Legal Document
Privacy Policy
ThreatSabre Limited
Last updated 23 June 2026
1. Who We Are
ThreatSabre Limited (“we”, “us”, or “our”) is a New Zealand company (Company Number 9363459) that builds a platform for network security posture management. We are the data controller for the personal data described in this policy.
We comply with the New Zealand Privacy Act 2020. Where we process personal data of individuals in the European Economic Area (EEA) or the United Kingdom, we also comply with the EU General Data Protection Regulation (GDPR) and UK GDPR.
Privacy enquiries: support+privacy@threatsabre.com
ThreatSabre has not appointed a Data Protection Officer as one is not required under GDPR Article 37.
2. What This Policy Covers
This policy explains how we collect, use, store, and share personal data when you:
- Visit our website at www.threatsabre.com (the “Website”)
- Submit a contact form or enquiry
- Book a demo via our scheduling pages
- Register for or use the ThreatSabre platform (the “Platform”)
- Communicate with us by email or through our support channels
3. Personal Data We Collect
3.1 Information You Provide
- Contact information — name, email address, phone number, and company name when you fill out a contact form, book a demo, or raise a support request
- Account information — email address and display name when you register for the Platform
- Communications — the content of messages you send us via email, contact forms, or support tickets
- Booking details — meeting time, attendee name, email, and any notes you provide when scheduling a demo
3.2 Information Collected Automatically
When you visit our Website, we automatically collect basic anonymised analytics data using privacy-preserving analytics that run in an in-memory mode. This does not set cookies or store any data on your device, and creates no persistent identifier. See our Cookie Policy for full details.
This baseline data includes:
- Pages visited and time spent on pages
- Referring website addresses
- Browser type and version
- Operating system
- Approximate geographic location (country/region level, derived from IP address — IP is not stored)
- Page performance metrics
If you accept analytics cookies via our cookie banner, we additionally collect more detailed session and interaction data. See our Cookie Policy for details of the cookies we use and how to manage your preferences.
3.3 Information We Receive From Other Sources
If someone at your organisation invites you to the ThreatSabre Platform, we receive your email address from the person who sent the invitation. In that case, you will be informed at the point of invitation that your data has been shared with us, along with the purpose and your rights.
3.4 Data We Do NOT Collect
We do not process special category data (Article 9), criminal conviction data (Article 10), or children’s data. Our Platform is aimed at business professionals and is not offered to anyone under 18. We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on individuals (Article 22).
4. How We Use Your Data and Our Legal Basis
Under GDPR Article 6, we must have a lawful basis for each processing activity. The table below sets out our purposes and the corresponding legal basis.
| Purpose | Data Used | Lawful Basis | Details |
|---|---|---|---|
| Providing and operating the Platform | Email, name, user ID, authentication tokens | Contractual necessity (Art. 6(1)(b)) | Processing is necessary to deliver the service you or your organisation has contracted for |
| Responding to enquiries and support requests | Name, email, message content, support ticket content | Contractual necessity (Art. 6(1)(b)) | Processing is necessary to respond to your request or deliver support under our service agreement |
| Scheduling demo meetings | Name, email, meeting time, notes | Legitimate interests (Art. 6(1)(f)) | Our legitimate interest in engaging with prospective customers; the data is limited to business contact details and the impact on data subjects is minimal |
| Sending transactional emails (invitations, notifications) | Email, display name, organisation name | Contractual necessity (Art. 6(1)(b)) | Necessary to operate the Platform (e.g. inviting users, delivering notifications) |
| Anonymised website analytics (cookieless) | Anonymised page view data, browser type, approximate location | Legitimate interests (Art. 6(1)(f)) | Our legitimate interest in understanding how visitors use our Website to improve it; no data is stored on your device, no persistent identifier is created, and the analytics run in an in-memory mode that cannot identify individuals |
| Enhanced website analytics (with cookies) | Session data, interaction data, device identifiers | Consent (Art. 6(1)(a)) | Only collected if you accept analytics cookies via our cookie banner |
| Website hosting, security, and bot protection | IP address, browser metadata, HTTP request data | Legitimate interests (Art. 6(1)(f)) | Our legitimate interest in securing the Website against attacks, fraud, and abuse |
| Complying with legal obligations | As required | Legal obligation (Art. 6(1)(c)) | Where we are required by law to retain or disclose data (e.g. tax record-keeping) |
Where we rely on legitimate interests, we have conducted a balancing assessment and concluded that our interests do not override your rights and freedoms, given the limited and business-related nature of the data involved.
