// privacy_policy
last_updated: March 2026
1. Introduction
Threadlinqs ("we," "us," "our") operates the threat intelligence platform at intel.threadlinqs.com (the "Platform"). This Privacy Policy describes how we collect, use, store, and protect your personal information when you use the Platform. By creating an account or using the Platform, you acknowledge that you have read and understood this Privacy Policy.
2. Information We Collect
2a. Account Information (provided by you)
- Email address
- Display name (optional)
- Password — stored as a PBKDF2 hash with a per-user cryptographic salt. Your password is never stored or logged in plaintext.
2b. Automatically Collected Information
- IP address (from request headers)
- User agent string (browser type and version)
- Country and city (derived from Cloudflare geo-headers, not precise GPS geolocation)
- Device type (desktop, mobile, or tablet — derived from user agent)
- Session tokens (cryptographically generated, stored server-side)
2c. Usage and Activity Data
We log the following activity types for security monitoring and platform improvement:
- Page views and navigation events
- Search queries within the Platform
- Threat report views
- Detection rule copies
- Library saves and removals
- Simulation views and copies
- Detail tab interactions
2d. Payment Information
Payment processing is handled entirely by Stripe, Inc. ("Stripe"). When you subscribe to a paid tier, you are redirected to Stripe's hosted checkout page. We never receive, process, or store your credit card number, CVV, or full payment card details. We receive and store only: your Stripe customer ID, subscription ID, subscription status (active, canceled, past_due, trialing), the Stripe price ID associated with your plan, and the current billing period end date. For details on how Stripe handles your payment data, see Stripe's Privacy Policy.
2e. Information We Do NOT Collect
- We do not use third-party tracking scripts, advertising pixels, or analytics platforms
- We do not use browser fingerprinting technologies
- We do not collect precise geolocation (GPS coordinates)
- We do not access your contacts, camera, or microphone
3. How We Use Your Information
| Purpose | Lawful Basis (GDPR) |
|---|---|
| Account authentication and access control | Performance of contract |
| Delivering Platform features (threats, detections, IOCs) | Performance of contract |
| Subscription billing and tier management | Performance of contract |
| Daily intelligence debrief delivery (if subscribed) | Consent |
| Security monitoring (rate limiting, session caps, abuse detection) | Legitimate interest |
| Platform improvement and aggregated usage analytics | Legitimate interest |
| Responding to support inquiries | Performance of contract |
| Compliance with legal obligations | Legal obligation |
We do not use your data for advertising, profiling, or automated decision-making. We do not share your data with data brokers.
4. Cookies and Session Data
We use a single session cookie for authentication purposes. This cookie is:
- HttpOnly (not accessible to client-side JavaScript)
- Secure (transmitted only over HTTPS/TLS)
- SameSite=Strict (not sent with cross-site requests)
- Domain-scoped to intel.threadlinqs.com
- Maximum age: 7 days
We do not use marketing cookies, analytics cookies, advertising cookies, or any third-party tracking cookies. We do not participate in cross-site tracking.
5. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Cloudflare | Hosting, CDN, DDoS protection | IP address, request metadata (Cloudflare processes requests before they reach us) |
| Stripe | Payment processing, subscription billing | Email address, Stripe customer/subscription IDs (Stripe collects payment card data directly via their hosted checkout) |
| Resend | Transactional email delivery | Email address (for daily intelligence debrief delivery and verification codes) |
We do not sell, rent, or trade your personal information to third parties. We do not use advertising networks. We do not share data with data brokers.
6. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of a verified account deletion request.
- Session data: Automatically expires and is purged after 7 days.
- Activity logs: Retained for 90 days for security monitoring purposes, then automatically purged.
- Billing records: Stripe customer and subscription IDs are retained for the duration of your account. Stripe independently retains payment records per their retention policy.
- Email logs: Delivery records for daily debriefs are retained for 90 days.
- Deleted accounts: Upon account deletion, we delete your account data, session data, activity logs, library saves, and preferences. Billing records may be retained as required by tax and financial reporting obligations.
7. Data Security
- All data is encrypted in transit using TLS 1.3
- Passwords are hashed using PBKDF2 with per-user cryptographic salts and are never stored or logged in plaintext
- Session tokens are cryptographically generated
- Rate limiting is enforced on authentication endpoints (login, signup, email verification)
- Concurrent session limits are enforced (maximum 3 active sessions per account)
- All sessions are invalidated on password change
- Security headers are applied to all responses (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
8. Your Rights
8a. All Users
- Right to access: Request a copy of all personal data we hold about you
- Right to correction: Request correction of inaccurate personal data
- Right to deletion: Request deletion of your account and all associated data
- Right to data portability: Request your data in a machine-readable format
8b. European Economic Area (EEA) Residents — GDPR
If you are located in the European Economic Area, you have the following additional rights under the General Data Protection Regulation (GDPR):
- Right to restrict processing of your personal data
- Right to object to processing based on legitimate interest
- Right to withdraw consent at any time (for consent-based processing such as debrief email subscriptions) without affecting the lawfulness of processing before withdrawal
- Right to lodge a complaint with your local data protection authority
Our lawful bases for processing are: performance of contract (account services), legitimate interest (security monitoring, platform improvement), consent (email subscriptions), and legal obligation (financial record-keeping).
8c. California Residents — CCPA/CPRA
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with the following rights:
- Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined under the CCPA/CPRA. No opt-out is necessary because no sale or sharing occurs.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
To exercise any of these rights, contact us at contact@threadlinqs.com. We will respond within 45 days. We may request verification of your identity before processing your request.
9. International Data Transfers
The Platform is hosted in the United States via Cloudflare's global network. If you access the Platform from outside the United States, your data may be transferred to, stored in, and processed in the United States. By using the Platform, you consent to such transfer. For EEA users, we rely on Cloudflare's Standard Contractual Clauses and Stripe's Data Processing Agreement for lawful international data transfers.
10. Children's Privacy
The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at contact@threadlinqs.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by posting the updated policy on this page with a revised "last updated" date. We encourage you to review this page periodically. Your continued use of the Platform after changes are posted constitutes acceptance of the updated Privacy Policy.
12. Contact
For privacy-related inquiries, data access requests, or to exercise any of your rights, contact us at contact@threadlinqs.com.