Privacy Policy

Effective Date: 23/02/2026
Last Updated: 23/02/2026

1. Introduction

CrowsNest Systems, Inc. (“CrowsNest,” “we,” “our,” or “us”) is a cybersecurity software company providing governance, risk, and compliance automation platforms for enterprise customers.

We are committed to protecting personal data and complying with:

• The EU General Data Protection Regulation (EU) 2016/679 (“GDPR”)
• The UK GDPR
• The US-EU Data Privacy Framework (DPF)
• The Swiss-US Data Privacy Framework
• Applicable U.S. federal and state privacy laws

This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when:

• You visit our website
• You engage with us as a customer or prospect
• You use our products
• You interact with us in a professional capacity

2. Roles and Scope of Processing

CrowsNest operates in two distinct roles:

2.1 Controller

We act as a data controller when we process personal data for:

• Website visitors
• Marketing communications
• Event participation
• Business contact management
• Recruitment activities

2.2 Processor

We act as a data processor when we process personal data on behalf of our enterprise customers in connection with our cybersecurity automation platform. . In those cases:

• We process data solely pursuant to a Data Processing Agreement (DPA)
• Customers determine the purposes and means of processing
• We implement technical and organizational safeguards

3. Categories of Personal Data We Collect

3.1 Website & Marketing Data (Controller)

• Name
• Business email address
• Company name
• Job title
• Phone number (if provided)
• IP address
• Browser/device information
• Cookie identifiers

3.2 Customer & Account Data (Controller)

• Account administrator details
• Contract and billing contact information
• Business communications

3.3 Product Data (Processor)

Depending on customer configuration, our platform may process:

• Usernames
• Corporate email addresses
• Access logs
• System identifiers
• Role/permission mappings
• Security telemetry metadata

Our platform is not designed to intentionally collect:

• Sensitive personal data
• Biometric data
• Health data
• Consumer behavioral profiling data

4. Legal Bases for Processing (GDPR)

Where GDPR applies, we rely on:

• Article 6(1)(b) – Performance of a contract
• Article 6(1)(f) – Legitimate interests
• Article 6(1)(a) – Consent (where required)
• Article 6(1)(c) – Legal obligation

Legitimate interests include:

• Improving our services
• Securing our systems
• Preventing fraud
• Business development activities

5. Data Privacy Framework (DPF) Participation and Commitment

CrowsNest Systems, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. CrowsNest Systems, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) and the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and Switzerland in reliance on the EU-U.S. DPF and the Swiss-U.S. DPF.

If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the applicable Principles shall govern.

CrowsNest Systems, Inc. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

CrowsNest currently relies on the EU-U.S. DPF and Swiss-U.S. DPF for personal data other than human resources data. CrowsNest does not rely on the DPF for human resources data transferred in the context of the employment relationship.

In accordance with the DPF Principles:

• We provide individuals with the opportunity to access personal data about them.
• We will take reasonable steps to correct, amend, or delete personal data that is inaccurate or processed in violation of the DPF Principles.
• We remain responsible and liable under the DPF Principles if third parties that we engage to process personal data on our behalf do so in a manner inconsistent with the Principles, unless we prove we are not responsible for the event giving rise to the damage.

For more information about the Data Privacy Framework program, please visit:

https://www.dataprivacyframework.gov/

6. International Data Transfers

CrowsNest is headquartered in the United States.

Personal data may be transferred to and processed in:

• The United States
• The European Union
• Other jurisdictions where our subprocessors operate

We ensure lawful transfer mechanisms through:

• Data Privacy Framework certification
• Standard Contractual Clauses (SCCs), where required
• Contractual Data Processing Agreements

7. Data Sharing & Onward Transfers

We may share personal data with:

• Cloud infrastructure providers
• Hosting providers
• Security service providers
• Analytics providers
• Payment processors
• Professional advisors (legal, accounting)

All subprocessors:

• Are bound by written agreements
• Must implement appropriate security safeguards
• Must only process data consistent with our obligations

We remain liable under the DPF Principles for onward transfers.

We do not sell personal data.

8. Data Security

We implement appropriate technical and organizational measures, including:

• Encryption in transit (TLS 1.2+ / 1.3)
• Encryption at rest (where applicable)
• Access controls and RBAC
• Audit logging
• Secure software development lifecycle (SDLC)
• Vulnerability management
• Incident response procedures

Security controls are regularly reviewed and tested.

9. Data Retention

We retain personal data only as long as necessary for:

• Contractual obligations
• Legal requirements
• Legitimate business purposes

When data is no longer required, it is securely deleted or anonymized.

Processor data is retained in accordance with customer instructions.

10. Individual Rights (GDPR)

If you are located in the EU/EEA, you have the right to:

• Access your personal data
• Rectify inaccurate data
• Erase data (“right to be forgotten”)
• Restrict processing
• Data portability
• Object to processing
• Withdraw consent

Requests may be submitted to: privacy@crowsnestsecurity.com

If unsatisfied, you may lodge a complaint with your local supervisory authority.

In addition, individuals whose personal data is transferred to the United States in reliance on the EU-U.S. DPF or Swiss-U.S. DPF have the right to access their personal data and to request correction, amendment, or deletion where such data is inaccurate or processed in violation of the DPF Principles.

11. Disclosures Required by Law (DPF Requirement)

CrowsNest Systems, Inc. may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

We will only disclose personal information where required to do so by applicable law, regulation, subpoena, court order, or other valid legal process. Where legally permitted, we will take reasonable steps to notify the affected individual prior to such disclosure.

CrowsNest will assess each request to ensure that any disclosure is legally required and proportionate, and we will not disclose personal information in response to informal or non-binding requests.

12. Dispute Resolution (DPF Requirement)

Independent Recourse Mechanism and Dispute Resolution (DPF)

In compliance with the EU-U.S. DPF and the Swiss-U.S. DPF, CrowsNest Systems, Inc. commits to resolve complaints about our collection or use of personal data transferred in reliance on the DPF.

Individuals with inquiries or complaints regarding our DPF compliance should first contact us at: privacy@crowsnestsecurity.com

If a complaint cannot be resolved through our internal process, CrowsNest Systems, Inc. has agreed to participate in the independent dispute resolution procedures provided by:

JAMS

https://www.jamsadr.com/DPF-Dispute-Resolution

The services of JAMS are provided free of charge to individuals for the purpose of resolving DPF-related complaints.

Under certain conditions, and as described in the EU-U.S. DPF and Swiss-U.S. DPF Principles, individuals may invoke binding arbitration to address residual complaints not resolved by other mechanisms

13. Choice

CrowsNest Systems, Inc. provides individuals with the opportunity to choose (opt out) whether their personal data is:

1. Disclosed to a third party that is not acting as an agent on our behalf; or
2. Used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individual.

Individuals may exercise this choice at any time by contacting us at: privacy@crowsnestsecurity.com

CrowsNest will provide individuals with clear, conspicuous, and readily available mechanisms to exercise their opt-out rights. Opt-out requests will be honored prior to any onward disclosure of personal data to a non-agent third party or prior to use of the data for a materially different purpose.

CrowsNest does not sell personal data.

14. Cookies and Tracking Technologies

We use cookies and similar technologies for:

• Essential website functionality
• Security
• Analytics
• Performance monitoring

Users may manage cookie preferences through browser settings. Where required by law, we obtain consent before deploying non-essential cookies.

15. Children’s Data

Our services are directed to enterprises and not to individuals under 16. We do not knowingly collect personal data from children.

16. Changes to This Policy

We may update this Privacy Policy periodically.

Material changes will be:

• Posted on our website
• Communicated to customers where required