc. provides individuals with the opportunity to choose (opt out) whether their personal data is:

  • disclosed to a third party not acting as an agent on our behalf, or
  • used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individual.

Individuals may exercise this choice at any time by contacting us at: privacy@crowsnestsecurity.com

CrowsNest will provide individuals with clear, conspicuous, and readily available mechanisms to exercise their opt-out rights. Opt-out requests will be honored prior to any onward disclosure of personal data to a non-agent third party or prior to use of the data for a materially different purpose.

We do not sell personal data.

// 14

Cookies and Tracking Technologies

We use cookies and similar technologies for:

  • essential website functionality
  • security
  • analytics
  • performance monitoring

Users may manage cookie preferences through browser settings. Where required by law, we obtain consent before deploying non-essential cookies.

// 15

Children's Data

Our services are directed to enterprises and not to individuals under 16. We do not knowingly collect personal data from children.

// 16

Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be:

  • posted on our website
  • communicated to customers where required

// 17

Contact Information

CrowsNest Systems, Inc.

131 Continental Dr, Suite 305
Newark, DE 19713, US

Email: privacy@crowsnestsecurity.com

Website: www.crowsnestsecurity.com

EU Representative

Robert Erenberg-Andersen

Email: robert@crowsnestsecurity.com