Where we rely on consent, you can withdraw it at any time — see Section 8 for details. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
5. Third-Party Services and Data Processors
We use the following third-party services to operate our Website and Platform. Each acts as a data processor on our behalf under a signed Data Processing Agreement (DPA). A consolidated, current list of the sub-processors that process Customer Personal Data is maintained at https://www.threatsabre.com/sub-processors.
5.1 Cloudflare — Hosting, CDN, and Security
Our Website is hosted on Cloudflare’s global network. Cloudflare provides content delivery, DDoS protection, and security services, and may process your IP address and browser metadata at the nearest edge node.
We also use Cloudflare Turnstile on forms for bot protection. Turnstile collects technical information about your browser and device to verify you are a human visitor.
- Data processed: IP address, browser metadata, HTTP request data, Turnstile tokens
- Location: Global (edge network)
- DPA: Cloudflare Customer DPA (v6.3) with EU SCCs, UK Addendum, and EU-U.S. Data Privacy Framework certification
- Cloudflare Privacy Policy
5.2 PostHog — Website Analytics
We use PostHog to understand how visitors interact with our Website. By default, PostHog runs in a privacy-preserving in-memory mode that counts visits without setting cookies or storing any data on your device, with person profiles disabled and your IP address not stored. If you accept analytics cookies, PostHog additionally uses cookies for richer session tracking.
- Data processed: Anonymised page views, session data, browser type, approximate location (IP is not stored)
- Location: United States (PostHog Cloud US)
- DPA: PostHog DPA with EU SCCs
- PostHog Privacy Policy
5.3 Resend — Transactional Email
When you submit a contact form, we use Resend to deliver email notifications. Resend also delivers transactional emails from the Platform (invitations, notifications).
- Data processed: Email address, display name, organisation name, email content
- Location: United States
- DPA: Resend DPA with EU-U.S. Data Privacy Framework certification and EU SCCs (Module 2)
- Resend Privacy Policy
5.4 Zoho — CRM, Support, and Demo Booking
We use Zoho CRM to manage customer and prospect relationships, Zoho Desk for support ticketing, and Zoho Bookings for scheduling demos.
- Data processed: Email address, name, support ticket content, booking details, communication history
- Location: Australia (Zoho AU data centre)
- DPA: Zoho Privacy Terms (signed 2026-03-07)
- Zoho Privacy Policy
5.5 Kinde — Authentication
We use Kinde as the identity and authentication provider for the ThreatSabre Platform.
- Data processed: Email address, name, user ID, authentication tokens, IP address, browser metadata
- Location: Australia (AWS ap-southeast-2)
- DPA: Kinde DPA (signed 2026-01-22)
- Kinde Privacy Policy
5.6 AWS — Cloud Infrastructure
The ThreatSabre Platform is hosted on Amazon Web Services.
- Data processed: Email, name, user ID, IP address, authentication tokens, application logs
- Location: ap-southeast-2 (Sydney, Australia) — primary; ap-southeast-4 (Melbourne, Australia) — cross-region backups for disaster recovery
- DPA: AWS Data Processing Addendum with EU SCCs
5.7 Microsoft 365 — Corporate Productivity
We use Microsoft 365 for internal business operations (email, collaboration, file storage, endpoint security). This processes data of ThreatSabre employees and contractors, and of anyone who communicates with us by email.
- Data processed: Email addresses, names, email content, files, Teams messages, calendar data, device telemetry
- Location: New Zealand
- DPA: Microsoft DPA with EU SCCs and EU-U.S. Data Privacy Framework certification
5.8 Data Processing Agreement for Customers
If your organisation uses the ThreatSabre Platform, our Data Processing Agreement (DPA) under GDPR Article 28 applies to our processing of personal data on your behalf. The DPA is published at https://www.threatsabre.com/dpa and is incorporated by reference into our Terms of Use — it applies automatically and no separate signature is required. The sub-processors engaged to deliver the service are listed at https://www.threatsabre.com/sub-processors and described in Section 5 above. If your organisation requires a counter-signed copy of the DPA, please contact us at support+privacy@threatsabre.com.
