Privacy Policy

How we collect, use, and protect your personal data.

Last updated: 2026-03-18

1. Data Controller

Black Cat Security, a Individual registered at RCS Paris 123 456 789, with its registered office at 123 Rue Example, 75001 Paris, France, is the data controller for the processing of personal data described in this Privacy Policy. Black Cat Security is established in the European Union.

For any questions regarding data protection, you may contact our Data Protection Officer at dpo@blackcatsecurity.fr.

2. Data We Collect

We collect and process the following categories of personal data in connection with the provision of our services:

Account data: your name, email address, organization name, and role within your organization, collected during registration and account management.
Usage data: information about how you use our service, including feature usage, interaction logs, and session activity, collected to improve our platform.
Technical data: IP address, browser type and version, device information, operating system, and referral URLs, collected automatically when you visit our website or use our service.
Payment data: billing information processed by our Merchant of Record, Paddle. We do not store credit card numbers or bank account details on our servers. Paddle handles all payment processing in accordance with PCI DSS requirements.

3. Purposes and Legal Bases

We process your personal data for the following purposes, each associated with a specific legal basis under the GDPR:

Purpose	Data Categories	Legal Basis
Account management	Account data	Performance of contract (Art. 6(1)(b))
Service delivery	Account data, Usage data, Technical data	Performance of contract (Art. 6(1)(b))
Security monitoring	Technical data, Usage data	Legitimate interest (Art. 6(1)(f))
Customer support	Account data, Usage data	Performance of contract (Art. 6(1)(b))
Analytics and improvement	Usage data, Technical data	Legitimate interest (Art. 6(1)(f))
Marketing communications	Account data	Consent (Art. 6(1)(a))
Billing and invoicing	Account data, Payment data	Performance of contract via Paddle (Art. 6(1)(b))

Where we rely on legitimate interest, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms.

4. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our website and service. Currently, we use only essential cookies required for the proper functioning of the website and for managing your cookie consent preferences. For complete information about the cookies we use, please refer to our Cookie Policy.

5. Data Sharing and Sub-processors

We share personal data with a limited number of trusted third-party service providers who assist us in operating our platform. Each sub-processor is bound by contractual obligations to protect your data and to process it only in accordance with our instructions.

Sub-processor	Purpose	Location
Cloudflare, Inc.	CDN, hosting, and DDoS protection	USA / EU
Paddle.com Market Ltd	Merchant of Record — billing, payments, invoicing, VAT	United Kingdom

Paddle acts as our Merchant of Record and independently controls payment data for billing and tax compliance purposes. We do not sell your personal data to third parties.

6. International Data Transfers

When your personal data is transferred outside the European Economic Area (EEA), we ensure that adequate safeguards are in place. These include transfers to countries benefiting from an adequacy decision by the European Commission, or the use of Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) of the GDPR.

You may request a copy of the applicable safeguards by contacting us at dpo@blackcatsecurity.fr.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

Account data: retained for the duration of the contractual relationship plus 3 years after termination for the management of potential claims.
Usage logs: retained for 12 months from the date of collection.
Billing and invoicing records: retained for 10 years in accordance with French tax and commercial law (Code général des impôts, article L102 B du Livre des procédures fiscales).
Support tickets: retained for 3 years following resolution.

At the end of the applicable retention period, your data is securely deleted or anonymized.

8. Your Rights

Under the GDPR and applicable French data protection legislation, you have the following rights with respect to your personal data:

Right of access: obtain confirmation of whether we process your data and request a copy of it.
Right to rectification: request correction of inaccurate or incomplete data.
Right to erasure ("right to be forgotten"): request deletion of your data where the processing is no longer necessary or you withdraw consent.
Right to data portability: receive your data in a structured, commonly used, machine-readable format.
Right to object: object to processing based on legitimate interest, including for direct marketing purposes.
Right to restriction: request that we limit the processing of your data in certain circumstances.

If you believe that your rights have not been respected, you have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) at www.cnil.fr.

9. How to Exercise Your Rights

You may exercise any of the rights described above by contacting our Data Protection Officer at dpo@blackcatsecurity.fr. Please include sufficient information to identify yourself and specify the right(s) you wish to exercise.

We will respond to your request within 30 days of receipt. In exceptional circumstances, this period may be extended by a further two months, in which case we will inform you within the initial 30-day period.

10. Automated Decision-Making

Our service performs automated security risk scoring of SaaS configurations. This scoring prioritizes remediation recommendations but does not produce legal effects or similarly significant effects on individuals. The automated assessments are designed to assist security teams in identifying and addressing potential vulnerabilities in their SaaS environments.

11. Children's Privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that data as soon as reasonably possible. If you believe that a child under 16 has provided us with personal data, please contact us at dpo@blackcatsecurity.fr.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. Material changes will be notified to you by email at least 30 days in advance of taking effect. We encourage you to review this page periodically for the latest information on our privacy practices.