Privacy Policy

How we collect, use, and protect your personal data.

Last updated: 2026-04-18

1. Data Controller

Black Cat Security, a Individual registered at RCS Paris 123 456 789, with its registered office at 123 Rue Example, 75001 Paris, France, is the data controller for the processing of personal data described in this Privacy Policy. Black Cat Security is established in the European Union.

For any questions regarding data protection, you may contact our Data Protection Officer at privacy@blackcatsecurity.fr.

2. Data We Collect

We collect and process the following categories of personal data in connection with the provision of our services:

Account data: your name, email address, organization name, and role within your organization, collected during registration and account management.
Usage data: information about how you use our service, including feature usage, interaction logs, and session activity, collected to improve our platform.
Technical data: IP address, browser type and version, device information, operating system, and referral URLs, collected automatically when you visit our website or use our service.
Payment data: billing information processed by our Merchant of Record, Paddle. We do not store credit card numbers or bank account details on our servers. Paddle handles all payment processing in accordance with PCI DSS requirements.

3. Purposes and Legal Bases

We process your personal data for the following purposes, each associated with a specific legal basis under the GDPR:

Purpose	Data Categories	Legal Basis
Account management	Account data	Performance of contract (Art. 6(1)(b))
Service delivery	Account data, Usage data, Technical data	Performance of contract (Art. 6(1)(b))
Security monitoring	Technical data, Usage data	Legitimate interest (Art. 6(1)(f))
Customer support	Account data, Usage data	Performance of contract (Art. 6(1)(b))
Analytics and improvement	Usage data, Technical data	Legitimate interest (Art. 6(1)(f))
Marketing communications (B2C)	Account data	Consent (Art. 6(1)(a))
B2B commercial prospection by email to a professional address relating to the recipient's professional function	Account data	Legitimate interest (Art. 6(1)(f)), per CNIL guidance on B2B prospection
Billing and invoicing	Account data, Payment data	Performance of contract via Paddle (Art. 6(1)(b))

Where we rely on legitimate interest, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms.

4. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our website and service. Currently, we use only essential cookies required for the proper functioning of the website and for managing your cookie consent preferences. For complete information about the cookies we use, please refer to our Cookie Policy.

5. Data Sharing and Sub-processors

We share personal data with a limited number of trusted third-party service providers who assist us in operating our platform. Each sub-processor is bound by contractual obligations to protect your data and to process it only in accordance with our instructions.

Sub-processor	Purpose	Location
Cloudflare, Inc.	CDN, hosting, edge compute, DDoS protection	USA (DPF) + EU edge
Paddle.com Market Ltd	Merchant of Record — billing, payments, VAT	United Kingdom (adequacy)
Functional Software, Inc. (Sentry)	Error monitoring	USA (DPF)
Ory Corp	Identity & authentication (Kratos)	Germany (EEA)

The complete and current list, including dates added, is published at /sub-processors.

Paddle acts as our Merchant of Record and independently controls payment data for billing and tax compliance purposes. We do not sell your personal data to third parties.

Where transfer mechanisms above reference adequacy decisions or the EU-US Data Privacy Framework, the Standard Contractual Clauses (Module 2 of Commission Implementing Decision (EU) 2021/914) apply as a fallback should those mechanisms cease to be in force.

6. International Data Transfers

When your personal data is transferred outside the European Economic Area (EEA), we ensure that adequate safeguards are in place. These include transfers to countries benefiting from an adequacy decision by the European Commission, or the use of Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) of the GDPR.

You may request a copy of the applicable safeguards by contacting us at privacy@blackcatsecurity.fr.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

Account data: retained for the duration of the contractual relationship plus 3 years after termination for the management of potential claims.
Usage logs: retained for 6 months from the date of collection (in line with the CNIL's recommendation on the retention of access and security logs).
Billing and invoicing records: retained for 10 years in accordance with French tax and commercial law (Code général des impôts, article L102 B du Livre des procédures fiscales).
Support tickets: retained for 3 years following resolution.

At the end of the applicable retention period, your data is securely deleted or anonymized.

8. Your Rights

Under the GDPR and applicable French data protection legislation, you have the following rights with respect to your personal data:

Right of access: obtain confirmation of whether we process your data and request a copy of it.
Right to rectification: request correction of inaccurate or incomplete data.
Right to erasure ("right to be forgotten"): request deletion of your data where the processing is no longer necessary or you withdraw consent.
Right to data portability: receive your data in a structured, commonly used, machine-readable format.
Right to object: object to processing based on legitimate interest, including for direct marketing purposes.
Right to restriction: request that we limit the processing of your data in certain circumstances.
Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal (Article 7(3) of the GDPR).
Right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you (Article 22 of the GDPR). See Section 10 for our automated processing disclosure.

If you believe that your rights have not been respected, you have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés, www.cnil.fr) or with the supervisory authority of the Member State of your habitual residence, place of work, or place of the alleged infringement, in accordance with Article 77 of the GDPR.

9. How to Exercise Your Rights

You may exercise any of the rights described above by contacting our Data Protection Officer at privacy@blackcatsecurity.fr, or by submitting a request via our online form at /dsr. Please include sufficient information to identify yourself and specify the right(s) you wish to exercise.

We will respond to your request within 30 days of receipt. In exceptional circumstances, this period may be extended by a further two months, in which case we will inform you within the initial 30-day period.

10. Automated Decision-Making

Our service performs automated security risk scoring of SaaS configurations using deterministic policy evaluation (Open Policy Agent / Rego rules). This is not an artificial intelligence system within the meaning of Regulation (EU) 2024/1689 (the EU AI Act), as no machine-learning model is used to infer outputs from data inputs. The scoring prioritises remediation recommendations and does not produce legal effects or similarly significant effects on individuals. If we introduce AI-based features in the future, this section will be updated and the transparency obligations of Article 50 of the AI Act (applicable from 2 August 2026) will be observed.

11. Children's Privacy

Our services are not directed at individuals under the age of 15 (the digital age of consent applicable in France under Article 45 of the French Data Protection Act, derogating from Article 8(1) of the GDPR). We do not knowingly collect personal data from children under 15. If we become aware that we have inadvertently collected personal data from a child under 15, we will take steps to delete that data as soon as reasonably possible. If you believe that a child under 15 has provided us with personal data, please contact us at privacy@blackcatsecurity.fr.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. Material changes will be notified to you by email at least 30 days in advance of taking effect. We encourage you to review this page periodically for the latest information on our privacy practices.

Change history

2026-04-18 — Linked /dsr online form for data-subject-request submissions (mailto MVP pending /v1/dsr backend endpoint).
2026-04-18 — Sub-processor inventory expanded (Sentry, Ory) and canonical list published at /sub-processors.
2026-04-18 — Clarified that automated risk scoring is deterministic (Rego) and not an AI system under EU 2024/1689.
2026-04-18 — Shortened usage-log retention from 12 to 6 months (CNIL guidance).
2026-04-18 — Distinguished B2C consent-based marketing from B2B legitimate-interest prospection (CNIL guidance).
2026-04-18 — Acknowledged right to complain to local EEA supervisory authority (Art. 77).
2026-04-18 — Added GDPR Art. 7(3) consent-withdrawal and Art. 22 automated-decision rights to the rights list.
2026-04-18 — Added explicit SCC fallback statement under sub-processor table.
2026-04-18 — Children's age threshold corrected to 15 (Loi I&L Art. 45).