6. International Data Transfers
ThreatSabre is based in New Zealand. Some of the third-party services we use process data outside New Zealand, including in Australia and the United States. New Zealand has an EU adequacy decision, meaning transfers from the EEA to New Zealand are permitted without additional safeguards.
For transfers to countries without an EU adequacy decision, we rely on the following mechanisms as required by GDPR Chapter V (Articles 44–49):
| Destination | Processors | Transfer Mechanism |
|---|---|---|
| United States | PostHog, Resend, GitHub, Tailscale | Standard Contractual Clauses (SCCs); Resend additionally certified under the EU-U.S. Data Privacy Framework |
| Global (edge network) | Cloudflare | EU SCCs, UK Addendum, EU-U.S. Data Privacy Framework certification |
| Australia | Kinde, AWS, Zoho | AU data residency — Australia does not have an EU adequacy decision; DPAs include SCCs where applicable |
For each transfer, we have assessed the legal framework of the destination country and the supplementary measures in place. Details are documented in our International Data Transfer Policy and individual Data Transfer Agreements.
7. Data Retention
We retain personal data only for as long as necessary for the purpose it was collected. Our specific retention periods are:
| Data | Retention Period |
|---|---|
| Platform account data | Duration of subscription + 3 months |
| Contact form submissions | 12 months if no ongoing relationship results |
| CRM customer records | 7 years after contract ends (NZ tax and record-keeping obligations) |
| CRM prospect records | Duration of active relationship; deleted after 2 years of inactivity |
| Support tickets | 24 months after subscription termination |
| Transactional email data (at Resend) | Duration of agreement + 90 days |
| Website analytics data (PostHog) | Duration of agreement (no personal data stored — IP anonymisation enabled, person profiles disabled) |
| Demo booking records | 12 months after the booked meeting |
When retention periods expire, data is securely deleted or anonymised.
8. Your Rights
8.1 Under GDPR / UK GDPR (EEA and UK Residents)
If you are in the EEA or UK, you have the following rights under GDPR Articles 15–22:
- Right of access (Art. 15) — obtain a copy of your personal data and information about how we process it
- Right to rectification (Art. 16) — have inaccurate or incomplete data corrected
- Right to erasure (Art. 17) — request deletion of your personal data where it is no longer necessary, you withdraw consent, or you object and we have no overriding grounds
- Right to restrict processing (Art. 18) — request that we limit how we use your data while a dispute or concern is resolved
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format, or have it transferred to another controller, where processing is based on consent or contract
- Right to object (Art. 21) — object to processing based on legitimate interests; we will stop unless we demonstrate compelling legitimate grounds
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent (analytics cookies), you can withdraw at any time via the “Cookie Settings” link on our Website or by contacting us
- Right to lodge a complaint — you have the right to complain to your local data protection supervisory authority if you believe we have not handled your data in accordance with applicable law
We do not carry out automated decision-making or profiling with legal or similarly significant effects (Article 22), so the related right does not apply.
To exercise any of these rights, contact us at support+privacy@threatsabre.com. We will respond within one month. If your request is complex, we may extend this by up to two additional months and will inform you of any extension within the first month.
We will not charge a fee for handling your request unless it is manifestly unfounded or excessive.
8.2 Under the New Zealand Privacy Act 2020
If you are in New Zealand, you have the right to:
- Access your personal information (Information Privacy Principle 6)
- Request correction of inaccurate information (Information Privacy Principle 7)
If you believe we have breached the Privacy Act, you may complain to the Office of the Privacy Commissioner at privacy.org.nz.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Multi-factor authentication on all internal systems
- Least-privilege access controls
- Regular security assessments and vulnerability management
- Incident response procedures aligned with our Breach Notification Policy
Our primary data storage locations are New Zealand and New South Wales, Australia.
10. Cookies
We use a combination of cookieless and cookie-based analytics on our Website. For full details of the cookies we use, their purposes, and how to manage your preferences, see our Cookie Policy.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date above.
We encourage you to review this policy periodically.
12. Contact Us
If you have questions about this policy, our privacy practices, or wish to exercise your rights, contact us at:
ThreatSabre Limited Email: support+privacy@threatsabre.com General enquiries: support@threatsabre.com